Microsoft Certificates Used to Authenticate Malware | Spiceworks
This week, Microsoft said it suspended several developer accounts that were surreptitiously being used to get the IT giant to digitally sign malicious drivers. According to several security researchers, hackers used these malicious but legitimized drivers to carry out cyberattacks.
Researchers at SentinelOne, Mandiant, and Sophos coordinated with Microsoft to fix a lapse in the Windows maker’s security checks. The disclosure comes two months after ArsTechnica’s Dan Goodin reported deficiencies in hypervisor-protected code integrity (HVCI), a tool that protects the Windows kernel that, if enabled, can allow anyone to download and install a malicious driver on a device.
Drivers usually require OS kernel access, considering they interface between different software/hardware components within a system that may be manufactured by multiple vendors. Drivers are signed off with a digital certificate for authenticity.
As such, several threat actors were submitting malicious drivers to Microsoft’s Windows Hardware Developer Program to lend the company’s credibility to the driver with a digital signature. The OS trusts a driver signed with a valid cryptographic signature to load it onto the system.
“This validation was important in combating the scourge of kernel mode rootkits, malware designed to run with the highest privileges and thereby subvert attempts to detect or root them out,” SentinelOne noted. “That battle has been going on for quite some time.”
Specifically, malicious drivers signed with Microsoft certificates were designed to terminate security products’ antivirus and extended detection and response (EDR) processes. Microsoft noted that drivers were being used in the post-exploitation activity.
This means the attacker would necessarily have to gain administrative privileges on compromised systems. One of the threat actors, UNC3944, is deploying STONESTOP, a loader/installer, to set up POORTRY, another malware tasked with terminating antivirus and EDR processes. Researchers discovered three versions of POORTRY, two of which were signed with Microsoft certificates.
As of this week, multiple threat actors have leveraged malware signed…