{"id":474163,"date":"2022-12-14T10:47:42","date_gmt":"2022-12-14T08:47:42","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=474163"},"modified":"2022-12-14T10:53:53","modified_gmt":"2022-12-14T08:53:53","slug":"windows-hardware-developers-duped-microsoft-into-signing-malicious-drivers","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/474163-windows-hardware-developers-duped-microsoft-into-signing-malicious-drivers.html","title":{"rendered":"Windows hardware developers duped Microsoft into signing malicious drivers"},"content":{"rendered":"<p>Several Microsoft hardware developer accounts have been revoked after drivers certified through their profiles were used for cyber crimes, including ransomware attacks.<\/p>\n<p><strong><a href=\"https:\/\/www.mandiant.com\/resources\/blog\/hunting-attestation-signed-malware\" target=\"_blank\" rel=\"noopener\">Mandiant<\/a><\/strong>, <strong><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\" target=\"_blank\" rel=\"noopener\">Sophos<\/a><\/strong>, and <strong><a href=\"https:\/\/www.sentinelone.com\/labs\/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers\/\" target=\"_blank\" rel=\"noopener\">SentinelOne<\/a><\/strong> notified Microsoft of the malicious activity, and the companies revealed the issue in a coordinated disclosure.<\/p>\n<p>&#8220;Microsoft was informed that drivers certified by Microsoft&#8217;s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,&#8221; Microsoft said in its <strong><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/ADV220005\" target=\"_blank\" rel=\"noopener\">security advisory<\/a><\/strong>.<\/p>\n<p>&#8220;In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.&#8221;<\/p>\n<p>Microsoft said that it was notified 
of the activity in October. However, the coordinated disclosure occurred on 13 December 2022 after Microsoft completed its investigations.<\/p>\n<p>&#8220;This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,&#8221; it said.<\/p>\n<p>&#8220;A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers&#8217; accounts in early October.&#8221;<\/p>\n<p>According to <strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks\/\" target=\"_blank\" rel=\"noopener\">Bleeping Computer<\/a><\/strong>, kernel-mode hardware drivers are assigned the highest privilege level when loaded in Windows, allowing them to perform various malicious activities, including eliminating security software and deleting protected files.<\/p>\n<p>Microsoft has signed kernel-mode hardware drivers through its Windows Hardware Developer Program since Windows 10, released in July 2015.<\/p>\n<p>Mandiant and SentinelOne reported on the discovery of &#8220;POORTRY&#8221; and &#8220;STONESTOP&#8221; malware that can terminate antivirus and Endpoint Detection and Response (EDR) processes.<\/p>\n<p>STONESTOP is a user-mode application that tries to terminate endpoint security processes and acts as both a loader and installer for POORTRY.<\/p>\n<p>POORTRY is a Microsoft-signed kernel-mode driver that terminates associated processes and Windows services.<\/p>\n<p>&#8220;STONESTOP functions as both a loader\/installer for POORTRY, as well as an orchestrator to instruct the driver with what actions to perform,&#8221; SentinelOne explained.<\/p>\n<p>Another STONESTOP variant can overwrite and delete files.<\/p>\n<hr \/>\n<h2 class=\"my-4\">Now read: <a 
href=\"https:\/\/mybroadband.co.za\/news\/security\/473891-google-defeats-lawsuit-claiming-it-tracked-users-without-permission.html\" rel=\"bookmark\">Google defeats lawsuit claiming it tracked users without permission<\/a><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Drivers certified through Microsoft&#8217;s Windows Hardware Developer Program were used in cyberattacks, including ransomware incidents.<\/p>\n","protected":false},"author":341076,"featured_media":465441,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[801,73696,123,30150,80863,765,83311],"class_list":["post-474163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-malware","tag-mandiant","tag-microsoft","tag-ransomware","tag-sentinelone","tag-sophos","tag-windows-hardware-developer-program"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/474163"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341076"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=474163"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/474163\/revisions"}],"predecessor-version":[{"id":474173,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/474163\/revisions\/474173"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/465441"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=474163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/cat
egories?post=474163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=474163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}