"Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems"

Microsoft has revealed that it suspended the accounts used to submit malicious drivers that were then certified, and therefore signed, through its Windows Hardware Developer Program. The activity was limited to several developer program accounts, and no further compromise was discovered. Cryptographically signing malware not only undermines a critical security mechanism, but also lets threat actors evade traditional detection methods and infiltrate target networks to perform highly privileged operations. On October 19, 2022, the cybersecurity firms Mandiant, SentinelOne, and Sophos notified Microsoft that rogue drivers were being used in post-exploitation activity, including the deployment of ransomware. One distinguishing feature of these attacks was that the adversary had already obtained administrative privileges on the compromised systems before deploying the drivers. According to Microsoft, several developer accounts for the Microsoft Partner Center were involved in submitting malicious drivers in order to obtain a Microsoft signature. A new attempt to submit a malicious driver for signing on September 29, 2022, resulted in the sellers' accounts being suspended. Sophos discovered that the threat actors associated with the Cuba ransomware, also known as COLDDRAW, planted a malicious signed driver in a failed attempt to disable endpoint detection tools, using a malware loader called BURNTCIGAR that Mandiant first discovered in February 2022. The company also discovered three variants of the driver that were signed with code signing certificates belonging to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology. This article continues to discuss ransomware attackers using malicious drivers certified by Microsoft.

THN reports "Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems"

Submitted by Anonymous on