Microsoft disclosed Tuesday that it suspended several developer program accounts that had obtained drivers certified through its Windows Hardware Developer Program; those drivers were likely used to deploy ransomware against telecommunications, outsourcing companies, MSSPs and financial services firms.
In a Dec. 13 security advisory, Microsoft said the attackers gained administrative privileges on compromised systems prior to use of the drivers. Several security organizations notified the Redmond, Washington-based software giant of the activity on Oct. 19, and an “investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.”
An attempt to submit a malicious driver for signing led to the suspension of the sellers’ accounts in early October, the advisory continued.
Certificates for the impacted files were revoked in Microsoft’s latest Patch Tuesday on Dec. 13, and the seller accounts were suspended. Microsoft said it also implemented blocking detections against legitimately signed drivers being used maliciously for post-exploit activity.
SentinelOne, Mandiant and Sophos all notified Microsoft of the suspicious activity.
SentinelOne detailed its discovery of POORTRY and STONESTOP malware being used to get around antivirus and endpoint detection and response (EDR) tools, as well as the types of businesses targeted by the legitimately signed drivers.
SentinelOne also floated two theories: either a supplier is offering the driver-signing process “as-a-service” to paying threat actors, or, less likely, multiple threat actors have compromised legitimate driver developers and are using those developers’ Extended Validation (EV) certificates and developer accounts to sign and submit the malicious drivers.
“We are highly confident that the malicious drivers mentioned above, as well as the one from June 2021, were used by different threat actors,” SentinelLabs wrote in its post. “… Other evidence supporting the ‘supplier’ theory stems from the similar functionality and design of the drivers. While they were used by two different threat actors, they functioned in very much the same way. This indicates they were possibly developed by the same person then subsequently sold for use by someone else.”
Mandiant said on its security blog that the threat group it identifies as “UNC3944” was using one of the signed malicious drivers to deploy the STONESTOP and POORTRY malware. It said the group has been active since May and is financially motivated, commonly gaining network access through stolen credentials obtained through SMS phishing.
Like SentinelOne, Mandiant said it believed that the threat groups abusing the driver-signing process are “leveraging a common criminal service for code signing.”
“Given the different company names identified and the differing development environments Mandiant suspects there is a service provider getting these malware samples signed through the attestation process on behalf of the actors. Unfortunately, at this time, this assessment is stated with low confidence.”