Prominent threat actors have been spotted exploiting legitimately signed Microsoft drivers in active intrusions into telecommunication, business process outsourcing (BPO), managed security service providers (MSSP) and financial services companies.
The findings from SentinelLabs, Sophos and Mandiant were first shared with Microsoft in October 2022. On Tuesday, the four companies released advisories detailing the attacks.
Investigations into these intrusions led to the discovery of Poortry and Stonestop malware, SentinelLabs wrote, which were part of a small toolkit designed to terminate antivirus (AV) and endpoint detection and response (EDR) processes.
“SentinelOne’s Vigilance DFIR [digital forensics and incident response] team observed a threat actor utilizing a Microsoft signed malicious driver to attempt evasion of multiple security products,” reads SentinelLabs’ technical write-up.
“In subsequent sightings, the driver was used with a separate userland executable to attempt to control, pause, and kill various processes on the target endpoints. In some cases, the threat actor’s intent was to ultimately provide SIM swapping services.”
SentinelLabs also said it observed a separate threat actor utilizing a similar Microsoft-signed driver, which led to the deployment of Hive ransomware against an entity in the medical industry.
According to Mandiant, the malicious drivers used as part of these attacks were signed directly by Microsoft. Identifying the original software vendor then required inspecting the signature with code.
The Mandiant advisory said several distinct malware families, associated with separate threat actors, have been signed with this process. The security firm identified roughly nine unique organization names associated with attestation-signed malware.
The findings are also mentioned by Sophos, which wrote in its report that the use of device drivers to sabotage or terminate security tools has been increasing in 2022.
“Some of the previous attacks have employed a ‘bring your own vulnerable driver’ (BYOVD) approach, in which the attackers leverage a Windows driver from a legitimate software publisher with security vulnerabilities.”
As for Microsoft, the company claimed it has now completed its investigation and determined that the activity was limited to the abuse of specific developer program accounts. It further explained that no compromise had been reportedly identified.
“We’ve suspended the partners’ seller accounts and implemented blocking detections to help protect customers from this threat.”
The news comes on the same day Microsoft published its last Patch Tuesday of 2022, which addressed nearly a half-century of vulnerabilities, including two zero-days.