Microsoft certificates misused to sign malware (Dec. 2022)

Security researchers have come across cases in which cybercriminals managed to get malware-laden Windows drivers signed with valid digital certificates from Microsoft. This allows the malware to pass the digital signature check in Windows. Several threat actors appear to be involved in the abuse of Microsoft's digital signature. Microsoft has released updates on the December 2022 patchday to detect the affected (driver) files and stop the attacks.

An unpleasant story that shows that digital signatures do nothing for security once they fall into the wrong hands. Threat actors managed to get infected Windows drivers signed with valid digital certificates from Microsoft. The signed malware then posed as legitimate Microsoft software in the form of Windows drivers to get past security checks on Microsoft Windows.

Since Windows 10 (64-bit editions), Microsoft has taken steps to ensure that only drivers carrying a Microsoft digital signature are loaded by the operating system. In a coordinated disclosure on Patchday (Dec. 13, 2022), Microsoft and several security vendors published the facts; Ars Technica covered it here.

Malware in digitally signed drivers

In document ADV220005, dated December 13, 2022, Microsoft confirms that its driver signing has been misused. Microsoft writes that it was informed by SentinelOne, Mandiant and Sophos on October 19, 2022 that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously for post-exploitation activities (Ars Technica lists the security researchers' findings here).

Results of an investigation

Microsoft immediately launched its own investigation, which has since been completed. The investigation revealed that several developer accounts for the Microsoft Partner Center had submitted malicious drivers in order to obtain a Microsoft signature. Microsoft states that the threat actors' activity was limited to the misuse of several accounts within the developer program and that no compromise was found on Microsoft's part. In the reported attacks, the attacker had already gained administrative privileges on the targeted systems before using the digitally signed malicious drivers. Ongoing analysis by the Microsoft Threat Intelligence Center (MSTIC) indicates that the signed malicious drivers were likely used to facilitate the deployment of ransomware after systems had been infected.

Account suspension and mitigations

A further attempt to submit a malicious driver for signing on Sept. 29, 2022, led to the suspension of the developer accounts involved in early October. As a countermeasure, Microsoft suspended the affected partners' accounts and implemented blocking detections to protect its customers from this threat, the company writes.

Microsoft has released security updates for Windows (see ADV220005) that revoke the certificate for the affected files, and it has suspended the partners' vendor accounts. In addition, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to protect customers from legitimately signed drivers being used in malicious post-exploitation activity.

Microsoft writes that it is working with partners in the Microsoft Active Protections Program (MAPP) to develop additional detections. The Microsoft Partner Center is also working on long-term solutions to combat these fraudulent practices and prevent future impacts to customers.

Microsoft recommends all customers install the latest Windows updates and ensure their antivirus and endpoint detection products have the latest signatures installed and enabled to prevent these attacks.
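The two mitigations above, current Defender security intelligence and trustworthy driver signatures, can be audited from an elevated PowerShell session. The script below is an added example, not code from the advisory or this post; it assumes Windows 10/11 with Microsoft Defender and takes 1.377.987.0 as the minimum Defender version named above.

```powershell
# Added example, not from ADV220005 or this post: a read-only audit supporting the
# two mitigations described above. Assumptions: Windows 10/11 with Microsoft
# Defender, run from an elevated PowerShell; 1.377.987.0 is the minimum Defender
# security intelligence version named in the advisory.

$MinimumDefenderVersion = [version]'1.377.987.0'

function Test-DefenderSignatureVersion {
    # AntivirusSignatureVersion is the installed security intelligence version.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current  = $current
        Required = $MinimumDefenderVersion
        UpToDate = ($current -ge $MinimumDefenderVersion)
    }
}

function Get-DriverSignatureReport {
    param([string]$DriverPath = "$env:SystemRoot\System32\drivers")
    Get-ChildItem -Path $DriverPath -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Driver  = $_.Name
                Status  = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Type    = $sig.SignatureType    # Authenticode (embedded) or Catalog (typical for in-box drivers)
                Signer  = $sig.SignerCertificate.Subject
                Written = $_.LastWriteTime      # a recently dropped signed driver deserves a closer look
            }
        }
}

$defender = Test-DefenderSignatureVersion
if (-not $defender.UpToDate) {
    Write-Warning "Defender security intelligence $($defender.Current) is below $($defender.Required); update it."
}

$report = Get-DriverSignatureReport
# Everything that is not Valid, plus a per-signer count, shows which drivers to
# cross-check against the revocations shipped with the December 2022 updates.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Written -Descending | Format-Table Driver, Status, Type, Signer, Written -AutoSize
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The script only reads state; it neither blocks nor removes drivers, so it can be run on a suspect machine before deciding on cleanup.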
