Microsoft has revoked several hardware developer accounts after drivers certified by Microsoft's Windows Hardware Developer Program were used as part of post-exploitation activity, including incidents leading to ransomware infections.
“Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers,” the tech giant explained in its advisory. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers' accounts in early October.”
The probe into the matter was launched following reports from Mandiant, Sophos, and SentinelLabs, which found that a Microsoft-approved malicious driver was being leveraged by threat actors, including those affiliated with the Cuba ransomware gang. The driver had also been observed in several intrusions at a variety of organizations over the last four months, notably at telecommunication, BPO, MSSP, and financial services businesses.
A SentinelLabs investigation revealed that some of the observed attacks (“bring your own vulnerable driver,” or BYOVD) involved POORTRY (loader) and STONESTOP (kernel-mode driver) malware, part of a small toolkit designed to terminate AV and EDR processes that has been seen in use by multiple threat actors.
Sophos has seen this Microsoft-signed toolkit used in attacks attributed to the Cuba ransomware, and SentinelLabs observed one incident where it was used by the Hive ransomware gang.
Mandiant saw a threat actor tracked as UNC3944, which is known for SIM swapping attacks, utilizing the toolkit in attacks as far back as August 2022.
Currently, it’s unclear how all of these threat actors managed to obtain similar Microsoft-signed toolkits for use in attacks. Both Mandiant and SentinelLabs believe that the malicious actors acquired the toolkit through a supplier or an underground service that sells access.