Driving through defences: Targeted attacks leverage signed malicious Microsoft drivers
In multiple recent investigations, SentinelOne’s Vigilance DFIR team observed a threat actor using a Microsoft-signed malicious driver in an attempt to evade multiple security products. In subsequent sightings, the driver was paired with a separate userland executable that attempted to control, pause, and kill various processes on the target endpoints. In some cases, the threat actor’s ultimate intent was to provide SIM swapping services.
In 2022, the actors were involved in a variety of intrusions, heavily targeting Business Process Outsourcing (BPO) and telecommunications businesses. Additional targeting includes the entertainment, transportation, Managed Security Service Providers (MSSP), financial, and cryptocurrency sectors.
Notably, SentinelLabs observed a separate threat actor also using a similar Microsoft-signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating broader use of this technique by various actors with access to similar tooling.
Key findings:
- SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
- Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
- This discovery was first reported to Microsoft’s Security Response Center (MSRC) in October 2022 and SentinelOne received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.
Conclusion
Code signing mechanisms are an important feature of modern operating systems. The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers. It is hoped that Microsoft will consider further enhancements to the security of its signing process to help maintain the implicit trust placed in Microsoft-signed drivers.
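The article describes drivers that carry a valid Microsoft signature yet are used to terminate security tooling, so a defender cannot rely on signature status alone when reviewing what is loaded on a host. The following PowerShell script is an added example, not code from the article or from SentinelOne or Mandiant: it inventories the kernel drivers currently running on a Windows host with their Authenticode status, signer subject and SHA-256, and flags any that match a known-bad hash list, have a signature problem, or are third-party drivers signed through Microsoft's hardware developer program. The function name `Get-LoadedDriverReport`, the empty `$KnownBadSha256` placeholder list, and the exact `$WhcpSubject` signer string are assumptions made for this example; it expects an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the article): triage loaded kernel drivers by signature and hash.
# Assumes an elevated PowerShell session on Windows.

# Placeholder: populate from the MSRC advisory or vendor IoCs. Left empty here by design.
$KnownBadSha256 = @()

# Subject string seen on third-party drivers signed via Microsoft's hardware developer program.
# The exact string is an assumption for this example; adjust if your environment differs.
$WhcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-LoadedDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName arrives in several shapes: \??\C:\..., \SystemRoot\System32\..., or a path
            # relative to the Windows directory. Normalise it to something the file cmdlets accept.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # A valid signature is the normal case for the drivers the article describes, so the
            # flag combines a hash match, signature problems, and third-party WHCP signing.
            $flag = if ($KnownBadSha256 -contains $hash) { 'KNOWN-BAD-HASH' }
                    elseif ($sig.Status -ne 'Valid')      { 'SIGNATURE-' + $sig.Status }
                    elseif ($signer -like "*$WhcpSubject*") { 'THIRD-PARTY-WHCP' }
                    else { '' }

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
                SHA256 = $hash
                Flag   = $flag
            }
        }
}

$report = Get-LoadedDriverReport
# Full inventory first, then only the entries worth a closer look.
$report | Sort-Object Status, Name | Format-Table Name, Status, Signer, Flag -AutoSize
$report | Where-Object Flag | Select-Object Name, Path, Flag, SHA256 | Format-List
```

The `THIRD-PARTY-WHCP` flag will also match many legitimate vendor drivers, so it is a prompt for review rather than a verdict; the useful signal is the combination of signer, hash and the process the driver is loaded alongside, which is the pairing the article describes.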
This research is being released alongside Mandiant, a SentinelOne technology and incident response partner.
This was posted in Bdaily's Members' News section by P Adams.