Microsoft-approved and digitally-signed malicious drivers used in ransomware attacks

Graham CLULEY

December 15, 2022

Microsoft has warned that malicious hackers were able to get the software giant to digitally sign their code so it could be used in attacks, such as the deployment of ransomware.

In an advisory published on the Microsoft website at the same time as it released its regular Patch Tuesday updates, the company explained that multiple cybercriminal groups were able to abuse Microsoft's Windows Hardware Developer Program in order to have drivers certified that, in truth, deployed malware.

The malicious third-party drivers were able to skate under the radar of many security products, which implicitly treat anything digitally signed by Microsoft as trustworthy.

Once the attackers had broken into a Windows computer and gained admin access, they could use the signed drivers to disable security software and help an attack spread across a network.

Security researchers at various companies first alerted Microsoft to the problem in October, having observed that Microsoft-signed Windows kernel driver code was being deployed to help spread attacks such as the Cuba ransomware.

This month, CISA and the FBI advised that the Cuba ransomware had extorted more than $60 million worth of ransom payments.

Although the Cuba ransomware is not believed to have any connection or affiliation to the country of Cuba, it does change the names of encrypted files so they have a ".cuba" file extension and displays Cuba-themed iconography on its website.

Microsoft has now revoked the certificates and suspended the developer accounts that were used to sign the malicious drivers. In addition, Microsoft recommends that all customers install its latest security updates and ensure that their anti-virus defences are kept current.

Microsoft has stressed that it has found no evidence that its own network was compromised and that the extent of the attack (as far as it related to itself) was that it was being hoodwinked into signing drivers that would subsequently be used in attacks against other organisations.
