Microsoft-approved and digitally-signed malicious drivers used in ransomware attacks

Microsoft has warned that malicious hackers were able to get the software giant to digitally sign their code so it could be used in attacks, such as the deployment of ransomware.

In an advisory published on the Microsoft website at the same time as it released its regular Patch Tuesday updates, the company explained that multiple cybercriminal groups were able to abuse Microsoft's Windows Hardware Developer Program in order to have drivers certified that, in truth, deployed malware.

The malicious third-party drivers were able to skate under the radar of many security services, which implicitly trust anything digitally signed by Microsoft as trustworthy.

Once the attackers had broken into a Windows computer and gained admin access, they could use the signed drivers to disable security software and help an attack spread across a network.

Security researchers at various companies first alerted Microsoft to the problem in October, having observed that Microsoft-signed Windows kernel driver code was being deployed to help spread attacks such as the Cuba ransomware.

This month, CISA and the FBI advised that the Cuba ransomware had extorted more than $60 million worth of ransom payments.

Although the Cuba ransomware is not believed to have any connection or affiliation to the country of Cuba, it does change the names of encrypted files so they have a ".cuba" file extension and displays Cuba-themed iconography on its website.

Microsoft has now revoked the certificates and suspended the developer accounts that were used to sign the malicious drivers. In addition, Microsoft recommends that all customers install its latest security updates and ensure that their anti-virus defences are kept current.

Microsoft has stressed that it has found no evidence that its own network was compromised and that the extent of the attack (as far as it related to itself) was that it was being hoodwinked into signing drivers that would subsequently be used in attacks against other organisations.