signed drivers attest to the operating system that they do not carry malware. Ironically, security experts have discovered that ransomware groups are using drivers like this to attack Windows systems. That’s like opening the door of your house for the bad guys to come in.
As they contain instructions for using the hardware, drivers can access the operating system’s kernel. That’s why Windows requires drivers to carry a cryptographic signature recognized by Microsoft. Proof of this is that, since 2020, Windows 10 blocks drivers that lack such a signature.
But this is where the maxim that nothing is 100% secure applies in full. Security companies including Sophos and SentinelOne revealed that drivers signed through the Windows Hardware Developer Program were being used for malicious purposes.
How is this possible?
For a driver to be signed, a hardware developer must obtain an extended validation certificate that proves their identity to Microsoft.
This certificate is linked to the developer’s account in the Windows Hardware Developer Program. In the next step, the driver must be submitted to Microsoft for validation.
The trick lies in manipulating this process. SentinelOne explains that attackers have developed drivers that, despite being malicious, manage to pass Microsoft’s security checks during analysis.
If the driver is approved, it is trusted by the operating system. That’s where the problems start.
According to Mandiant, at least nine groups had been exploiting this trick. Sophos highlights the work of the Cuba ransomware gang, which, despite its name, is said to be connected to Russia.
In conjunction with malware called BurntCigar, the ransomware attempts to disable the computer’s security tools via the driver.
The processes of security mechanisms are protected by the system; you cannot terminate them as if they were regular software. To circumvent this protection, ransomware groups could resort to a “kit” with two components: Stonestop and Poortry.
Stonestop attempts to terminate the processes of security features. To do so, it invokes Poortry, which is a signed driver, so Windows does not stop Poortry’s actions. With the system unprotected, ransomware or any other malware has free rein.
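As an added illustration of how a defender might spot this pattern (example code, not from the article or the vendors it cites): the rule below correlates Sysmon driver-load events (Event ID 6) with terminations of security-tool processes (Event ID 5) that follow within a short window. It keys on behaviour rather than on the signer, because the abused drivers carry a legitimate Microsoft-issued signature; the sample events, the edrsvc.exe name and the 60-second window are constructed assumptions.

```python
"""Correlate Sysmon DriverLoad events (ID 6) with ProcessTerminate events (ID 5)
that hit security tools shortly afterwards. Added example; sample data is constructed."""
from datetime import datetime, timedelta

# Process names of security tools to watch. MsMpEng.exe is Microsoft Defender's
# engine; edrsvc.exe is a constructed placeholder for a third-party EDR service.
SECURITY_PROCESSES = {"msmpeng.exe", "edrsvc.exe"}

# Constructed sample events, not real telemetry. Field names follow Sysmon's schema.
EVENTS = [
    {"ts": "2022-12-13T10:00:00", "id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # A driver with a legitimate hardware-program signature, dropped to a user-writable path.
    {"ts": "2022-12-13T10:05:00", "id": 6, "ImageLoaded": "C:\\Users\\Public\\drv.sys",
     "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
    {"ts": "2022-12-13T10:05:02", "id": 5, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"ts": "2022-12-13T10:05:03", "id": 5, "Image": "C:\\Program Files\\VendorEDR\\edrsvc.exe"},
    {"ts": "2022-12-13T10:05:04", "id": 5, "Image": "C:\\Windows\\System32\\notepad.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def driver_loads_followed_by_kills(events, window_s=60):
    """Return one finding per driver load that is followed, within window_s seconds,
    by the termination of at least one security-tool process. The signer is reported
    as context only: a valid signature is exactly what the abused drivers carry."""
    events = sorted(events, key=_ts)
    findings = []
    for load in (e for e in events if e["id"] == 6):
        deadline = _ts(load) + timedelta(seconds=window_s)
        killed = [e["Image"] for e in events
                  if e["id"] == 5 and _ts(load) <= _ts(e) <= deadline
                  and _basename(e["Image"]) in SECURITY_PROCESSES]
        if killed:
            findings.append({"driver": load["ImageLoaded"],
                             "signer": load.get("Signature", "unsigned"),
                             "terminated": killed})
    return findings

if __name__ == "__main__":
    for f in driver_loads_followed_by_kills(EVENTS):
        print(f"{f['driver']} (signer: {f['signer']}) -> terminated {f['terminated']}")
```

On the constructed sample only the driver loaded from C:\Users\Public is reported, since the termination of Defender and the EDR service follows it within seconds, while tcpip.sys, loaded five minutes earlier, is not.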
The three security companies have reported the issue to Microsoft. Since then, the company has been acting to contain the scheme.
For starters, Microsoft Defender has been enabled, via updates, to detect signed but malicious drivers.
Additionally, security updates for Windows have been released to revoke compromised certificates. Accounts used to upload problematic drivers have been suspended.
Microsoft did not, however, explain how these drivers made it through its review process. The company did say it is working with Microsoft Active Protections Program partners to develop more effective protection mechanisms.
With information: BleepingComputer.