Ransomware Attacks Use Microsoft-Signed Drivers, Experts Warn

Hacking groups are reportedly using drivers signed by Microsoft in ransomware attacks. The information comes from digital security specialists, who warned the company that malware had been embedded in the signed software.

According to the Bleeping Computer website, attackers developed malicious drivers that passed Microsoft's security checks. The problem is that, once approved, the software is trusted by Windows.

Because drivers run in the kernel (the core of the operating system) and contain the instructions for driving hardware, Microsoft requires that they carry a cryptographic digital signature recognized by the company itself.

To obtain a Microsoft-signed driver, a hardware developer first needs an extended validation (EV) certificate that proves their identity to Microsoft. That certificate is linked to the developer's account in the Windows Hardware Developer Program.

Validation process failure

According to digital security experts, the weak point is precisely this validation process. Attackers managed to submit drivers that passed Microsoft's checks during review even though they contained malicious files.

The ransomware then uses the driver to disable system security tools, which ordinary user-mode software is not allowed to do. To achieve this, the attackers use the driver to terminate the processes of Windows security features.
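The practical check a defender wants after reading the two sections above is an inventory of which kernel drivers are running right now and who signed each of them, so that signer names and certificate thumbprints can be compared against the revocations Microsoft ships and against EDR telemetry. The script below is an added example for this page, not code from the article or from Microsoft. It uses only built-in Windows PowerShell cmdlets (Get-CimInstance, Get-AuthenticodeSignature) and must run elevated. Two things in it are my own assumptions rather than facts from the article: that drivers signed through Microsoft's hardware program carry the subject "Microsoft Windows Hardware Compatibility Publisher", and that a driver image loaded from outside %SystemRoot% is unusual enough to deserve a closer look.

```powershell
# Added example (not from the article): inventory the kernel drivers currently running
# and record who signed each one. Run in an elevated PowerShell on Windows 10/11.
#
# Assumptions (mine, not stated in the article):
#  - drivers signed through Microsoft's hardware program carry the subject
#    "Microsoft Windows Hardware Compatibility Publisher";
#  - a driver image living outside %SystemRoot% is unusual enough to be worth a look.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Return only drivers that trip the heuristic below
        [switch]$SuspiciousOnly
    )

    $whcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be C:\..., \??\C:\... or \SystemRoot\...; normalise to a file path
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $cert   = $sig.SignerCertificate
            $signer = if ($cert) { $cert.Subject } else { '<unsigned>' }

            $isWhcp      = $signer -like "*$whcpSubject*"
            $outsideRoot = -not $path.StartsWith($env:SystemRoot,
                                [System.StringComparison]::OrdinalIgnoreCase)

            # Heuristic (assumption): anything whose chain does not verify, or a
            # hardware-program-signed driver loaded from outside the Windows directory.
            $flag = ($sig.Status -ne 'Valid') -or ($isWhcp -and $outsideRoot)
            if ($SuspiciousOnly -and -not $flag) { return }

            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = $signer
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
                WhcpSigned = $isWhcp
                Flagged    = $flag
            }
        }
}

# Full inventory, worst signature status first; add -SuspiciousOnly for just the flagged rows.
Get-DriverSignatureReport | Sort-Object Status, Name | Format-Table -AutoSize
```

A Status of Valid with a Microsoft signer is exactly what this campaign produced, so the report is not a verdict on its own. Its value is in putting the signer subject, thumbprint and image path side by side, which is what you need when a revocation notice names a certificate or when an endpoint agent reports that its processes were terminated.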

Microsoft responds

Security companies Mandiant, Sophos and SentinelOne notified Microsoft, which began to act to close the gap. The company is reported to have updated Microsoft Defender to detect the signed but malicious drivers.

In addition, Windows security updates were released that revoke the compromised certificates, and the Hardware Developer Program accounts used to submit the problematic drivers have been suspended.

Finally, the company said it is working with Microsoft Active Protections Program (MAPP) partners to build further, more effective protection mechanisms, but it has not explained how the drivers made it through its review process.