Partner Article
Driving through defences: Targeted attacks leverage signed malicious Microsoft drivers
In multiple recent investigations, SentinelOne’s Vigilance DFIR team observed a threat actor utilising a Microsoft-signed malicious driver to attempt evasion of multiple security products. In subsequent sightings, the driver was used together with a separate userland executable to attempt to control, pause, and kill various processes on the target endpoints. In some cases, the threat actor’s ultimate intent was to provide SIM swapping services.
In 2022, the actors were involved in a variety of intrusions, heavily targeting Business Process Outsourcing (BPO) and telecommunications businesses. Additional targeting includes the entertainment, transportation, Managed Security Service Providers (MSSP), financial, and cryptocurrency sectors.
Notably, SentinelLabs observed a separate threat actor also utilising a similar Microsoft-signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating broader use of this technique by various actors with access to similar tooling.
Key findings:
- SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
- Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
- This discovery was first reported to Microsoft’s Security Response Center (MSRC) in October 2022 and SentinelOne received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.
Conclusion
Code signing mechanisms are an important feature of modern operating systems. The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers. It is hoped that Microsoft will consider further enhancements to bolster the security of its signing process, to help maintain the implicit trust placed in Microsoft-signed drivers.
This research is being released alongside Mandiant, a SentinelOne technology and incident response partner.
This was posted in Bdaily's Members' News section by P Adams .