Threat actors were able to get their drivers signed off by Microsoft’s program. In response, Microsoft has confirmed the issue and acknowledged during December 2022 Patch Tuesday this week. “Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers. We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity. This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October. Ongoing Microsoft Threat Intelligence Center (MSTIC) analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”
Microsoft’s Fix
This issue was originally spotted by SentinelOne and Google’s Mandiant. Both security research groups found hackers were using the drivers to target business outsourcing, transportation, telecommunications, financial firms, cryptocurrency, and other sectors. To deal with the problem, Microsoft says it has blocked all detected drivers, revoked certification for impacted files, and suspended seller accounts of partners. Furthermore, the company recommends users to update to the latest Windows versions. Tip of the day: If you need to Create, Delete or Resize Partitions, Windows has everything you thanks to the built-in Disk Management-tool.