Trend Micro Warns of Rising Attacks Using Signed Windows Drivers
How can organizations protect their certificates from being stolen and used by hackers?
At the end of December 2022, Mandiant, Sophos and SentinelOne reported that several Microsoft hardware developer accounts had been used to sign malicious Windows kernel drivers. These drivers were used in various cyberattacks, including ransomware operations. Microsoft later revoked these accounts to break the chain of attacks, but by then the attackers had already done a lot of damage.
In February 2023, Trend Micro researchers discovered a new case of a signed driver being used in a BlackCat ransomware attack. The driver was similar to those disclosed earlier and was used by the attackers to bypass security mechanisms on infected computers.
Attackers use a variety of methods to sign their malicious drivers, typically by abusing Microsoft's portals for signing kernel modules, or by using leaked and stolen certificates. Trend Micro continues to monitor the misuse of signed drivers and the associated tools, tactics and procedures.
“Signed drivers are part of an attacker’s strategy to gain privileged access to the Windows operating system. They allow you to hide malicious code from security tools and bypass protection at the user and process level. Therefore, we believe that such threats will not disappear from the arsenal of attackers in the near future,” Trend Micro researchers report.
“Attackers are likely to continue to use rootkits to hide malicious code from security tools, compromise security, and stay unnoticed in the victim’s system for a long time,” the experts added.
Such rootkits are actively used by cybercriminal groups that have both the reverse-engineering skills needed to work with low-level system components and the resources to do so. The main danger of these rootkits lies in their ability to conceal sophisticated targeted attacks: they are typically deployed in the early stages of a compromise, allowing an attacker to undermine an organization's defenses before the final payloads are launched.
For organizations, certificate compromise is not only a security risk. It can also lead to loss of reputation and trust in the original signed software. That is why companies should strive to protect their certificates at all costs by implementing best security practices to reduce the risk of unauthorized access.
Using strong passwords and multi-factor authentication can also help protect certificates from being stolen or compromised by hackers. Using separate test-signing certificates (for pre-release code used in test environments) also minimizes the chance that valid production signing certificates will be used in an attack.
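The separation of test-signing and production certificates can also be checked on the endpoint side. The following PowerShell audit is an added example, not code from Trend Micro or from this article: it enumerates the drivers Windows knows about, verifies each file's Authenticode signature, and reports drivers that are unsigned, fail verification, or are signed with a certificate whose subject looks like a test certificate (that subject match is an assumed heuristic, not a documented rule).

```powershell
# Added example (not from the report): audit driver signatures on a Windows host.
# Run from an elevated PowerShell prompt on the machine being checked.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Win32_SystemDriver returns kernel-style paths; normalize them to Win32 paths
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    if (-not (Split-Path $p -IsAbsolute)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriverSignatures {
    $findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path $path)) { continue }

        # Get-AuthenticodeSignature also resolves catalog signatures for in-box drivers
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $signer  = $sig.SignerCertificate
        $reasons = @()

        # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) needs review
        if ($sig.Status -ne 'Valid') { $reasons += "status=$($sig.Status)" }

        # Assumed heuristic: test-signing certificates usually say so in their subject
        if ($signer -and $signer.Subject -match 'Test') { $reasons += 'test-signing certificate' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Driver  = $drv.Name
                State   = $drv.State
                Path    = $path
                Signer  = if ($signer) { $signer.Subject } else { '<none>' }
                Issuer  = if ($signer) { $signer.Issuer }  else { '<none>' }
                Reasons = $reasons -join '; '
            }
        }
    }
    return $findings
}

Get-SuspiciousDriverSignatures | Format-Table -AutoSize
```

A legitimately signed driver whose certificate was later revoked may still verify on a host without updated revocation data, so compare the Signer and Issuer columns against your approved publisher list rather than relying on Status alone.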
Only by adopting a multifaceted approach to endpoint, email, and intranet security can organizations effectively defend against malicious elements and suspicious activity, including ransomware attacks.