
Microsoft Takes a Stand Against Chinese Cybercriminals by Revoking Signed Drivers


Cybercrime: Microsoft Revokes Many Signed Drivers Used by Chinese Cybercriminals

Introduction

In a recent development, Microsoft has revoked signed drivers that have been used by threat actors, particularly Chinese cybercriminals, for post-exploitation activity. Signed drivers are extremely valuable tools for threat actors as they allow them to gain complete control over compromised systems. These drivers can be used to manipulate system processes, evade endpoint security products, and maintain persistence on a system. This article provides insights into the abuse of signed drivers by cybercriminals, the involvement of Chinese companies in these activities, and the implications for cybersecurity.

The Abuse of Signed Drivers by Cybercriminals

Cybersecurity firms have frequently encountered campaigns in which threat actors abuse signed drivers. In December 2022, Microsoft took action after multiple security firms, including SentinelOne, Mandiant, and Sophos, warned it that cybercriminals were using signed malicious drivers to disable security products. At that time, Microsoft published an advisory informing users that hackers were using drivers certified by its Windows Hardware Developer Program (WHDP) to gain elevated privileges for post-exploitation activity. Microsoft clarified, however, that its own systems had not been compromised and that the abuse was limited to certain developer program accounts.

On July 12, 2023, Microsoft released another advisory, acknowledging the abuse of signed drivers and crediting Sophos, Cisco, and Trend Micro for reporting these incidents. Sophos identified 133 malicious drivers, 100 of which were signed with a Microsoft WHCP certificate. Many of the remaining, non-WHCP-signed drivers carried certificates issued to Chinese companies. The drivers were used to disable endpoint security products and act as rootkits, allowing attackers to bypass security features such as Windows User Account Control (UAC).

Cisco’s blog post described how threat actors abused open-source tools to change the signing date of kernel mode drivers, enabling them to load malicious drivers signed with expired certificates. The attackers exploited a loophole in Windows policies that allowed the signing and loading of cross-signed kernel mode drivers with signature timestamps prior to July 29, 2015. One of the analyzed malicious drivers named RedDriver was used by Chinese cybercriminals to intercept the browser traffic of Chinese users.

Trend Micro provided details on a campaign involving a new signed rootkit believed to be used by the same threat actor behind the Fivesys rootkit. The actor originates from China and primarily targets the gaming sector in China. The company noted that the malware appeared to have passed through the Windows Hardware Quality Labs (WHQL) process and obtained a valid signature.

Implications and Recommendations

The abuse of signed drivers by cybercriminals, particularly Chinese threat actors, raises significant concerns about the security of systems and the effectiveness of existing security measures. That these drivers were signed with legitimate certificates calls into question the verification processes followed by Microsoft and the Windows Hardware Developer Program. It also highlights the challenges security firms face in detecting and preventing such abuse: a driver with a valid signature is exactly what endpoint protection is designed to trust.

To address this issue, it is crucial for Microsoft and other organizations to strengthen their verification processes for signed drivers. They should ensure that only legitimate and trusted developers are granted certificates for signing drivers. Additionally, regular audits and monitoring should be conducted to detect any suspicious or abusive behavior.

End users should also take necessary precautions to protect their systems from threats associated with signed drivers. They should ensure that their operating systems and security software are up to date with the latest patches and updates. Regular scanning of systems for any malicious drivers and rootkits is essential. Users should also exercise caution when downloading and installing software from untrusted sources.
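One way to act on that scanning advice, as an added example that is not from the article or from any of the vendors it cites: triage constructed Sysmon driver-load (Event ID 6) records so that a known-revoked hash is flagged even when its signature still verifies, and a valid signature from a third-party publisher is queued for review rather than trusted outright. The signer allowlist and the blocklist hashes are placeholders, not official lists.

```python
# Added example (not from the article or any vendor): triage constructed Sysmon
# Event ID 6 (driver loaded) records. A valid WHCP signature alone does not
# prove a driver is benign, so hash and signer checks are layered.
import re
from dataclasses import dataclass

# Publishers whose signatures this organisation treats as first-party kernel
# code. Assumption: a locally maintained allowlist, not an official list.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}

# Constructed placeholder hashes standing in for entries from a revocation or
# vulnerable-driver blocklist. Real values come from the vendor advisories.
BLOCKLIST_SHA256 = {"a" * 64}

@dataclass
class Finding:
    image: str
    severity: str   # "high", "medium" or "info"
    reason: str

def parse_event(line: str) -> dict:
    """Parse 'Key=Value' pairs separated by ' | ' (constructed log layout)."""
    return dict(kv.split("=", 1) for kv in line.strip().split(" | "))

def sha256_of(hashes_field: str) -> str:
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; pull out the SHA256."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field)
    return m.group(1).lower() if m else ""

def triage(line: str) -> Finding:
    ev = parse_event(line)
    image = ev.get("ImageLoaded", "?")
    digest = sha256_of(ev.get("Hashes", ""))
    if digest and digest in BLOCKLIST_SHA256:
        # Highest-confidence signal: the driver itself is known-bad, regardless
        # of whether its signature still verifies on this host.
        return Finding(image, "high", "hash on driver blocklist")
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        return Finding(image, "high", f"signature {ev.get('SignatureStatus', 'absent')}")
    if ev.get("Signature") not in TRUSTED_SIGNERS:
        # Cross-signed third-party publisher: the path abused via backdated timestamps.
        return Finding(image, "medium", f"third-party signer {ev.get('Signature')!r}")
    return Finding(image, "info", "first-party signer, not on blocklist")

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "ImageLoaded=C:\\Windows\\System32\\drivers\\example_a.sys | Hashes=SHA256=" + "b" * 64 + " | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\example_b.sys | Hashes=SHA256=" + "a" * 64 + " | Signed=true | Signature=Microsoft Windows Hardware Compatibility Publisher | SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\example_c.sys | Hashes=SHA256=" + "c" * 64 + " | Signed=true | Signature=Example Tech Co. | SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\Temp\\example_d.sys | Hashes=SHA256=" + "d" * 64 + " | Signed=true | Signature=Example Tech Co. | SignatureStatus=Revoked",
]

if __name__ == "__main__":
    for f in map(triage, SAMPLE_EVENTS):
        print(f.severity.upper(), f.image, "-", f.reason)
```

The second sample shows the case the article describes: a driver that still carries a valid WHCP signature is caught only because its hash is on the blocklist.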

The cybersecurity community, including both government and private organizations, must collaborate to share information about emerging threats and signatures of malicious drivers. This collaboration will enhance the detection and prevention mechanisms against cybercriminals and minimize the risk to businesses and individuals.

Conclusion

The abuse of signed drivers by Chinese cybercriminals, as observed in recent campaigns, highlights the need for stronger security measures and vigilance in the cybersecurity community. The revocation of these signed drivers by Microsoft is a positive step, but more efforts are needed to prevent such abuse in the future. Only through active collaboration, continuous monitoring, and stricter verification processes can the industry mitigate the risks associated with signed driver exploitation and protect users from cyber threats.
