Windows PCs were open to attacks for years because of the out-of-date driver list.


Hypervisor-Protected Code Integrity and the Malicious Signed Drivers Microsoft Identified

As noted by Ars Technica, Microsoft uses something called hypervisor-protected code integrity (HVCI) that’s supposed to protect against malicious drivers, which the company says comes enabled by default on certain Windows devices. Will Dormann, a senior vulnerability analyst at cybersecurity company Analygence, said that the feature doesn’t provide adequate protection against malicious drivers.

Christopher Budd, director of threat research at Sophos, says the attackers from Cuba know what they are doing and they are persistent. The initial discovery yielded a total of 10 malicious drivers. These drivers show a concerted effort to move up the trust chain, starting at least this past July. “Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question.”

Cuba used these cryptographically signed “drivers” after compromising a target’s systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from the security firm Sophos. Cuba was observed by researchers from Palo Alto Networks Unit 42 signing a privileged piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year. According to the security firm, the group has also compromised certificates belonging to at least one Chinese tech company and has been seen using the same tactic with them.

On October 19th, Mandiant and security firm SentinelOne notified Microsoft of the activity. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows related to the situation. The company says there has not been any compromise of its systems beyond partner account abuse.
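As an added example, not from the article or from any of the firms named in it, the following PowerShell check lets a defender confirm whether HVCI is actually enforced and inventory who signed every kernel driver currently running, which is where a legitimately signed but malicious driver of the kind described above would show up. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11.

```powershell
# Added example (not the article's or any vendor's code): check HVCI status and
# list the signers of running kernel drivers. Assumes an elevated session.

# 1. Is HVCI (memory integrity) running? In Win32_DeviceGuard,
#    SecurityServicesRunning contains 2 when HVCI is enforced (1 = Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"HVCI running: $hvciRunning"

# 2. For every running kernel driver, resolve its on-disk path and read its
#    Authenticode signature. WMI reports paths in several forms
#    (C:\..., \??\C:\..., \SystemRoot\...), so normalise them first.
$rows = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path)
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver = $_.Name
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# 3. Summarise by signer. A signed driver is not automatically benign: the
#    point of the incident above is that the signature chain was legitimate.
#    Unfamiliar signers, single-driver signers, or a status other than Valid
#    are the rows to review against the vendor's driver blocklist and your own
#    hardware inventory. Inbox drivers signed only via a catalog may report
#    NotSigned here, so treat this as review input, not a verdict.
$rows | Group-Object Signer | Sort-Object Count |
    Select-Object Count, @{n='Signer';e={$_.Name}} | Format-Table -AutoSize
$rows | Where-Object { $_.Status -ne 'Valid' } | Format-Table Driver, Status, Path -AutoSize
```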

Attacks on Cryptographic Software Signing: Compromised Certificates, Google’s Findings, and Manuscrypt

Cryptographic software signing is an important validation mechanism meant to ensure that software has been vetted and anointed by a trusted party or “certificate authority.” Attackers are always looking for weaknesses in this infrastructure, though, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their malware.

“Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing,” the company wrote in a report published today. Code signing certificates, which have been stolen or fraudulently obtained by threat actors, have been a common method for this, and their use has proven a lucrative niche in the underground economy.

Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device makers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.

“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos’ Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”