ADV220005

Описание

Executive Summary:

Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections to help protect customers from this threat.

Details:

Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers. We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity. This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers' accounts in early October.

Ongoing Microsoft Threat Intelligence Center (MSTIC) analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.

Microsoft has released Windows Security Updates (see Security Updates table) revoking the certificate for impacted files and suspended the partners' seller accounts. Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.

Microsoft is working with Microsoft Active Protections Program (MAPP) partners to help develop further detections and to better protect our shared customers. Microsoft Partner Center is also working on long-term solutions to address these deceptive practices and prevent future customer impacts.

Recommended Actions:

Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.

Frequently Asked Questions:

Are any Microsoft services (Azure, M365, XBOX, Etc.) affected by this issue?

Microsoft’s services are not impacted by this issue. Our investigation has not identified any instances of malicious drivers affecting any of our services.

How can customers deploy their own Hypervisor-protected Code Integrity (HVCI) policy to perform detections in their own environment?

Updates will be made to the Microsoft Recommended Driver Blocklist (Microsoft recommended driver block rules (Windows 10) - Windows security | Microsoft Docs policy to perform detections in their own environment.

After the full set of malicious files has been locked, customers (enterprise and consumer) can deploy this policy onto devices to block against this malicious file and other malicious and vulnerable drivers on the blocklist. Additionally, enabling Hypervisor-protected Code Integrity (HVCI) will automatically enforce the policy without needing to deploy the policy.