On December 13, Microsoft stated that it had blocked and suspended the accounts that were used to publish malicious drivers certified through the Windows Hardware Developer Program.
Microsoft's investigation showed that the activity was limited to several developer program accounts and that no further compromise was found. The investigation was initiated after the security company Sophos reported in October that fraudulently signed drivers were being used for post-exploitation activity and for deploying ransomware.
This attack technique is called BYOVD (Bring Your Own Vulnerable Driver). It allows an attacker who already holds administrator privileges to easily bypass Windows kernel protections. Instead of writing an exploit from scratch, the attacker simply installs a legitimately signed third-party driver with known vulnerabilities and then uses those vulnerabilities to gain instant access to some of the most protected areas of Windows.
Mandiant also discovered that the UNC3944 group uses the Stonestop loader to install the malicious Poortry driver, which is designed to terminate antivirus processes and delete files.
Attackers use compromised, stolen and illegally acquired code-signing certificates to sign malware. Several distinct malware families associated with different threat actors were signed this way. Moreover, attackers use a "Malicious Driver Signing as a Service" offering, through which they receive malicious artifacts signed via the Microsoft certification process on behalf of the service's customers.
Stonestop and Poortry are reported to have been used in attacks on the telecommunications, business process outsourcing, managed service provider (MSP), financial services, cryptocurrency and transport sectors.
Since then, Microsoft has revoked the certificates for the affected files and suspended the partners' seller accounts to counter the threat.
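Both the BYOVD technique and the abuse of signed drivers described above come down to a signed kernel driver that should not be trusted. The following audit script is an added example (not from the article, Microsoft, Mandiant or Sophos) that lists kernel drivers installed on a Windows host, records their Authenticode status and signer, and compares their SHA-256 hashes against a blocklist you maintain; the hash values in `$knownVulnerableHashes` are placeholders, not real indicators, and the helper name `Get-DriverAudit` is this example's own.

```powershell
# Added defender-side audit (example code, not the article's). Requires an elevated
# PowerShell session. Replace the placeholder hashes with ones from a trusted source,
# such as the Microsoft recommended driver block rules, before relying on the result.
$knownVulnerableHashes = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_2'
)

function Get-DriverAudit {
    # Win32_SystemDriver enumerates kernel-mode drivers, running or stopped.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths the service database may contain.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                Signer      = $sig.SignerCertificate.Subject
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, etc.
                SigStatus   = $sig.Status
                SHA256      = $hash
                OnBlocklist = ($knownVulnerableHashes -contains $hash)
            }
        }
}

# Report running drivers that are unsigned, fail signature validation, or match the
# blocklist. A validly signed driver can still be vulnerable, which is exactly the
# BYOVD case, so the hash comparison matters as much as the signature status.
Get-DriverAudit |
    Where-Object { $_.State -eq 'Running' -and ($_.SigStatus -ne 'Valid' -or $_.OnBlocklist) } |
    Format-Table Name, SigStatus, Signer, SHA256, Path -AutoSize
```

This audit is a point-in-time check; the durable control against BYOVD is enforcing the Microsoft vulnerable driver blocklist through HVCI or a WDAC policy so that known-bad drivers never load.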