
Microsoft suspended several accounts on its hardware developer program that signed malicious drivers used by a ransomware group called Cuba to disable endpoint security tools. The driver certificates have been revoked and the drivers will be added to a blocklist that Windows users can optionally deploy.

"In most ransomware incidents, attackers kill the target’s security software in an essential precursor step before deploying the ransomware itself," researchers from security firm Sophos said in a new report about the incident. "In recent attacks, some threat actors have turned to the use of Windows drivers to disable security products."

The power of kernel drivers and Microsoft's attempt to secure them

The kernel is the most sensitive part of an operating system: code running there executes with the highest privileges and has complete control over the computer and its hardware. To communicate with and control the hardware components, the kernel uses specialized pieces of code called device drivers, developed either by Microsoft or by hardware vendors.

Back in the days of Windows XP, rootkits (root-level malware) were a common threat and often relied on malicious unsigned drivers, but with Windows Vista and Windows 7, Microsoft started to close this loophole by enforcing driver signature validation out of the box.

Currently supported versions of Windows (Windows 10 and higher) will not allow users to install a kernel-mode driver that hasn't been digitally cross-signed by Microsoft through the Windows Hardware Developer Program. For the driver to be suitable for distribution through Windows Update, it also needs to be certified by Microsoft.

These security features have made the use of malicious drivers a rare occurrence, but some sophisticated groups found a workaround: exploiting vulnerabilities in legitimate, trusted drivers. This created a new problem, because even if a driver vendor released a new version that patched the vulnerability, there was nothing to stop a malicious program from deploying the older, still-signed version of the driver on users' systems.
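The point above is why a blocklist that names only specific known-bad files is not enough: a driver's old, vulnerable build stays validly signed and loadable. The following is an added example, written for this article and not code from Microsoft, Sophos or any blocklist product, that checks a constructed driver inventory against two styles of deny rule: an exact-hash rule, and a name-plus-version-ceiling rule that denies every build of a driver up to and including the vulnerable version while leaving the patched release allowed. All driver names, versions and hashes are constructed; the rule format is the example's own and is not a claim about the exact semantics of Windows' policy files.

```python
"""Added example: checking a driver inventory against two styles of block rule.

A hash rule denies one exact file. A version-ceiling rule denies every build
of a named driver at or below a given version, so a rebuilt copy of the old
version (same version number, different bytes) is still caught, while the
patched release loads normally. Everything below is constructed sample data.
"""
from dataclasses import dataclass
import hashlib
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # four-part file version, e.g. (1, 0, 0, 1)


def parse_version(text: str) -> Version:
    """Turn '1.0.0.1' into (1, 0, 0, 1) so that versions compare numerically."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts  # type: ignore[return-value]


@dataclass(frozen=True)
class Driver:
    file_name: str
    version: Version
    sha256: str


@dataclass(frozen=True)
class DenyRule:
    rule_id: str
    sha256: Optional[str] = None            # exact-file rule
    file_name: Optional[str] = None         # name-based rule ...
    max_version: Optional[Version] = None   # ... with an inclusive version ceiling


def rule_matches(rule: DenyRule, drv: Driver) -> bool:
    """A hash rule matches only the exact bytes; a name rule matches the
    driver name and, if a ceiling is set, any version at or below it."""
    if rule.sha256 is not None:
        return rule.sha256.lower() == drv.sha256.lower()
    if rule.file_name is None or rule.file_name.lower() != drv.file_name.lower():
        return False
    return rule.max_version is None or drv.version <= rule.max_version


def evaluate(drivers: List[Driver], rules: List[DenyRule]) -> Dict[str, List[str]]:
    """Map each driver's sha256 to the ids of the rules that would deny it."""
    return {drv.sha256: [r.rule_id for r in rules if rule_matches(r, drv)]
            for drv in drivers}


def fake_hash(label: str) -> str:
    """Stand-in for hashing a driver file; the 'file contents' are constructed."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed inventory: the old vulnerable build, a relinked copy of that same
# old version (different bytes, same version number), the patched release, and
# an unrelated driver that must stay allowed either way.
OLD = Driver("example_vendor.sys", parse_version("1.0.0.1"), fake_hash("old build"))
OLD_REBUILT = Driver("example_vendor.sys", parse_version("1.0.0.1"), fake_hash("old build, relinked"))
PATCHED = Driver("example_vendor.sys", parse_version("1.0.0.2"), fake_hash("patched build"))
OTHER = Driver("unrelated.sys", parse_version("3.1.0.0"), fake_hash("unrelated"))
INVENTORY = [OLD, OLD_REBUILT, PATCHED, OTHER]

# Two candidate policies for the same finding (constructed rule ids).
HASH_ONLY = [DenyRule("deny-hash-old", sha256=OLD.sha256)]
VERSION_CEILING = [DenyRule("deny-example-vendor-le-1.0.0.1",
                            file_name="example_vendor.sys",
                            max_version=parse_version("1.0.0.1"))]

if __name__ == "__main__":
    for label, rules in (("hash-only rule", HASH_ONLY), ("version-ceiling rule", VERSION_CEILING)):
        print(f"--- {label} ---")
        verdicts = evaluate(INVENTORY, rules)
        for drv in INVENTORY:
            hits = verdicts[drv.sha256]
            state = "BLOCKED by " + ",".join(hits) if hits else "allowed"
            print(f"{drv.file_name:20} {'.'.join(map(str, drv.version)):10} {state}")
```

Running it shows the gap: under the hash-only rule the relinked copy of version 1.0.0.1 is allowed, because its bytes (and therefore its hash) differ from the one file the rule names, while under the version-ceiling rule both old builds are denied and the patched 1.0.0.2 release is still allowed. In a real deployment the inventory would come from the drivers actually present on a host and the rules from the vendor's published blocklist, with the policy applied by the OS rather than by a script.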