Microsoft warned that malicious hackers were able to get the software giant to digitally sign their code so that it could be used in attacks such as deploying ransomware.
In an advisory and guidance published on Microsoft's website alongside the regular Patch Tuesday update, the company said it had confirmed that multiple cybercrime groups exploited Microsoft's Windows Hardware Developer Program to get malicious drivers signed.
Malicious third-party drivers were able to slip under the radar of many security products, which implicitly treat anything digitally signed by Microsoft as trustworthy.
Once an attacker has broken into a Windows computer and gained administrator access, they can load such signed drivers to disable security software and help spread the attack across the network.
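The reason signed drivers matter is that "signed by Microsoft" is not the same as "published by Microsoft": a third-party driver signed through the hardware program carries Microsoft's publisher certificate, not the vendor's. The following PowerShell script is an added example, not code from the article or from Microsoft; it inventories the kernel drivers on a host, verifies each Authenticode signature, and flags the ones signed through the hardware program so they can be reviewed against Microsoft's certificate revocations and driver blocklist instead of being trusted on sight. It assumes an elevated PowerShell session on Windows, and the publisher name in `$WhcpPublisher` is the subject CN I believe Microsoft uses for program-signed drivers; confirm it against a known-good driver before relying on it.

```powershell
# Added example (not from the article or from Microsoft): list installed kernel drivers,
# verify their Authenticode signatures, and flag drivers signed through the Windows
# hardware developer program for review against revocation/blocklist updates.
# Assumptions: elevated PowerShell on Windows; $WhcpPublisher is the subject CN used for
# program-signed drivers (verify against a known-good driver on your own system).

$WhcpPublisher = 'CN=Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSignatureReport {
    # Win32_SystemDriver enumerates every kernel-mode driver service and its image path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be quoted or carry \??\, \SystemRoot\ or System32\ prefixes; normalise it.
        $path = $d.PathName.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $subj = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name    = $d.Name
            State   = $d.State
            Path    = $path
            Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer  = $subj
            # Program-signed third-party drivers carry Microsoft's publisher name rather than
            # the vendor's, so this flag marks the drivers a revoked signing account would affect.
            ViaWHCP = $subj -like "$WhcpPublisher*"
            # File hash for comparison with vendor or Microsoft indicator lists.
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Usage: show drivers that are program-signed or whose signature no longer validates.
Get-DriverSignatureReport |
    Where-Object { $_.ViaWHCP -or $_.Status -ne 'Valid' } |
    Sort-Object ViaWHCP, Name |
    Format-Table Name, State, Status, ViaWHCP, Signer -AutoSize
```

A `Valid` status only means the signature chains to a trusted root at the time of the check; a driver signed with a certificate Microsoft later revokes will show up as `ViaWHCP` here, which is why the report is meant to be compared with the revocation and blocklist updates rather than read as a verdict on its own.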
Microsoft was reportedly first alerted to the issue in October by security researchers from several companies, after Microsoft-signed Windows kernel drivers were found deployed in attacks, including Cuba ransomware intrusions.
Earlier this month, CISA and the FBI warned that the Cuba ransomware group had extorted more than $60 million in ransom payments.
Cuba ransomware, which is not believed to have any connection or affiliation with the country of Cuba, appends a ".cuba" extension to the files it encrypts and displays Cuban-themed iconography on its website.
Microsoft is now revoking the certificates and suspending the developer accounts that were used to sign the malicious drivers. It also recommends that all customers install the latest security updates and keep their antivirus defenses up to date.
Microsoft emphasized that it has found no evidence its own network was compromised and that, as far as it is concerned, the extent of the incident is that it was tricked into signing drivers later used in attacks against other organizations.