Cybersecurity firms have found that recent ransomware attacks depend heavily on a driver carrying Microsoft’s signature. The discovery has raised concern across the security community, because a trusted, signed tool gives no outward sign that it can be used to harm the very users who rely on it.

Cybersecurity Firms Shocked Over Exploited Microsoft-Signed Driver

Trusted Driver Used for Harm 

The security team at Cisco Talos discovered that cybercriminals used a legitimately signed Microsoft driver to deactivate users’ antivirus solutions. The driver had been certified through Microsoft’s Windows Hardware Developer Program, which worries cybersecurity firms: a trusted, signed component became the instrument for delivering malware through advanced methods.

In this case, the attackers abused the trusted signature to obtain elevated privileges throughout the system. Running at that level let them evade standard security detection methods. With the signed driver in place, the threat actors could suspend antivirus processes and then launch the ransomware.

How the Attack Worked

As traced by reputable cybersecurity firms, the attackers began by getting the driver onto the victim’s system. Once loaded, it gave their tooling kernel-level access. The malicious component was then used to kill security applications before the ransomware infection started, which let the cybercriminals stay undetected throughout.

The driver was part of a toolkit called “STONESTOP,” which included a loader called “POORTRY.” The two tools worked together: installing the driver through “POORTRY” triggered “STONESTOP” to disable security protection services, and the ransomware encryption process began after this stage.

Microsoft Responds Quickly

Thankfully, notifying Microsoft triggered an immediate response. Microsoft revoked the driver’s signature, effectively preventing further misuse. It also released an update for Windows Defender and distributed the driver’s hash so that other security products would no longer let it through.

Furthermore, Microsoft officially acknowledged the abuse while assuring all parties that its signing process itself had not been breached: the criminals had used a legitimate developer account to submit their malicious driver. Through this method, cybersecurity firms explained, the attackers obtained a signed driver without triggering any of the trust verification systems.

Root Cause: Misuse of the Dev Program 

The attackers had been admitted to the Windows Hardware Developer Program, which provides testing and driver submission services for developers seeking Microsoft signatures. Through that access, they submitted the dangerous driver, and Microsoft signed and released it. Cybersecurity firms therefore conclude that the fault lay in how the Microsoft system was used rather than in the system itself.

The incident shows that protected systems become vulnerable when trust processes go unmonitored. As a result, Microsoft has suspended the account that submitted the driver and is implementing new security features to safeguard the developer program platform from misuse.

Impact and Prevention

It is now observed that attackers increasingly employ authorized drivers as part of their attack strategies. Cybersecurity firms say this method yields unauthorized access because security systems do not detect it. Security administrators must therefore start inspecting driver activity and restrict what can be installed on company machines.

Business organizations also need to block outdated drivers and check the system-level permissions of running applications. Cybersecurity firms further advise that preventing comparable security risks requires prompt awareness and swift response. Moreover, Microsoft strongly advises users to enable memory integrity together with the most current version of their antivirus software.
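One way to act on the advice above, as an added example that is not part of the original article: inventory the kernel drivers on a Windows host, record each file’s Authenticode status and SHA-256, flag any hash that matches a blocklist you maintain (the hash value below is a placeholder, not a real indicator), and report whether memory integrity (HVCI) is running. It assumes an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell.

# Placeholder list: replace with hashes published by Microsoft or your vendor.
$BlockedSha256 = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_MALICIOUS_DRIVER'
)

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver paths may be prefixed with \??\ or \SystemRoot\,
            # or be relative to the Windows directory; normalize them first.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                SigStatus = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
                Sha256    = $hash
                Blocked   = ($BlockedSha256 -contains $hash)
            }
        }
}

function Get-MemoryIntegrityStatus {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

$inventory = Get-DriverInventory

# A valid signature is not proof of good intent (the article's driver was validly
# signed), so review the signer and start mode of every driver, not just the
# unsigned ones; this view surfaces the blocklisted and non-valid entries first.
$inventory | Where-Object { $_.Blocked -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, State, SigStatus, Signer, Sha256 -AutoSize

"Memory integrity (HVCI) running: $(Get-MemoryIntegrityStatus)"
```

Export `$inventory` to CSV on a schedule and diff it against the previous run, so a newly registered driver with an unfamiliar signer stands out even when its signature is valid.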

Implications and Warning to the Cybersecurity World 

The use of signed drivers exposes serious weaknesses in security systems. Since attackers now use legitimate certificates to bypass traditional defenses, cybersecurity firms must respond in kind: monitor for vulnerabilities actively and react immediately to known system weaknesses. Trust itself has become a weapon that lets attackers open serious holes in systems, so companies and developers need to keep continual watch over how their tools are used. Minor lapses in oversight can result in significant security threats.

Building defensive measures with your trusted cybersecurity firms is only one part of the practice; the main focus lies in perpetual trust verification. Significant security gaps appear when trusted tools become weapons, because otherwise secure systems become vulnerable through them.

Looking to strengthen your company’s cybersecurity posture against threats? Get in touch with EB Solution today! We offer cybersecurity and IT management solutions for businesses, regardless of size.
