Dive Brief:
- Prominent threat actors have abused legitimately signed Microsoft drivers to bypass traditional endpoint security and launch attacks against organizations in several key industries, according to research from SentinelOne and Mandiant.
- Researchers discovered Poortry and Stonestop malware, which are part of small toolkits that can shut down antivirus and endpoint detection and response (EDR) security.
- Microsoft, in a Tuesday advisory, said the activity was limited to the abuse of several developer program accounts. The company suspended seller accounts associated with those partners and implemented blocking detection.
Dive Insight:
SentinelOne found a threat actor abusing a Microsoft signed malicious driver in order to evade a number of security products. In other cases the driver was used to control, pause or kill various processes on the targeted endpoints, according to researchers. In a number of cases the attackers tried to offer SIM swapping services, according to SentinelOne.
Over the course of 2022, the attacks focused on telecommunications and business process outsourcing companies. Other targets included managed security service providers, financial services, entertainment and other industries.
A separate threat actor was also seen using Microsoft signed drivers to deploy Hive ransomware against a target in the medical industry.
“The drivers referenced were used in different attempts to disable endpoint protection of various products at victim sites,” Brian Bartholomew, researcher at SentinelOne, said via email. “After analyzing the malicious tools, we realized the severity of the issue as the malicious components were effectively signed by Microsoft, which allowed them to bypass other security checks.”
The several distinct malware families, associated with distinct threat actors, used a technique known as “attestation signing,” Mandiant researchers said. By using this technique they become trusted by Microsoft.
Mandiant said a financially motivated threat actor, identified as UNC3944, was seen deploying the signed malware. The group has been active since at least May of this year, and uses credentials stolen from SMS phishing operations.