Microsoft acknowledges many Windows 11, Windows 10 WHQL drivers were actually malware

    Karlston


    Earlier today, Microsoft released its Patch Tuesday updates for Windows 10 (KB5028166) and Windows 11 (KB5028185). The company separately announced new Dynamic SafeOS updates meant to harden the security mitigations put in place against Secure Boot vulnerabilities.

     

    Alongside changes to its Secure Boot DBX, Microsoft also added several malicious drivers to its Windows Driver.STL revocation list. Microsoft was informed of these drivers by the security research firms Cisco Talos, Sophos, and Trend Micro.

     

    In a dedicated security advisory, ADV230001, Microsoft explains the issue (CVE-2023-32046), which resulted from maliciously signed WHQL drivers:

     

    Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers.

     

    Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.

     

    Microsoft has required kernel-mode drivers to be signed through its WHDP program since Vista. However, as this has happened before, certification is not a foolproof method. Cisco Talos told Neowin that threat actors have been using various driver signature-forging utilities, such as HookSignTool, to bypass the WHCP measures. Aside from forging signatures, such utilities have also been used to re-sign patched software, such as PrimoCache.

     

    Cisco stated:

     

    During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers.

     

    HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool.

     

    The signing of malicious drivers isn’t the only issue that arises from the existence of these tools. During our research, we encountered HookSignTool being used to re-sign drivers after being patched to bypass digital rights management.

     

    Microsoft has added all such drivers to the Vulnerable Driver Blocklist with Windows Security updates (Microsoft Defender 1.391.3822.0 and newer).
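    The defender-side checks that follow from the above, as an added example that is not code from the Neowin article, Microsoft or Cisco Talos: inventory the kernel-mode drivers on a Windows 10/11 host, record each file's Authenticode signer, certificate validity window and whether the signature carries a timestamp (a signature on an already-expired certificate is trusted only because of its timestamp, which is exactly what the forging tools fake), and confirm that Microsoft Defender's security intelligence is at or above the 1.391.3822.0 version the article names. The minimum version is taken from the article; the function names and output fields are this example's own choices, and it assumes an elevated PowerShell session.

```powershell
# Added example, not code from the Neowin article, Microsoft or Cisco Talos.
# Inventories kernel-mode drivers on a Windows 10/11 host, reports each file's Authenticode
# signer, certificate validity window and whether the signature is timestamped, and checks
# that Microsoft Defender's security intelligence is at or above 1.391.3822.0 (the version
# the article gives for the updated Vulnerable Driver Blocklist). Run elevated.

$RequiredDefenderSignatureVersion = [version]'1.391.3822.0'   # value from the article

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths for some drivers; map them to Win32 paths.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot locate
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                SigStatus   = $sig.Status
                Signer      = if ($signer) { $signer.Subject }    else { $null }
                Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
                NotBefore   = if ($signer) { $signer.NotBefore }  else { $null }
                NotAfter    = if ($signer) { $signer.NotAfter }   else { $null }
                TimeStamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

function Get-DriversForReview {
    param([object[]]$Report, [datetime]$Now = (Get-Date))
    # Worth a manual look: signatures that do not validate, and signer certificates that are
    # outside their validity window today (their trust rests entirely on the timestamp).
    $Report | Where-Object {
        $_.SigStatus -ne 'Valid' -or
        ($_.NotAfter  -and $_.NotAfter  -lt $Now) -or
        ($_.NotBefore -and $_.NotBefore -gt $Now)
    }
}

function Test-DefenderSignatureVersion {
    param([version]$Minimum = $RequiredDefenderSignatureVersion)
    # AntivirusSignatureVersion is a dotted string such as 1.391.xxxx.0; compare as a version.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current  = $current
        Minimum  = $Minimum
        UpToDate = ($current -ge $Minimum)
    }
}

$report = Get-DriverSignatureReport
Get-DriversForReview -Report $report |
    Sort-Object Name |
    Format-Table Name, State, SigStatus, NotAfter, TimeStamped, Signer -AutoSize
Test-DefenderSignatureVersion
```

    The review list is a starting point, not a verdict: inbox drivers are normally catalog-signed with certificates that expired long ago, and Get-AuthenticodeSignature resolves those through the catalog on current Windows, so an expired, timestamped Microsoft-signed driver is routine. Third-party drivers whose signer certificate expired before the file appeared on the host, or whose signature does not validate at all, are the entries to compare against the Driver.STL revocation list and the Vulnerable Driver Blocklist.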

     

    Source: Cisco Talos via Sophos, Trend Micro

