Investigating and Mitigating Malicious Drivers

The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors. As the industry moves closer to the adoption of a Zero Trust security posture with broad and layered defenses, we remain committed to sharing threat intelligence with the community to shine a light on the latest techniques and exploits of attackers so the industry can better protect itself.

Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.

No Evidence of Certificate Exposure
We have seen no evidence that the WHCP signing certificate was exposed. The infrastructure was not compromised. In alignment with our Zero Trust and layered defenses security posture, we have built-in detection and blocking of this driver and associated files through Microsoft Defender for Endpoint. We are also sharing these detections with other AV security vendors so they can proactively deploy detections.

The actor’s activity is limited to the gaming sector, specifically in China, and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.

It’s important to understand that the techniques used in this attack occur post-exploitation: an attacker must either have already gained administrative privileges, so that they can run the installer that updates the registry and installs the malicious driver the next time the system boots, or convince the user to do it on their behalf.

We will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections. There are no actions customers should take other than following security best practices and deploying antivirus software such as Windows Defender for Endpoint.

Just like our defenders, our adversaries are creative and determined. Because of this, Microsoft approaches security with an assume breach mentality and layered defenses. We work tirelessly alongside our industry partners to ensure the community as a whole is aware of new attack tools, tactics and procedures that we have observed or that have been reported through responsible disclosure. By sharing the information we’ve learned with this report, we are raising awareness of these techniques so that more protections can be built in across the industry and to increase the degree of difficulty for attackers.

Additional Information on the Windows Hardware Compatibility Program
Microsoft Defender and Windows Security teams work diligently with driver publishers to detect security vulnerabilities before they can be exploited by malicious software. Microsoft Defender for Endpoint’s UEFI scanner is able to scan below the operating system, where these attacks occur, to add further detection and protection from these kinds of low-level attacks. We also build automated mechanisms through Windows Update to block vulnerable versions of drivers and protect customers against vulnerability exploits based on ecosystem and partner engagement, as this is an issue that challenges the industry at large.

Our security teams continue to work closely with the OEM and driver publishers to analyze and patch any known vulnerabilities and to update affected devices prior to shipment. Once the driver publisher patches the vulnerability, an update to all affected drivers is pushed out via the Windows Update (WU) platform. Once affected devices receive the latest security patches, drivers with confirmed security vulnerabilities are blocked on Windows 10 devices using Microsoft Defender for Endpoint Attack Surface Reduction (ASR) and Microsoft Windows Defender Application Control (WDAC) technologies to protect devices against exploits. More information is available via our Microsoft recommended driver block rules document.

Url: https://administrator.de/contentid/839772680