Microsoft-approved hardware drivers used in cyber attacks

OXFORD, UNITED KINGDOM – Hardware drivers signed by Microsoft have been used in ransomware attacks, according to SophosLabs, the research arm of the information technology (IT) security company Sophos.
Sophos found a pair of files on compromised machines that, in its words, “work together to terminate processes or services used by a variety of endpoint security product vendors.”
“In our post-attack analysis, SophosLabs determined that the pair of executable files — a cryptographically signed Windows driver (signed with a legitimate signing certificate) and an executable “loader” application designed to install the driver — were used in tandem in a failed attempt to disable endpoint security tools on the targeted machines,” Sophos stated in a news release posted on its website.
Sophos, together with two other IT security firms, SentinelLabs and Mandiant, observed the same tooling being used against telecommunications, business process outsourcing (BPO), managed security service provider (MSSP) and financial services companies.
The Sophos report noted that the use of device drivers to sabotage or terminate security tools increased during 2022.
“The research by SophosLabs indicates that the threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers,” according to Sophos.
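The point of the Sophos finding is that a valid Authenticode signature on a kernel driver is no longer a sufficient trust signal by itself. The following PowerShell script is an added example, not code from Sophos or from the report described above: it inventories the kernel drivers currently running, records the path, signer and SHA-256 of each, and flags drivers loaded from outside the usual drivers directory, so that a validly signed but unexpected driver stands out for review. It assumes Windows PowerShell 5.1 or later run with local administrator rights; the path-normalisation rules, the output file location and the "outside the drivers directory" heuristic are this example's own assumptions.

```powershell
# Added example, not from the Sophos report.
# Assumes Windows PowerShell 5.1+ running as a local administrator.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a full path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                      # strip "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"       # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') {                           # relative, e.g. system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# Assumption: drivers normally live here; anything else deserves a closer look.
$expectedDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = $null
        $hash = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Name              = $_.Name
            Path              = $path
            SigStatus         = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer            = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SignerThumbprint  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            Sha256            = $hash
            OutsideDriversDir = [bool]($path -and -not $path.StartsWith($expectedDir, 'OrdinalIgnoreCase'))
        }
    }

# A "Valid" status is not a clean bill of health: the drivers in the Sophos case
# were validly signed. Review drivers loaded from outside the drivers directory,
# drivers whose signer is not the vendor you expect for that device, and compare
# the SHA-256 values against Microsoft's vulnerable-driver blocklist and your own deny list.
$report | Sort-Object OutsideDriversDir, Signer -Descending | Format-Table -AutoSize

# Keep a copy for diffing against a known-good baseline from the same build.
$report | Export-Csv -LiteralPath (Join-Path $env:TEMP 'driver-inventory.csv') -NoTypeInformation
```

One caveat when reading the output: Microsoft's in-box drivers are typically catalog-signed rather than carrying an embedded signature, so on some PowerShell versions they can show a status other than Valid even though they are genuine; treat the signer and hash columns, and a diff against a baseline from a clean machine of the same build, as the actual evidence rather than the status column alone.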