Freely subscribe to our NEWSLETTER

In 2022, the actors were involved in a variety of intrusions, heavily targeting Business Process Outsourcing (BPO) and telecommunications businesses. Additional targeting includes the entertainment, transportation, Managed Security Service Providers (MSSP), financial, and cryptocurrency sectors.

Notably, SentinelLabs observed a separate threat actor also utilising a similar Microsoft signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling.

Key findings:
• SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
• Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
• This discovery was first reported to Microsoft’s Security Response Center (MSRC) in October 2022 and SentinelOne received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.

Conclusion
Code signing mechanisms are an important feature in modern operating systems. The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers. It is hoped that Microsoft will take steps to consider further enhancements to bolster the security of their signing process to help maintain the implicit trust placed in Microsoft-signed drivers.