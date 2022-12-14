



Dive Brief: According to research by SentinelOne and Mandiant, prominent threat actors have abused Microsoft-signed drivers to bypass endpoint security products and launch attacks against organizations in several key industries.

Researchers discovered the Poortry and Stonestop malware, a kernel driver and the user-mode utility that loads it, which together form a small toolkit capable of disabling antivirus and endpoint detection and response (EDR) software.

Microsoft, in a notice published on Tuesday, said the activity was limited to the abuse of several developer program accounts. The company has suspended the partners' seller accounts and implemented blocking detections.

Dive Insight: SentinelOne found that a threat actor was using a malicious driver signed by Microsoft to evade a number of security products. In other cases, the driver was used to control, pause or kill processes on the targeted endpoints, according to the researchers. In a number of cases the attackers attempted to carry out SIM swapping, according to SentinelOne.

During 2022, the attacks focused on telecommunications and business process outsourcing companies. Other targets included managed security service providers, financial services, entertainment and other industries. A separate threat actor was also seen using Microsoft-signed drivers to deploy Hive ransomware against a target in the medical industry.

The referenced drivers have been used in various attempts to disable endpoint protection from several vendors on victim sites, SentinelOne researcher Brian Bartholomew said via email. "After analyzing the malicious tools, we realized the seriousness of the problem because the malicious components were indeed signed by Microsoft, which allowed them to bypass other security checks," he said.

The several distinct malware families, tied to separate threat actors, were signed through a Microsoft process known as attestation signing, the Mandiant researchers said. Because the resulting signature is Microsoft's, Windows trusts the drivers without further checks.

Mandiant said a financially motivated threat actor, tracked as UNC3944, was seen deploying the signed malware. The group has been active since at least May this year and uses credentials stolen in SMS phishing operations.
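Since attestation-signed drivers carry a genuine Microsoft signature, a signature check alone does not separate them from legitimately WHQL-certified third-party drivers. The following PowerShell script is an added example, not code from the article or from SentinelOne, Mandiant or Microsoft. It inventories the kernel drivers running on a Windows host and flags the ones whose signing certificate carries the attestation-signing Enhanced Key Usage, so an analyst can review that shorter list against their software inventory. The function name Get-RunningDriverSignatures is the author's; the EKU OIDs (1.3.6.1.4.1.311.10.3.5.1 for attestation signing, 1.3.6.1.4.1.311.10.3.5 for WHQL) and the publisher subject are assumptions taken from Microsoft's driver-signing documentation and should be confirmed against a known-good driver on your own systems before relying on them.

```powershell
# Added example (not from the article): list running kernel drivers with their
# Authenticode signer and flag attestation-signed ones for manual review.
# Assumption: attestation-signed drivers carry EKU 1.3.6.1.4.1.311.10.3.5.1
# ("Windows Hardware Driver Attested Verification"); WHQL-certified drivers carry
# 1.3.6.1.4.1.311.10.3.5 instead. Both are signed by the same Microsoft publisher
# certificate, so the EKU is what tells them apart. Verify on a known-good driver.
$AttestedEku = '1.3.6.1.4.1.311.10.3.5.1'
$WhqlEku     = '1.3.6.1.4.1.311.10.3.5'

function Get-RunningDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
      ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # WMI returns NT-style paths such as \??\C:\... or \SystemRoot\...;
        # turn them into Win32 paths that Get-AuthenticodeSignature accepts.
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Get-AuthenticodeSignature also resolves catalog (.cat) signatures, which is
        # how most WHQL drivers are signed; SignatureType tells which form was found.
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        $ekus = @()
        if ($cert) { $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) }

        [pscustomobject]@{
            Name          = $_.Name
            Path          = $path
            Status        = $sig.Status
            SignatureType = $sig.SignatureType
            Signer        = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Thumbprint    = if ($cert) { $cert.Thumbprint } else { '' }
            Attested      = ($ekus -contains $AttestedEku)
            Whql          = ($ekus -contains $WhqlEku) -and -not ($ekus -contains $AttestedEku)
        }
      }
}

# Triage view: attestation-signed drivers first, since that is the path abused here.
# A hit is not proof of malice; compare each entry with your hardware/software inventory
# and with Microsoft's vulnerable-driver blocklist, and keep Windows security updates
# applied so revoked certificates and blocked hashes take effect.
Get-RunningDriverSignatures |
  Sort-Object -Property @{Expression = 'Attested'; Descending = $true}, Name |
  Format-Table Name, Status, SignatureType, Attested, Whql, Signer -AutoSize
```

Run it from an elevated prompt so every driver path is readable. Drivers whose Signer is a Microsoft Windows publisher and whose SignatureType is Catalog are the normal inbox case; a third-party driver that is attestation-signed, was installed recently, and is not explained by any hardware on the machine is the one to pull for analysis. Note that a valid signature status on such a driver is expected, which is exactly the point the researchers made: the signature cannot be the control, the blocklist and EDR tamper-protection settings have to be.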

