Executive Summary:
Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers.
Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.
Details:
Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers. An investigation was performed when we were notified of this activity by Sophos on February 9, 2023; Trend Micro and Cisco subsequently provided reports containing additional details. This investigation revealed that several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature. All the developer accounts involved in this incident were immediately suspended.
Microsoft has released Window Security updates (see Security Updates table) that untrust drivers and driver signing certificates for the impacted files and has suspended the partners' seller accounts. Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.391.3822.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity. For more information about how the Windows Code Integrity feature protects Microsoft customers from revoked certificates see: (Notice of additions to the Windows Driver.STL revocation list - Microsoft Support)[
https://support.microsoft.com/help/5029033].
Microsoft is working with Microsoft Active Protections Program (MAPP) partners to help develop further detections and to better protect our shared customers. Microsoft Partner Center is also working on long-term solutions to address these deceptive practices and prevent future customer impacts.
Recommended Actions:
Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.
Frequently Asked Questions:
Are any Microsoft services (Azure, M365, XBOX, Etc.) affected by this issue?
Microsoft’s services are not affected by this issue. Our investigation has not identified any instances of malicious drivers affecting any of our services.
How can customers deploy their own Hypervisor-protected Code Integrity (HVCI) policy to perform detections in their own environment?
Updates will be made to the Microsoft Recommended Driver Blocklist -
Microsoft recommended driver block rules (Windows 10) - Windows security | Microsoft Docs policy to perform detections in their own environment.
After the full set of malicious files has been locked, customers (enterprise and consumer) can deploy this policy onto devices to block against this malicious file and other malicious and vulnerable drivers on the blocklist. Additionally, enabling Hypervisor-protected Code Integrity (HVCI) will automatically enforce the policy without needing to deploy the policy.
How do I determine if any drivers are affected that were installed prior to the available detections were implemented?
Offline scans will be required to detect malicious drivers which might have been installed prior to March 2, 2023, when new Microsoft detections were implemented. For more information see
Remove malware from your Windows PC.