The security advisory Microsoft published yesterday, ADV230001, covers an issue with many drivers certified by the Windows Hardware Developer Program that "were being used maliciously in post-exploitation activity." The problem was discovered by researchers at Sophos, who notified Microsoft in early February 2023. Microsoft also reveals that Trend Micro and Cisco provided their own reports on such problems, bringing the total number of unsafe drivers (including non-certified ones) to 133.
According to Microsoft, the subsequent investigation revealed that "several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature." Unsurprisingly, all of these accounts were promptly suspended. Other measures were taken as well, such as the implementation of blocking detections (starting with Microsoft Defender 1.391.3822.0) that provide protection against legitimately signed drivers used in post-exploitation activity.
As revealed by Sophos, two types of malicious drivers have been used in various attacks lately. The first is similar to the maliciously signed drivers discovered last year that belong to the "endpoint protection killer" category, while the other resembles a rootkit, designed to run silently as just another background task.
As usual, all that home users need to do is keep their operating system updated. These problems affect only Windows PCs and no other devices or services, so users of Azure, Xbox, or Microsoft 365 have nothing to worry about.