Microsoft addresses malicious exploitation of certified Windows drivers


Yesterday, Microsoft published a security advisory, ADV230001, addressing numerous drivers certified by the Windows Hardware Developer Program that were found to be used maliciously in post-exploitation activity. The discovery was credited to researchers at Sophos, who notified Microsoft in early February 2023. Microsoft disclosed that Trend Micro and Cisco also submitted reports, collectively identifying 133 unsafe drivers, including non-certified ones.

In a subsequent investigation, Microsoft found that several developer accounts associated with the Microsoft Partner Center (MPC) had submitted these malicious drivers to obtain a Microsoft signature. All of these accounts were suspended. Microsoft also implemented further measures, such as blocking detections (commencing with Microsoft Defender 1.391.3822.0), which protect against legitimately signed drivers used in post-exploitation activity.

In their findings, Sophos described two types of malicious drivers employed in recent attacks. The first type is similar to the maliciously signed drivers discovered last year and falls under the “Endpoint protection killer” category. The second type resembles a rootkit, designed to operate discreetly as an inconspicuous background task.

Fortunately, home users need only ensure their operating systems are kept up to date. No devices or services other than Windows PCs have been impacted by these issues, so Azure, Xbox, and Microsoft 365 users have no cause for concern.

via NotebookCheck