Microsoft is investigating an incident where a threat actor submitted malicious drivers for certification through the Windows Hardware Compatibility Program.
Built by a third-party, the drivers were designed to target gaming environments and could allow the attacker to spoof their location and play from anywhere.
Immediately upon learning of the issue, Microsoft said it suspended the offending account and started reviewing their submissions to identify any additional malware.
The company also added detection rules in Microsoft Defender for Endpoint to block the driver and its associated files, and also shared the information with other security vendors.
“We have seen no evidence that the WHCP signing certificate was exposed. The infrastructure was not compromised,” Microsoft says.
Microsoft believes the the threat actor is specifically targeting the gaming sector in China, and that it has no interest in hitting enterprise environments.
Microsoft also notes that the malicious driver appears meant to help the adversary spoof geo-location data to be able to cheat and play games from anywhere. This may also allow the threat actor to possibly compromise other players’ accounts through keyloggers and other common tools.
[ See: High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices ]
The tech giant also explains that the identified driver is used post exploitation, with the attacker first gaining administrative privileges to install the malicious driver, or convincing the targeted user to do it.
Security researchers at antivirus company G Data were the first to discover the malicious driver. Named Netfilter, the threat acts like a rootkit and was designed for IP redirection, the researchers say.
The threat fetches the IP addresses and the redirection target from a specific address that is also used for the malware’s self-update routine, as well as to receive a root certificate that is added to registry.
Related: High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices
Related: Vulnerabilities in Device Drivers From 20 Vendors Expose PCs to Persistent Malware
More from Ionut Arghire
- Dozens of Malicious Extensions Found in Chrome Web Store
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
Latest News
- Dozens of Malicious Extensions Found in Chrome Web Store
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
