whecow.blogg.se

Pandian stores june 25 06 2019




We have seen no evidence that the WHCP signing certificate was exposed. In alignment with our Zero Trust and layered defenses security posture, we have built-in detection and blocking of this driver and associated files through Microsoft Defender for Endpoint. We are also sharing these detections with other AV security vendors so they can proactively deploy detections.

The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.

It’s important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.

We will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections. There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint. Just like our defenders, our adversaries are creative and determined.


Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. We have suspended the account and reviewed their submissions for additional signs of malware.


The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors. As the industry moves closer to the adoption of a Zero Trust security posture with broad and layered defenses, we remain committed to sharing threat intelligence with the community to shine a light on the latest techniques and exploits of attackers so the industry can better protect itself.





