
Ransomware gang caught using Microsoft-approved drivers to hack targets • TechCrunch


Security researchers say they have evidence that threat actors affiliated with the Cuba ransomware gang used malicious hardware drivers certified by Microsoft during a recent attempted ransomware attack.

Drivers, the software that lets operating systems and applications access and communicate with hardware devices, run in kernel mode with highly privileged access to the operating system and its data. That is why 64-bit Windows requires a driver to carry an approved cryptographic signature before it will allow the driver to load.

Signed drivers have long been abused by cybercriminals, often through a "bring your own vulnerable driver" (BYOVD) approach, in which attackers load a legitimately signed Windows driver from a real software publisher and exploit a vulnerability in it to gain kernel-level access. Researchers at Sophos say they have observed attackers making a concerted effort to move progressively toward signing their own malicious drivers with more widely trusted digital certificates.

While investigating suspicious activity on a customer network, Sophos discovered evidence that the Russia-linked Cuba ransomware gang is working its way up the trust chain. The gang's oldest malicious drivers, dating back to July, were signed with certificates belonging to Chinese companies. The group then began signing its malicious driver with a leaked, since-revoked Nvidia code-signing certificate taken from the data dumped by the Lapsus$ extortion group when it breached the chipmaker in March.

The attackers have now managed to obtain signatures through Microsoft's official Windows Hardware Developer Program, which means the malicious driver is trusted by any Windows system that enforces driver signing.

"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," wrote Sophos researchers Andreas Klopsch and Andrew Brandt in a blog post. "Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets' computers."

Sophos found that the Cuba gang planted the malicious signed driver onto a targeted system using a variant of the so-called BurntCigar loader, a known piece of malware affiliated with the ransomware group that was first observed by Mandiant. The two are used in tandem in an attempt to disable endpoint detection and response (EDR) tools on the targeted machines.

Had the attempt succeeded (in this case it did not), the attackers could have deployed ransomware on the compromised systems.

Sophos, along with researchers from Mandiant and SentinelOne, informed Microsoft in October that drivers certified with legitimate certificates were being used maliciously in post-exploitation activity. Microsoft's own investigation revealed that several developer accounts for the Microsoft Partner Center had been submitting malicious drivers to obtain a Microsoft signature.

"Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware," Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday. Microsoft said it has released Windows security updates revoking the certificate for affected files and has suspended the partners' seller accounts.
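The point of this campaign is that a signature check alone no longer separates good drivers from bad ones: a driver signed through the Hardware Developer Program validates exactly like any other. The following PowerShell is an added example for defenders, not code from the TechCrunch article, Sophos or Microsoft. It inventories the kernel drivers registered on a Windows host, verifies each file's Authenticode signature, records the signer, and flags anything that is unsigned, fails validation, or whose SHA-256 hash appears on an operator-supplied blocklist. `$KnownBadHashes` is an assumed placeholder to be filled from your own threat intelligence (no real hashes are included), and the path normalisation covers the `\??\` and `\SystemRoot\` forms commonly seen in `PathName`.

```powershell
# Added example: audit registered kernel drivers for signature state and
# known-bad hashes. Not part of the original article or the vendor reports.

# Placeholder (assumption): populate from your own intel, e.g. hashes of the
# EDR-killer drivers named in the Sophos / Microsoft write-ups.
$KnownBadHashes = @(
    # 'SHA256-HEX-OF-KNOWN-BAD-DRIVER'
)

# Win32_SystemDriver lists every kernel driver registered as a service,
# with the on-disk path in PathName (often in kernel-style "\??\" or
# "\SystemRoot\" form rather than a plain Win32 path).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName }

$results = foreach ($drv in $drivers) {
    # Normalise kernel-style paths to something the file cmdlets accept.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Authenticode verification: Status is Valid, NotSigned, HashMismatch,
    # NotTrusted, UnknownError, etc. SignerCertificate is the leaf cert.
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.Subject
    } else {
        '(none)'
    }

    [pscustomobject]@{
        Name        = $drv.Name
        State       = $drv.State          # Running / Stopped
        Path        = $path
        Status      = $sig.Status
        Signer      = $signer
        Sha256      = $hash
        OnBlocklist = ($KnownBadHashes -contains $hash)
    }
}

# Triage view: anything that does not validate, plus any hash on the list.
$results |
    Where-Object { $_.Status -ne 'Valid' -or $_.OnBlocklist } |
    Sort-Object Name |
    Format-Table Name, State, Status, Signer, OnBlocklist -AutoSize

# Full inventory, useful for spotting a running driver from an unexpected
# publisher even when its signature is Valid.
$results | Sort-Object Signer, Name |
    Format-Table Name, State, Status, Signer -AutoSize
```

Two caveats when reading the output. First, a driver signed through the Hardware Developer Program will show `Status = Valid` with a Microsoft hardware compatibility publisher as signer, which is precisely why the inventory prints signer and hash rather than stopping at the validity flag: the hash blocklist and Microsoft's driver block rules are what actually catch the drivers described above, not the signature check. Second, some inbox Windows drivers are catalog-signed rather than carrying an embedded signature, so a `NotSigned` result on a file under `System32\drivers` is a triage cue to verify against the catalog, not proof of tampering.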

Earlier this month, a U.S. government advisory revealed that the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally. The advisory warned that the ransomware group, which has been active since 2019, continues to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.


