Ransomware gang used Microsoft-approved drivers to hack targets
Security researchers say they have evidence that threat actors associated with the Cuba ransomware gang used malicious hardware drivers certified by Microsoft during a recent attempted ransomware attack.
Drivers—the software that allows operating systems and apps to access and communicate with hardware devices—require highly privileged access to the operating system and its data, which is why Windows requires drivers to carry an approved cryptographic signature before it will load them.
These drivers have long been abused by cybercriminals, often taking a “bring your own vulnerable driver” approach, where hackers exploit vulnerabilities found in an existing Windows driver from a legitimate software publisher. Researchers at Sophos say they have observed hackers making a concerted effort to gradually move towards using more trusted digital certificates.
While investigating suspicious activity on a customer network, Sophos discovered evidence that the Russian-linked Cuba ransomware gang is making efforts to move up the chain of trust. During its investigation, Sophos found that the gang’s oldest malicious drivers, dating back to July, were signed with certificates from Chinese companies; the gang then began signing its malicious driver with a leaked, since-revoked Nvidia certificate found in the data dumped by the Lapsus$ ransomware gang when it hacked the chip maker in March.
The attackers have now managed to get a malicious driver signed through Microsoft’s official Windows Hardware Developer Program, meaning that the malware is inherently trusted by any Windows system.
“Threat actors are moving up the pyramid of trust, attempting to use increasingly trusted cryptographic keys to digitally sign their drivers,” Sophos researchers Andreas Klopsch and Andrew Brandt wrote in a blog post. “Signatures from a large, trusted software publisher make it more likely that the driver will load into Windows without hindrance, improving the chances that Cuban ransomware attackers can end the security processes that protect targets’ computers.”
Sophos found that the Cuba gang planted the malicious signed driver on a targeted system using a variant of the so-called BurntCigar loader, a known piece of malware associated with the ransomware group and first observed by Mandiant. The two are used together in an attempt to disable endpoint detection security tools on the targeted machines.
If they are successful – which in this case they were not – the attackers can deploy the ransomware on the compromised systems.
Sophos, along with researchers from Mandiant and SentinelOne, informed Microsoft in October that drivers certified by legitimate certificates were being used maliciously in post-exploit activity. Microsoft’s own investigation revealed that several Microsoft Partner Center developer accounts were engaged in submitting malicious drivers to obtain a Microsoft signature.
“Ongoing Microsoft Threat Intelligence Center analysis indicates that the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity, such as distribution of ransomware,” Microsoft said in an advisory published as part of its monthly scheduled release of security updates, known as Patch Tuesday. Microsoft said it has released Windows security updates that revoke the certificate for affected files and has suspended its partners’ merchant accounts.
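Because the defence here rests on the signature check described above, and on the certificate revocation Microsoft shipped, a defender's first triage question is which kernel drivers on a host no longer verify cleanly. The following is an added example, not code from the article, Sophos or Microsoft; it assumes an elevated PowerShell session on Windows and uses only built-in cmdlets.

```powershell
# Added example: list running kernel drivers with their Authenticode signature state.
# A driver whose signing certificate has since been revoked, or that was never
# signed, reports a Status other than 'Valid' and is worth a closer look.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName is not uniformly formatted: strip quotes and the \??\ prefix,
    # and expand \SystemRoot so Test-Path can resolve the file.
    $path = $d.PathName -replace '"', '' `
                        -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name    = $d.Name
        Path    = $path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '<unsigned>' }
        Message = $sig.StatusMessage
    }
}

# Drivers that fail verification (NotSigned, HashMismatch, revoked chain, ...).
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# A signer that appears on exactly one driver and is unknown to the fleet is a
# useful lead, since the abuse described here hides behind otherwise-valid signatures.
$report | Group-Object Signer | Sort-Object Count | Select-Object Count, Name
```

Signature verification follows the current machine certificate state, so the revocation only shows up on hosts that have installed the corresponding Windows update.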
Earlier this month, a US government advisory revealed that the Cuba ransomware gang has raised an additional $60 million from attacks against 100 organizations globally. The advisory warned that the ransomware group, which has been active since 2019, continues to target US entities in critical infrastructure, including financial services, public facilities, healthcare and public health, and critical manufacturing and information technology.