Evidence suggests that the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.
Remember when, in 2021, a report surfaced that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.
Sophos X-Ops Rapid Response (RR) recently uncovered evidence that threat actors, potentially linked to the Cuba ransomware gang, used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.
Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing the driver to load.
However, cybercriminals have long found ways to exploit vulnerabilities in existing Windows drivers from legitimate software publishers. These attackers work to move progressively up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers.
Sophos, along with researchers from Google-owned Mandiant and SentinelOne, warned Microsoft about these signed malicious drivers, which were being planted on targeted machines using a variant of the BurntCigar loader utility. The loader and the driver then worked in tandem to kill processes associated with antivirus (AV) and endpoint detection and response (EDR) products.
“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday.
Microsoft concluded its investigation by stating that “no compromise has been identified,” and proceeded to suspend the partners’ seller accounts. It also released Windows security updates to revoke the abused certificates.
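As an added example (not from the article or any of the reports it cites), the following PowerShell triage lists the kernel drivers currently running on a Windows host, checks each one’s Authenticode signature, and separates out those signed through the Windows Hardware Developer Program (whose signer is the “Microsoft Windows Hardware Compatibility Publisher” certificate) so that drivers whose signature the OS no longer trusts after the revocation update stand out. It assumes drivers live under the default system path.

```powershell
# Added example: triage running kernel drivers for signature status and for
# Hardware Developer Program signing. Assumes default driver locations.
$hwPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

# Only drivers that are actually loaded matter for the AV/EDR-killing scenario.
$loaded = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$results = foreach ($drv in $loaded) {
    # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Name      = $drv.Name
        Path      = $path
        Status    = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer    = $subject
        HwProgram = $subject -like "*CN=$hwPublisher*"
    }
}

# Drivers the OS no longer trusts (revoked or untrusted chain, tampered file)
# are the first things to inspect after the certificate-revocation update.
'--- Running drivers with a signature status other than Valid ---'
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Status, Path -AutoSize

# A Hardware-Program-signed driver is not malicious by itself, but this is the
# population the abused certificates belonged to, so review any unfamiliar names.
'--- Running drivers signed through the Windows Hardware Developer Program ---'
$results | Where-Object { $_.HwProgram } | Sort-Object Name | Format-Table Name, Status, Path -AutoSize
```

Run it from an elevated prompt so every loaded driver’s image file is readable; a driver that appears in the first table and is unfamiliar should be cross-checked against the vendor advisories before any action is taken.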
Mandiant’s report is available here. In SentinelOne’s blog post, the security firm reported that it had seen several attacks where a threat actor used malicious signed drivers to evade security products which usually trust components signed by Microsoft.
The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, SIM swapping was the end goal.
The Cuba ransomware group has taken in $60 million from attacks against 100 organisations globally, according to a joint advisory earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.
This is not the first time threat actors have used Microsoft-signed drivers in their operations, and putting a stop to the practice has evidently not been an easy task for Microsoft.