
Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware


Less than two weeks ago, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory warning of ransomware attacks by a gang calling itself “Cuba.” The group, which researchers believe is based in Russia, has gone on a rampage over the past year, targeting a growing number of businesses and other organizations in the United States and abroad. New research released today shows that Cuba has been using malware in its attacks that was signed, or certified, by Microsoft.

Cuba used these cryptographically signed “drivers” after compromising a target’s systems, as part of an effort to disable security scanning tools and alter system settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from security company Sophos. Researchers from Palo Alto Networks Unit 42 had previously observed Cuba signing a privileged piece of software known as a “kernel driver” with a legitimate NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. Sophos says it has also seen the group use the strategy with compromised certificates from at least one other technology company, a Chinese firm that security company Mandiant identified as Zhuhai Liancheng Technology Co.

“Microsoft was recently notified that drivers certified by the Microsoft Windows Hardware Developer Program are being used maliciously in post-exploitation activity,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were involved in submitting malicious drivers to obtain a Microsoft signature… Signed malicious drivers could potentially be used to facilitate post-exploitation intrusion activity, such as the deployment of ransomware.”

Sophos notified Microsoft of the activity on October 19, along with Mandiant and security company SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows relating to the situation. The company added that it has not identified any compromise of its own systems beyond the abuse of partner accounts.

Microsoft declined WIRED’s request for comment beyond its advisory.

“These attackers, most likely an affiliate of the Cuba ransomware group, know what they are doing, and they are very persistent,” said Christopher Budd, director of threat research at Sophos. “We found a total of 10 malicious drivers, all variations of the original discovery. These drivers represent a concerted effort to move up the chain of trust, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it is extremely effective, because the driver can basically do any process without question.”

Cryptographic code signing is an important authentication mechanism: a valid signature attests that a piece of software came from a specific, vetted party (the certificate holder, vouched for by a trusted “certificate authority”) and that it has not been altered since it was signed. It says nothing about whether the code is benign. Attackers therefore constantly probe this infrastructure for weak points where they can steal certificates, or subvert and abuse the signing process itself, to lend their malware an air of legitimacy.
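Because a valid signature proves provenance rather than intent, the practical defender’s check is not “is this driver signed?” but “who signed it, what is its hash, and is that hash on a revocation or blocklist?” The following is an added example, written for this page and not taken from the article, Sophos, Mandiant, or Microsoft. It inventories the kernel drivers registered on a Windows host, records the Authenticode signer and SHA-256 of each, and singles out third-party drivers signed through the Windows Hardware Developer Program (whose signer name, `Microsoft Windows Hardware Compatibility Publisher`, is the assumption the filter rests on) so they can be compared against hashes from vendor advisories. The `$KnownBadSha256` list is an empty placeholder to be filled from those advisories, and the registry value checked at the end is assumed to reflect the Microsoft vulnerable-driver blocklist on current Windows 11 builds.

```powershell
# Added example (not from the article): inventory kernel drivers by Authenticode
# signer so WHCP-signed third-party drivers can be reviewed against hash IOCs.
# Run from an elevated PowerShell session.

$WhcpSigner     = 'CN=Microsoft Windows Hardware Compatibility Publisher'   # assumed signer name
$KnownBadSha256 = @()   # placeholder: fill from Sophos/Mandiant/Microsoft advisories; no real IOCs here

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several NT-style forms; normalise to a file path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                    # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot          # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32', "$env:SystemRoot\System32"   # bare System32\... entries
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $p) { return (Resolve-Path -LiteralPath $p).Path }
    return $null
}

$results = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Name       = $drv.Name
        State      = $drv.State
        Path       = $path
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Sha256     = $hash
        KnownBad   = $KnownBadSha256 -contains $hash
    }
}

# 1. Drivers that fail signature validation outright. A revoked certificate only
#    shows up here if revocation data is reachable from this host.
$results | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, SigStatus, Path -AutoSize

# 2. Third-party drivers signed through the Hardware Developer Program. A 'Valid'
#    status proves Microsoft signed the file, not that it is benign; review these
#    against the expected vendor inventory and the hash list.
$results | Where-Object { $_.Signer -like "$WhcpSigner*" } |
    Sort-Object Name | Format-Table Name, State, Thumbprint, Sha256, KnownBad -AutoSize

# 3. Anything matching a published hash, regardless of signature status.
$results | Where-Object { $_.KnownBad } | Format-Table Name, Path, Sha256 -AutoSize

# 4. Confirm the Microsoft vulnerable-driver blocklist is enforced (registry
#    location assumed for Windows 11 22H2 and later; absent on older builds).
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
"VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"
```

The point of section 2 is the one the article makes: the malicious drivers carried a genuine Microsoft signature, so a signature check alone passes them. Hash matching and an enforced blocklist are what actually catch a driver that was signed legitimately and later found to be malicious, and `Get-AuthenticodeSignature` will keep reporting `Valid` for a revoked signer if the host cannot fetch revocation information.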

“Mandiant has previously observed scenarios in which it was suspected that groups were using a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors is a common tactic, and providing these certificates or signing services has proven to be a lucrative niche in the underground economy.”

Earlier this month, Google disclosed that several compromised “platform certificates,” managed by Android device manufacturers including Samsung and LG, had been used to sign malicious Android apps distributed through third-party channels. At least some of the compromised certificates appear to have been used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity involving the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency exchanges and platforms.

“In 2022, we have seen ransomware attackers increasingly attempt to bypass the endpoint detection and response products of many, if not most, major vendors,” Sophos’s Budd said. “The security community needs to be aware of this threat so it can take additional security measures. Furthermore, we may see other attackers trying to mimic this type of attack.”

With so many compromised certificates already in circulation, it seems many attackers have taken note and are switching to this strategy.
