Microsoft-Approved Drivers Used to Hack Targets in Ransomware Attacks

Security researchers at Sophos say they have evidence that Cuba, a hacker group, abused vulnerabilities in Microsoft-approved hardware drivers in a recent ransomware attack.

With ransomware attacks growing rampant, many ask how this could happen to the most used OS in the world.

Windows require drivers to have an approved cryptographic signature before allowing them to load, as drivers need highly privileged access to the operating system and its data. Drivers allow operating systems and apps to access and communicate with hardware devices.

Vulnerable drivers have been a target of cybercriminals for a long time, with hackers exploiting their vulnerabilities found within an existing Windows driver from a legitimate software publisher.

Security researchers say that hackers are making a concentrated effort to move toward using more widely trusted digital certificates.

What Sophos Found Out About the Russian-Linked Cuba Group

The Russian-linked Cuba hacking group is trying to move up the trust chain, Sophos discovered while investigating suspicious activity on a customer network.

Sophos’ X-Ops Rapid Response (RR) team kicked the attackers off the systems during the attack, preventing further damage. While it isn’t possible to know which ransomware the group intended to use, the files left behind offer some intriguing clues, says Sophos.

Sophos noticed that the group’s oldest malicious drivers, dating back to July, had their certificates signed by Chinese companies.

The hacking group moved on to signing their malicious driver with a leaked, since-revoked Nvidia certificate found in the data dumped by the Lapsus$ ransomware gang when it hacked Nvidia in March 2022.

In September 2022, Uber also blamed the Lapsus$ hacking group for a security breach.

Sophos researchers Andreas Klopsch and Andrew Brandt say that the threat actors are,

Moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers.

The researchers added that,

Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers

Sophos conducted a post-attack analysis, concluding that the attackers used a pair of executable files that were used in tandem in a failed attempt to disable endpoint security tools on the targeted machines.

The two executable files were:

A cryptographically signed Windows driver (signed with a legitimate signing certificate) and an executable “loader” application designed to install the driver.

After further analysis, Sophos says it determined that the loader application provided strong evidence. It was a variant of malware that Mandiant named BurntCigar.

The malware is now inherently trusted by any Windows system because the attackers obtained “signage” from Microsoft’s official Windows Hardware Developer Program. Had the attack been successful, the hacking group would deploy ransomware onto the compromised systems.

Researchers from Sophos, Mandiant, and SentinelOne informed Microsoft in October 2022 of the existence of signed drivers with legitimate certificates that were used maliciously in post-exploitation activity. After an investigation, Microsoft discovered that,

Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.

The Microsoft Advisory went on to say,

A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October

A joint advisory from CISA and the FBI warns the group has been active since 2019 and that it’s targeting U.S. entities in critical infrastructure, including government facilities, financial services, critical manufacturing and information technology, and healthcare and public health.

Read More Software News:

Startups in Europe Will Raise $85 Billion in 2022 But That is Lower Than Last Year

Dark Net Marketplaces Make Millions from Stolen Personal Data

Mozilla Firefox Acquires Active Replica for Metaverse Initiatives