Security researchers say they have evidence that attackers belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoft in recent ransomware attack attempts.

Driver software, which lets the operating system and applications access and communicate with hardware devices, requires highly privileged access to the operating system and its data. For that reason, Windows requires drivers to carry an approved cryptographic signature before it will load them.

Drivers have long been abused by cybercriminals. Hackers often use a bring-your-own-vulnerable-driver approach, exploiting vulnerabilities in existing, legitimately signed Windows drivers from software publishers. Sophos researchers say they have observed hackers making a concerted effort to gradually move toward using more widely trusted digital certificates.

While investigating suspicious activity on a customer's network, Sophos found evidence that the Russia-linked Cuba ransomware gang is attempting to move up the trust chain. During its investigation, Sophos found that the gang's oldest malicious driver, dating back to July, was signed with a Chinese company's certificate. The gang then began signing malicious drivers with a since-revoked Nvidia certificate that was leaked in data dumped by the Lapsus$ gang when it hacked the chipmaker in March.

The attackers have now succeeded in obtaining signatures from Microsoft's official Windows Hardware Developer Program, which means the malware is inherently trusted by any Windows system.

Sophos researchers Andreas Klopsch and Andrew Brandt wrote in a blog post that the threat actor is climbing the trust pyramid by attempting to digitally sign drivers with ever more trusted cryptographic keys. "A signature from a large, trusted software publisher makes it more likely that the driver will load into Windows without a hitch, and in turn more likely that the Cuba ransomware attackers will be able to terminate the security processes protecting the targeted computer."

Sophos discovered that the Cuba gang used a variant of the BurntCigar loader to plant the malicious signed drivers on targeted systems. BurntCigar is known malware associated with the ransomware group and was first documented by Mandiant. The two are used together to disable endpoint detection security tools on the victim's machine.

If that succeeds, the attackers, in this case the Cuba gang, can then deploy the ransomware on the compromised system.

Sophos, together with researchers from Mandiant and SentinelOne, notified Microsoft in October that drivers signed with legitimate certificates were being used maliciously in post-exploitation activity. Microsoft's own investigation revealed that multiple Microsoft Partner Center developer accounts had been submitting malicious drivers to Microsoft for signing.

"Ongoing Microsoft Threat Intelligence Center analysis indicates that the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware," Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday. Microsoft said it has released Windows security updates that revoke the certificates for the affected files and has suspended the partners' accounts.
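The signing model described above, and Microsoft's response of revoking the certificates, both show up as things a defender can check on a host. The script below is an added example written for this article, not code from Sophos, Mandiant, SentinelOne or Microsoft: it inventories the running kernel drivers, validates each one's Authenticode signature, records the signer and the file's SHA-256, and flags drivers whose signature no longer validates, whose signer is not on a locally maintained allow-list, or whose hash appears on a block-list. The `$ExpectedSignerPatterns` allow-list and the `$BlockedSha256` block-list are assumptions to be tuned per environment; the hash value in the block-list is a placeholder, not a real indicator from the page.

```powershell
# Added example (not from the article): audit running kernel drivers on a Windows host.
# Flags drivers whose Authenticode signature does not validate, whose signer is not
# on a local allow-list, or whose SHA-256 matches a block-list of known-bad drivers.
# Run from an elevated prompt so every driver path is readable.

# PLACEHOLDER: replace with hashes from your own threat-intel feed or a vendor advisory.
$BlockedSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'   # PLACEHOLDER_HASH
)

# Assumed allow-list of signer subjects that are normal on this fleet; tune to your environment.
$ExpectedSignerPatterns = @(
    'CN=Microsoft Windows*',
    'CN=Microsoft Windows Hardware Compatibility Publisher*',
    'CN=Microsoft Corporation*'
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to an absolute path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                                  # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                        # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # relative to %SystemRoot%
    return $p
}

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $d.Name; Path = $d.PathName; Status = 'FileNotFound'
                               Signer = $null; Sha256 = $null; Flags = 'file missing on disk' }
            continue
        }

        # Get-AuthenticodeSignature also resolves catalog-signed files, which most inbox drivers are.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "signature status $($sig.Status)" }
        if ($signer -and -not ($ExpectedSignerPatterns | Where-Object { $signer -like $_ })) {
            $flags += 'unexpected signer'
        }
        if ($BlockedSha256 -contains $hash) { $flags += 'hash on block-list' }

        [pscustomobject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status
            Signer = $signer
            Sha256 = $hash
            Flags  = ($flags -join '; ')
        }
    }
}

# Usage: show only the drivers that need a second look.
Get-DriverSignatureReport | Where-Object { $_.Flags } | Format-Table Name, Status, Signer, Flags -AutoSize
```

One caveat matters for exactly the case the article describes: a driver signed through the Windows Hardware Developer Program carries a Microsoft publisher certificate, so a signer allow-list alone will not flag it. What does catch it is the signature status changing once the issuing certificate has been revoked by the Windows update Microsoft shipped, and a hash block-list fed from vendor or government advisories. Keeping the full report (including the SHA-256 of every valid driver) as a periodic baseline also lets a responder spot a newly appeared, freshly signed driver that no legitimate hardware change explains.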

Earlier this month, a U.S. government advisory revealed that the Cuba ransomware gang had extorted an additional $60 million from attacks on 100 organizations around the world. The advisory warned that the ransomware group, active since 2019, continues to target U.S. organizations in critical infrastructure sectors, including financial services, government facilities, healthcare and public health, critical manufacturing, and information technology.

