Recently, a joint advisory from the United States Cybersecurity & Infrastructure Security Agency and FBI warned of the increasing threat of ransomware attacks from a group called “Cuba.” Despite its name, researchers believe the group is actually based in Russia and has been targeting an increasing number of businesses and institutions in the US and abroad. In fact, new research reveals that Cuba has been using malicious components in its attacks that carried a legitimate Microsoft signature.
After compromising a target’s systems, Cuba used cryptographically signed “drivers” to disable security scanning tools and change settings. This was an attempt to go unnoticed, but the activity was detected by monitoring tools from the security firm Sophos. Earlier this year, researchers from Palo Alto Networks Unit 42 observed Cuba using a “kernel driver” signed with an NVIDIA certificate that was leaked by the Lapsus$ hacking group. Sophos also reported seeing the group use the same strategy with certificates from at least one other tech company, a Chinese firm identified by security firm Mandiant as Zhuhai Liancheng Technology Co.
In a recent security advisory, Microsoft reported that malicious actors had been abusing drivers certified by the company’s Windows Hardware Developer Program. According to the advisory, several developer accounts for the Microsoft Partner Center had been involved in submitting these malicious drivers to obtain a Microsoft signature. The signed malicious drivers were likely used for post-exploitation intrusion activity, including the deployment of ransomware.
The activity was first brought to Microsoft’s attention on October 19th by security firms Sophos, Mandiant, and SentinelOne. In response, Microsoft has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and issued security updates for Windows related to the situation. Microsoft has not identified any compromise of its systems beyond the partner account abuse.
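Because a valid signature on a kernel driver no longer proves the driver is benign, defenders need to look at who signed what is actually running. The script below is an added example, not code from the article or from any of the vendors it names: it runs in an elevated Windows PowerShell session, lists the running kernel drivers, records each driver’s Authenticode status and signer, and flags drivers that are unsigned or tampered, whose signer certificate thumbprint is on a blocklist you maintain (the thumbprint shown is a constructed placeholder; the article publishes none), or whose signer name matches a watchlist built from the signers named in the reporting above.

```powershell
# Added example (not from the article): audit running kernel drivers' Authenticode signers.
# Assumes Windows PowerShell 5.1 or later in an elevated session on the host being inspected.

# Constructed watchlist: signer names that appear in the reporting above.
$WatchSubjects = @('NVIDIA Corporation', 'Zhuhai Liancheng Technology Co')
# Placeholder: fill with thumbprints of certificates you have recorded as revoked or abused.
$BlockThumbprints = @('PLACEHOLDER-THUMBPRINT-FROM-YOUR-BLOCKLIST')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several kernel-style forms; normalise to a file path.
    $p = $PathName -replace '^\\\?\?\\', ''                 # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^\\?system32\\') {                        # system32\... (relative to SystemRoot)
        $p = Join-Path $env:SystemRoot ($p.TrimStart('\'))
    }
    return $p
}

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "status=$($sig.Status)" }   # unsigned, hash mismatch, untrusted
        if ($cert -and ($BlockThumbprints -contains $cert.Thumbprint)) { $flags += 'thumbprint-on-blocklist' }
        if ($cert -and ($WatchSubjects | Where-Object { $cert.Subject -like "*$_*" })) { $flags += 'watched-signer' }
        [pscustomobject]@{
            Driver     = $d.Name
            Path       = $path
            Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Status     = $sig.Status
            Flags      = ($flags -join ',')
        }
    }
}

# Show only drivers that tripped a flag; drop the filter to review every running driver.
Get-DriverSignatureReport | Where-Object { $_.Flags } | Format-Table -AutoSize
```

A driver signed through the Windows Hardware Developer Program shows Microsoft as its signer and a Valid status, so a clean result here is a starting point for review, not proof of safety; the thumbprint blocklist is what catches a certificate that has since been revoked.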
“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent,” says Christopher Budd, director of threat research at Sophos. “We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question.”
Cryptographically signing software is meant to assure users that it has been thoroughly vetted and approved by a trusted third party, or “certificate authority.” Unfortunately, attackers are always on the lookout for weaknesses in this infrastructure, hoping to compromise certificates or to undermine and exploit the signing process in order to legitimize their malware.
Mandiant, a cybersecurity firm, published a report today stating that criminal groups have frequently used fraudulent or stolen code signing certificates to legitimize their malware. The underground economy has also found providing these certificates or signing services to be a profitable niche.
Recently, Google discovered that several Android device makers, including Samsung and LG, had been using compromised “platform certificates” to sign malicious Android applications that were distributed through third-party channels. Some of the compromised certificates were found to have signed components of the Manuscrypt remote access tool. The FBI and CISA have attributed activity related to the Manuscrypt malware family to North Korean state-sponsored hackers who target cryptocurrency exchanges and platforms.
“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos’ Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”
Given the number of compromised certificates in circulation, it appears that many cybercriminals have caught on to the advantages of using this approach.
If you have concerns about your cybersecurity, contact us today at info@PIPM.ca or +1-416-342-7473.