The FBI and the US Cybersecurity & Infrastructure Security Agency jointly issued an advisory less than two weeks ago warning of the danger of ransomware attacks from a group going by the name of “Cuba.” The gang has been on the rampage over the past year, attacking an increasing number of businesses and other institutions in the US and internationally, according to academics who believe the group is actually located in Russia. According to recent research, Cuba has been employing malware that has received Microsoft certification or permission in its attacks.
Cuba attempted to disable security scanning programmes and alter settings using these cryptographically signed “drivers” after infiltrating a target’s systems. The intention of the activity was to go unnoticed, however, monitoring software from the security company Sophos alerted to it. Earlier this year, the Lapsus$ hacker group stole an NVIDIA certificate that was used by Cuba to sign a privileged piece of software known as a “kernel driver,” according to researchers from Palo Alto Networks Unit 42. Additionally, according to Sophos, the gang has been observed using the tactic with certificates from at least one other Chinese tech company, Zhuhai Liancheng Technology Co., according to Mandiant, a security firm.
Microsoft stated in a security advisory today that it recently learned that drivers approved by the Windows Hardware Developer Program were being utilised maliciously in post-exploitation behavior. The signed malicious drivers were probably used to assist post-exploitation intrusion activity like the propagation of ransomware. “Several developers’ accounts for the Microsoft Partner Centre were active in submitting malicious drivers to get a Microsoft signature.”
The activity was reported to Microsoft by Sophos, Mandiant, and security company SentinelOne on October 19. According to Microsoft, the fraudulent Partner Centre accounts have been terminated, the fake certificates have been revoked, and security patches for Windows have been made in response to the issue. The business also states that other than the partner account abuse, it hasn’t discovered any system compromises.
WIRED asked Microsoft to speak further than the advisory, but they denied taking it any further!
These attackers are knowledgeable, persistent, and most likely members of the Cuba ransomware organisation “explains Christopher Budd, Sophos’ Director of Threat Research. “In total, we have discovered 10 malicious drivers, all of which are variations of the original find. Since at least this past July, these drivers have made a determined attempt to advance through the trust chain. It’s challenging to build a malicious driver from scratch and have it approved by an official body. But because the driver can essentially perform any tasks without hesitation, it’s highly successful.”
A crucial verification method known as “cryptographic software signing” is used to make sure that software has been examined and approved by a reliable third party, or “certificate authority.” Attackers, however, are constantly hunting for flaws in this infrastructure where they may tamper with certificates or otherwise subvert and misuse the signing process to make their malware appear legitimate.
Mandiant stated in a study released today that it has “before witnessed circumstances where it is suspected that groups employ a common criminal service for code signing.” Threat actors sometimes employ stolen or fraudulently obtained code signing certificates and offering these certificates or signing services has turned out to be a lucrative niche in the criminal underworld.
Google revealed earlier this month that malicious Android apps were signed using a variety of hacked “platform certificates” controlled by manufacturers of Android devices, including Samsung and LG. It appears that at least a few of the compromised certificates were applied to the Manuscrypt remote access tool’s component signing process.
In the past, the FBI and CISA have linked Manuscrypt malware family activity to attacks on cryptocurrency platforms and exchanges by North Korean state-sponsored hackers.
According to Sophos’ Budd, “In 2022, we’ve observed ransomware criminals trying to defeat endpoint detection and response products of many, if not most, big vendors. In order to put additional security measures in place, the security community needs to be aware of this threat. Additionally, we might witness additional attackers try to copy this style of assault”.
Given the large number of compromised certificates floating around, it appears that many attackers have already been informed of the change in technique.