An unknown ransomware group abuses Microsoft certificates to sign malware
Less than two weeks ago, the US Cybersecurity and Infrastructure Security Agency and the FBI issued a joint advisory on ransomware attacks by a gang called Cuba. The group, which investigators believe actually operates from Russia, has been on a rampage over the past year, increasingly targeting companies and other institutions in the United States and abroad.
New research published today shows that Cuba used Microsoft-certified malware in its attacks. After compromising target systems, Cuba loads cryptographically signed "drivers" as part of an effort to disable security scanning tools and modify settings.
Microsoft was recently notified that drivers certified by the Microsoft Windows Hardware Program are being used maliciously in exploit activity. In a security advisory, Microsoft stated that "a few Microsoft Partner Center developer accounts were also involved in submitting malicious drivers to be signed by Microsoft. Such signed malicious drivers would be used to facilitate cyber attack distribution, such as ransomware deployment."
A total of 10 malicious drivers were discovered, all of them variants of the original discovery. The drivers show a concerted effort, dating back to at least last July, to move up the chain of trust.
Creating a malicious driver from scratch and getting it signed by a legitimate signing authority is difficult. It is, however, incredibly powerful, because such a driver can run essentially any operation without being challenged.
Cryptographic software signing is an important validation mechanism: it attests that software has been verified and validated by a trusted party, or "certificate authority". Attackers, however, constantly look for weaknesses in this infrastructure, where they can corrupt or otherwise weaken certificates and abuse the signing process to legitimise their malware.
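The practical consequence for defenders is that a valid signature answers only "who signed this?", not "is this safe?". The following script is an added example, not part of the article or of any Microsoft or Sophos tooling: it inventories the kernel drivers currently loaded on a Windows host, records each one's Authenticode status and signer, and flags any driver that is unsigned, tampered with, or whose SHA-256 hash appears on a caller-supplied blocklist. The cmdlets used (Get-CimInstance, Get-AuthenticodeSignature, Get-FileHash) are standard Windows PowerShell; the blocklist entry is a constructed placeholder that you would replace with hashes from a vendor indicator list.

```powershell
# Added example (not from the article): inventory loaded kernel drivers, check their
# Authenticode signatures and hashes, and flag anything unsigned, tampered or blocklisted.
# $KnownBadHashes is a placeholder; the single value below is constructed, not a real indicator.
$KnownBadHashes = @(
    'PLACEHOLDER_SHA256_FROM_VENDOR_IOC_LIST'
)

function Get-DriverSignatureReport {
    param(
        [string[]]$BlockedHashes = $KnownBadHashes
    )

    # Win32_SystemDriver lists kernel-mode drivers registered as services;
    # State = 'Running' restricts the inventory to drivers that are actually loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName may carry a \??\ prefix or surrounding quotes; normalise it to a plain path.
        $path = ($drv.PathName -replace '^\\\?\?\\', '') -replace '"', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # Order matters: a blocklisted hash is flagged even when the signature is Valid,
        # because the drivers described in the article carried a genuine Microsoft signature.
        $reason = $null
        if ($BlockedHashes -contains $hash) {
            $reason = 'hash on blocklist'
        } elseif ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch (file altered after signing), NotTrusted, etc.
            $reason = "signature status $($sig.Status)"
        }

        [pscustomobject]@{
            Name    = $drv.Name
            Path    = $path
            Status  = $sig.Status
            Signer  = $sig.SignerCertificate.Subject   # $null when the file is unsigned
            Sha256  = $hash
            Flagged = [bool]$reason
            Reason  = $reason
        }
    }
}

# Run from an elevated prompt; review every flagged row, and review the Signer column
# of unflagged rows too, since a Valid status alone does not establish that a driver is benign.
Get-DriverSignatureReport | Where-Object Flagged | Format-Table Name, Status, Signer, Reason -AutoSize
```

Get-AuthenticodeSignature checks the chain of trust and the file hash but does not by itself tell you whether the signer's certificate has since been revoked by Microsoft, so the hash blocklist is the component that catches drivers signed before a revocation; keep it current from your vendor's indicator feed.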
Google published findings earlier this month that signing certificates belonging to several Android device manufacturers (Samsung and LG) were used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool.
The FBI and CISA previously attributed activity related to the Manuscrypt malware family to North Korean state-sponsored hackers targeting cryptocurrency platforms and exchanges.
"In 2022, ransomware attackers will increasingly seek to bypass many, if not most, of the leading vendors' endpoint detection and response products," says Sophos' Budd. The security community should be aware of this threat so that extra security measures can be implemented. Additionally, we may see other attackers try to imitate this type of attack.
With so many compromised certificates in circulation, it seems that many attackers have already taken the hint and switched to this strategy.