
Sophos Researchers Uncover Evidence of Cuba Ransomware Gang’s Efforts to Use More Widely Trusted Digital Certificates
Security researchers at Sophos have discovered evidence that threat actors affiliated with the Cuba ransomware gang used malicious hardware drivers certified by Microsoft during a recent attempted ransomware attack. This discovery highlights the evolving tactics of cybercriminals, who are increasingly moving up the trust chain by using more widely trusted digital certificates to sign their malware.
How Malicious Drivers Can Be Used for Ransomware Attacks
Malicious drivers have long been abused by cybercriminals, most often through a "bring your own vulnerable driver" (BYOVD) approach. In this method, the attacker ships a legitimately signed but vulnerable driver from a real software publisher, lets Windows load it on the strength of its valid signature, and then exploits the vulnerability to get kernel-level access. Sophos researchers say they have now observed the Cuba gang making a concerted effort to go one step further: instead of relying on someone else's flawed driver, they are getting their own malicious drivers signed with progressively more widely trusted certificates.
The Role of Digital Certificates in Ransomware Attacks
Digital certificates play a crucial role in establishing the trustworthiness of software and drivers on a Windows system. 64-bit Windows refuses to load a kernel-mode driver that does not carry a valid code-signing signature, and since Windows 10 version 1607 new kernel drivers must in practice be signed by Microsoft through its hardware developer portal rather than directly by a third-party publisher. The more trusted the signer, the fewer obstacles the driver meets on its way into the kernel, which is exactly why a Microsoft-issued signature is so valuable to an attacker.
Cuba Ransomware Gang’s Efforts to Move Up the Trust Chain
During their investigation, Sophos found evidence that the Cuba ransomware gang is steadily moving up the trust chain. In July the gang was signing its malicious drivers with certificates from Chinese companies. It then moved to a leaked, since-revoked Nvidia certificate taken from the data the Lapsus$ extortion group dumped after it breached the chipmaker in March.
Obtaining Microsoft’s Official Windows Hardware Developer Program Signature
The most significant development is that the attackers have now managed to obtain signatures from Microsoft's official Windows Hardware Developer Program. A driver signed this way is trusted by default on any Windows system, so it is far more likely to load without hindrance.
Sophos Researchers’ Findings and Recommendations
In a blog post, Sophos researchers Andreas Klopsch and Andrew Brandt wrote: "Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers. Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers."
The Use of BurntCigar Loader and Signed Malicious Drivers
Sophos found that the Cuba gang planted the signed malicious driver on a targeted system using a variant of the so-called BurntCigar loader, a known piece of malware associated with the ransomware group. The two are used in tandem: the loader drops and installs the driver, and the driver is then used from kernel mode to terminate the endpoint detection and anti-malware processes on the targeted machines.
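The pattern described above (a driver with a valid Microsoft signature loaded from an unusual location, followed shortly by the death of security processes) is something a SOC can hunt for. The following is an added detection example written for this page, not code from Sophos or Microsoft. It runs over constructed Sysmon-style events (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate) flattened to JSON lines; the field names follow Sysmon's schema, but every path, hash and timestamp is made up, and the list of security process names and the "known bad" hash set are placeholders you would replace with your own estate's process names and vendor-published IOCs.

```python
"""Hunt for a Microsoft-signed driver being used to kill security tooling.

Added example, not vendor code. Three rules:
  1. a driver signed via Microsoft's hardware program loaded from outside
     the normal driver directories,
  2. a driver whose SHA256 is on a known-bad list,
  3. a security process terminated within KILL_WINDOW after any driver load.
"""
import json
from datetime import datetime, timedelta

# Directories Windows normally loads drivers from (lower-cased for comparison).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Signer name Windows shows for drivers signed through the hardware program.
WHCP_SIGNER = "microsoft windows hardware compatibility publisher"
# Assumed list of security processes; extend with your own EDR/AV binaries.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}
# Placeholder IOC set (constructed); replace with published driver hashes.
KNOWN_BAD_SHA256 = {"b" * 64}
KILL_WINDOW = timedelta(seconds=120)

# Constructed Sysmon-style events as JSON lines (not real telemetry).
SAMPLE_LOG = r"""
{"EventID": 6, "UtcTime": "2022-12-01 10:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\legit.sys", "Hashes": "SHA256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2022-12-01 10:05:00.000", "ImageLoaded": "C:\\Users\\Public\\example_driver.sys", "Hashes": "SHA256=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"}
{"EventID": 5, "UtcTime": "2022-12-01 10:05:12.000", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "ProcessId": "4120"}
{"EventID": 5, "UtcTime": "2022-12-01 10:05:15.000", "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": "5520"}
"""


def parse_events(lines):
    """Parse JSON lines into dicts with a parsed '_time', sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    events.sort(key=lambda e: e["_time"])
    return events


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return a list of (rule, driver_path[, details]) alerts for the log."""
    alerts = []
    events = parse_events(lines)
    terminations = [e for e in events if e["EventID"] == 5]
    for drv in (e for e in events if e["EventID"] == 6):
        path = drv["ImageLoaded"]
        signer = drv.get("Signature", "").lower()
        # Rule 1: a valid Microsoft program signature is no longer exculpatory
        # on its own; where the driver was loaded from still matters.
        if (drv.get("Signed") == "true" and WHCP_SIGNER in signer
                and not path.lower().startswith(TRUSTED_DRIVER_DIRS)):
            alerts.append(("signed_driver_untrusted_path", path))
        # Rule 2: hash match against published IOCs.
        if sha256_of(drv.get("Hashes", "")) in KNOWN_BAD_SHA256:
            alerts.append(("known_bad_driver_hash", path))
        # Rule 3: security tooling dies shortly after the driver load.
        killed = [t["Image"] for t in terminations
                  if timedelta(0) <= t["_time"] - drv["_time"] <= KILL_WINDOW
                  and basename(t["Image"]) in SECURITY_PROCESSES]
        if killed:
            alerts.append(("security_process_killed_after_driver_load", path, killed))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Rule 3 is the one that generalises beyond this campaign: whichever certificate the next driver carries, an EDR or anti-malware process exiting within seconds of a new driver load is the behaviour that matters, so it is worth alerting on even when the signature chain looks clean.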
Microsoft’s Investigation and Response
Sophos, along with researchers from Mandiant and SentinelOne, informed Microsoft in October that drivers carrying legitimate Microsoft signatures were being used maliciously in post-exploitation activity. Microsoft's own investigation found that several developer accounts for the Microsoft Partner Center had submitted malicious drivers in order to obtain a Microsoft signature.
Microsoft’s Patch Tuesday Release
As part of its monthly scheduled release of security patches, known as Patch Tuesday, Microsoft on 13 December 2022 released Windows security updates that revoke the certificate for the affected files, published advisory ADV220005 describing the abuse, and suspended the partners' accounts in the Windows Hardware Developer Program.
The Importance of Staying Up-to-Date with Security Patches
This incident highlights the importance of staying up-to-date with security patches: the revocation only protects a machine once the December update is installed, and a driver that was already signed remains trusted on an unpatched host. Organizations must also ensure that their systems are configured so that a valid signature alone is not treated as proof that a driver is safe.
Related Developments and Recommendations
- Regularly update Windows systems: Ensure that all Windows systems have the December 2022 updates installed so that the revoked certificate is no longer honored, and keep them current thereafter.
- Keep endpoint protection current and tamper-resistant: Run reputable anti-malware and EDR software with up-to-date signatures, and enable its tamper-protection features, since terminating those processes is the whole purpose of the driver described here.
- Restrict which drivers can load: Enable Microsoft's vulnerable driver blocklist (through Windows Defender Application Control or memory integrity/HVCI) and monitor driver loads from outside the normal driver directories, so that a signed driver dropped into a user-writable folder stands out.
- Maintain a layered security posture: Combine these controls with network segmentation, least privilege for service and administrator accounts, and tested offline backups to limit what a ransomware operator can do once inside.
Conclusion
The Cuba ransomware gang’s efforts to move up the trust chain demonstrate the evolving tactics of cybercriminals. Organizations must stay vigilant and adapt their security strategies to counter these emerging threats. By staying informed and taking proactive measures, organizations can reduce the risk of falling victim to a ransomware attack.