Ransomware gang caught using Microsoft-approved drivers to hack targets

Security researchers say they have evidence that threat actors affiliated with the Cuba ransomware gang used malicious hardware drivers certified by Microsoft during a recent attempted ransomware attack.

Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before it will allow the driver to load.

These drivers have long been abused by cybercriminals, often taking a “bring your own vulnerable driver” approach, in which hackers exploit vulnerabilities found within an existing Windows driver from a legitimate software publisher. Researchers at Sophos say they have observed hackers making a concerted effort to progressively move toward using more widely trusted digital certificates.

While investigating suspicious activity on a customer network, Sophos discovered evidence that the Russia-linked Cuba ransomware gang is making efforts to move up the trust chain. During its investigation, Sophos found that the gang’s oldest malicious drivers, dating back to July, were signed with certificates from Chinese companies; the gang then began signing its malicious driver with a leaked, since-revoked Nvidia certificate found in the data dumped by the Lapsus$ ransomware gang when it hacked the chipmaker in March.

The attackers have now managed to obtain a signature from Microsoft’s official Windows Hardware Developer Program, which means any Windows system will load the malicious driver as trusted code.

“Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers,” wrote Sophos researchers Andreas Klopsch and Andrew Brandt in a blog post. “Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers.”

Sophos found that the Cuba gang planted the malicious signed driver onto a targeted system using a variant of the so-called BurntCigar loader, a known piece of malware affiliated with the ransomware group that was first observed by Mandiant. The two are used in tandem in an attempt to disable endpoint detection security tools on the targeted machines.

If successful — which, in this case, they were not — the attackers could deploy the ransomware on the compromised systems.

Sophos, along with researchers from Mandiant and SentinelOne, informed Microsoft in October that drivers certified by legitimate certificates were used maliciously in post-exploitation activity. Microsoft’s own investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.

“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday. Microsoft said it has released Windows security updates revoking the certificate for affected files and has suspended the partners’ seller accounts.
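Because a valid Microsoft, Nvidia or other vendor signature says only who signed a driver and nothing about whether it is benign, a defender's first check after the revocations described above is an inventory of the kernel drivers actually present on a host, with each one's signature status and signer. The following PowerShell script is an added example and is not code from the article, Sophos or Microsoft. It assumes an elevated Windows PowerShell 5.1 (or later) session, relies only on the built-in `Get-CimInstance` and `Get-AuthenticodeSignature` cmdlets, and the `$SuspectSigners` watchlist holds placeholder values only; populate it with the certificate thumbprints or signer names published in the Sophos and Microsoft advisories the article refers to.

```powershell
# Added example (not from the article, Sophos or Microsoft): inventory kernel drivers on a
# Windows host, record each driver's Authenticode status and signer, and flag anything that is
# unsigned, tampered, or signed by a publisher on a watchlist. Run in an elevated session.

# Placeholder watchlist: certificate thumbprints or substrings of signer subjects to flag.
# These values are illustrative; replace them with indicators from the vendor advisories.
$SuspectSigners = @(
    'PLACEHOLDER-REVOKED-CERT-THUMBPRINT'
)

function Get-DriverSignatureReport {
    param(
        [string[]] $SuspectSigners = @()
    )

    # Win32_SystemDriver enumerates kernel-mode and file-system drivers registered as services,
    # whether or not they are currently running; State tells us which are loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }

    foreach ($drv in $drivers) {
        # PathName comes in several shapes ("\SystemRoot\...", "\??\C:\...", "system32\...");
        # normalise it to an absolute path before looking at the file.
        $path = $drv.PathName.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose image is gone is itself worth a look.
            [pscustomobject]@{
                Name = $drv.Name; State = $drv.State; Path = $path
                Status = 'FileMissing'; SignatureType = $null
                Signer = $null; Thumbprint = $null; Flag = $true
            }
            continue
        }

        # Get-AuthenticodeSignature handles both embedded and catalog signatures; inbox Windows
        # drivers are normally catalog-signed and report SignatureType 'Catalog'.
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = $sig.SignerCertificate.Subject
        $thumb   = $sig.SignerCertificate.Thumbprint

        # Flag anything not cleanly signed, plus anything whose signer matches the watchlist
        # by thumbprint or by a substring of the subject name.
        $onWatchlist = $false
        if ($thumb -and ($SuspectSigners -contains $thumb)) { $onWatchlist = $true }
        if ($subject) {
            foreach ($s in $SuspectSigners) {
                if ($subject -like "*$s*") { $onWatchlist = $true }
            }
        }
        $flag = ($sig.Status -ne 'Valid') -or $onWatchlist

        [pscustomobject]@{
            Name          = $drv.Name
            State         = $drv.State
            Path          = $path
            Status        = $sig.Status
            SignatureType = $sig.SignatureType
            Signer        = $subject
            Thumbprint    = $thumb
            Flag          = [bool]$flag
        }
    }
}

# Usage: show only the flagged drivers, running ones first.
Get-DriverSignatureReport -SuspectSigners $SuspectSigners |
    Where-Object Flag |
    Sort-Object State -Descending |
    Format-Table Name, State, Status, SignatureType, Signer, Thumbprint -AutoSize
```

A driver that reports `Valid` is not thereby cleared: that is exactly the gap the article describes, since the Cuba drivers carried a genuine Microsoft signature. Treat the signer name and thumbprint as the data to compare against the published indicators and against what you expect to see on that host, and note that a certificate revoked by a Windows update will only show up as such once the update is installed and the host's revocation data is current. Microsoft also maintains a vulnerable driver blocklist that can be enforced through Windows Defender Application Control and HVCI, which blocks known-abused drivers regardless of their signature; this script complements, rather than replaces, that control.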

Earlier this month, a U.S. government advisory revealed that the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally. The advisory warned that the ransomware group, which has been active since 2019, continues to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.