
Ransomware gang caught using Microsoft-approved drivers to hack targets

Security researchers say they have evidence that threat actors affiliated with the Cuba ransomware gang used malicious hardware drivers certified by Microsoft during a recent attempted ransomware attack.

Drivers — the software that allows operating systems and apps to access and communicate with hardware devices — require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before it will allow the driver to load.

These drivers have long been abused by cybercriminals, often taking a “bring your own vulnerable driver” approach, in which hackers exploit vulnerabilities found within an existing Windows driver from a legitimate software publisher. Researchers at Sophos say they have observed hackers making a concerted effort to progressively move towards using more widely trusted digital certificates.

While investigating suspicious activity on a customer network, Sophos discovered evidence that the Russia-linked Cuba ransomware gang is making efforts to move up the trust chain. During their investigation, Sophos found that the gang’s oldest malicious drivers, dating back to July, were signed by certificates from Chinese companies; the gang then began signing its malicious driver with a leaked, since-revoked Nvidia certificate found in the data dumped by the Lapsus$ ransomware gang when it hacked the chipmaker in March.

The attackers have now managed to obtain “signage” from Microsoft’s official Windows Hardware Developer Program, which means the malware is inherently trusted by any Windows system.

“Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers,” wrote Sophos researchers Andreas Klopsch and Andrew Brandt in a blog post. “Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers.”

Sophos found that the Cuba gang planted the malicious signed driver onto a targeted system using a variant of the so-called BurntCigar loader, a known piece of malware affiliated with the ransomware group that was first observed by Mandiant. The two are used in tandem in an attempt to disable endpoint detection security tools on the targeted machines.

If successful — which, in this case, they were not — the attackers could deploy the ransomware on the compromised systems.

Sophos, along with researchers from Mandiant and SentinelOne, informed Microsoft in October that drivers certified by legitimate certificates were used maliciously in post-exploitation activity. Microsoft’s own investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.

“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday. Microsoft said it has released Windows security updates revoking the certificate for affected files and has suspended the partners’ seller accounts.
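The article describes drivers that load cleanly because they carry a trusted signature, and a fix that works by revoking the certificate for the affected files. The script below is an added example, not code from the article, Sophos or Microsoft: it enumerates the kernel drivers currently running on a Windows host, checks each file's Authenticode signature, and flags any whose signature is not valid or whose signing certificate thumbprint appears in a revocation list. The `$revokedThumbprints` entry is a constructed placeholder; real values come from the vendor advisories, not from this page.

```powershell
# Added example (not from the TechCrunch article, Sophos or Microsoft): report the
# Authenticode signature state of every running kernel driver and flag suspicious ones.

# Constructed placeholder list; replace with thumbprints published in the relevant advisory.
$revokedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_FROM_VENDOR_ADVISORY'
)

function Get-DriverSignatureReport {
    param([string[]]$RevokedThumbprints = @())

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a filesystem path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig   = Get-AuthenticodeSignature -LiteralPath $path
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                Thumbprint = $thumb
                # Flag anything that is not cleanly signed, or whose signer is on the revocation list.
                Flag       = ($sig.Status -ne 'Valid') -or ($thumb -and ($RevokedThumbprints -contains $thumb))
            }
        }
}

# Usage: list only the flagged drivers for review.
Get-DriverSignatureReport -RevokedThumbprints $revokedThumbprints |
    Where-Object Flag |
    Sort-Object Name |
    Format-Table Name, Status, Signer, Thumbprint -AutoSize
```

Because the drivers in this case were signed through Microsoft's own hardware developer program, the signer name alone does not separate them from legitimate drivers; the useful signals are a status other than `Valid` after the revocation update has been applied, and a match against the thumbprints or file hashes the advisories publish. Run the script with administrative rights so that every driver file under `System32\drivers` can be read.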

Earlier this month, a U.S. government advisory revealed that the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally. The advisory warned that the ransomware group, which has been active since 2019, continues to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.

Ransomware gang caught using Microsoft-approved drivers to hack targets by Carly Page originally published on TechCrunch



source https://techcrunch.com/2022/12/13/cuba-ransomware-microsoft-drivers/
