Cuba Ransomware Gang abused Microsoft certificates to sign malware
Less than two weeks ago, the United States Cybersecurity and Infrastructure Security Agency and the FBI published a joint advisory on the threat of ransomware attacks by a gang calling itself “Cuba”. The group, which researchers say is actually based in Russia, went on a rampage over the past year targeting a growing number of companies and other institutions in the United States and abroad. New research published today indicates that Cuba used malware in its attacks that had been certified, or approved, by Microsoft.
Cuba used these cryptographically signed “drivers” after compromising a target’s systems, as part of efforts to disable security scanning tools and alter settings. The activity was meant to go unnoticed, but it was flagged by monitoring tools from the security firm Sophos. Palo Alto Networks’ Unit 42 researchers previously observed Cuba signing privileged software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it also saw the group use the tactic with compromised certificates from at least one other Chinese tech company, which the security firm Mandiant identified as Zhuhai Liancheng Technology Co.
“Microsoft has recently become aware that drivers certified by Microsoft’s Windows Hardware Developer Program are being maliciously used in post-exploitation activities,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature… The signed malicious drivers were likely used to facilitate post-exploitation intrusion activities such as the deployment of ransomware.”
Sophos notified Microsoft of the activity on October 19, along with Mandiant and the security company SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the malicious certificates, and released security updates for Windows related to the situation. The company adds that it has not identified any compromise of its systems beyond the partner account abuse.
Microsoft declined WIRED’s request to comment beyond the notice.
“These attackers, most likely affiliates of the Cuba ransomware group, know what they are doing and they are persistent,” said Christopher Budd, director of threat research at Sophos. “We found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the chain of trust, starting at least last July. It is difficult to create a malicious driver from scratch and have it signed by a legitimate authority. However, it’s incredibly effective, as the driver can basically perform any process without asking questions.”
Cryptographic signing of software is an important validation mechanism, intended to ensure that a piece of software has been verified and approved by a trusted party, or “certificate authority”. Attackers therefore keep looking for weaknesses in this infrastructure, where they can steal certificates or otherwise undermine and abuse the signing process to lend their malware a veneer of legitimacy.
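The trust decision described above, shown as an added Go example that is not code from WIRED, Microsoft, Sophos or Mandiant; every certificate, serial number and the driver payload are constructed here, and the toy signature format stands in for Authenticode. It builds a hardware-program root, issues two code-signing certificates under it, revokes one with a CRL the root signs, and adds a third signer under a root the loader does not trust. A loader that only checks the signature math accepts all three drivers; one that also walks the chain and consults an authentic CRL rejects the revoked and the self-issued ones, which is what makes an issuer's revocation of abused certificates effective.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a code-signing leaf under parent or, when parent is nil, a
// self-signed root allowed to sign certificates and CRLs (all constructed).
func issue(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// signDriver is the vendor-side step: an ECDSA signature over SHA-256(payload).
// Real Authenticode wraps signature and certificate in PKCS#7; the trust decision is the same.
func signDriver(payload []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(payload)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// revoke has ca publish a CRL listing serial, as an issuer does after learning of abuse.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// Verify is the loader's decision: a correct signature (1) is necessary but not sufficient; the leaf
// must chain to a trusted root with the code-signing EKU (2) and not be on an authentic CRL from its issuer (3).
func Verify(payload []byte, leaf *x509.Certificate, sig []byte, roots *x509.CertPool, crl *x509.RevocationList) error {
	h := sha256.Sum256(payload)
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return fmt.Errorf("untrusted chain: %w", err)
	}
	// chains[0][1] is the certificate that issued the leaf; only a CRL it signed counts.
	if crl != nil && crl.CheckSignatureFrom(chains[0][1]) == nil {
		for _, e := range crl.RevokedCertificates {
			if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return errors.New("certificate revoked by issuer")
			}
		}
	}
	return nil
}

// Scenarios runs three constructed cases and reports whether each driver would load.
func Scenarios() map[string]bool {
	trustedCA, trustedKey := issue("Hardware Program Root (constructed)", 1, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	goodLeaf, goodKey := issue("Legitimate vendor", 100, trustedCA, trustedKey)
	abusedLeaf, abusedKey := issue("Abused partner account", 101, trustedCA, trustedKey)
	rogueCA, rogueKey := issue("Rogue Root (constructed)", 1, nil, nil)
	rogueLeaf, rogueLeafKey := issue("Self-issued signer", 102, rogueCA, rogueKey)
	crl := revoke(trustedCA, trustedKey, 101) // the abused certificate is revoked after discovery
	payload := []byte("constructed driver image bytes")
	return map[string]bool{
		"legitimate":      Verify(payload, goodLeaf, signDriver(payload, goodKey), roots, crl) == nil,
		"revoked":         Verify(payload, abusedLeaf, signDriver(payload, abusedKey), roots, crl) == nil,
		"untrusted-chain": Verify(payload, rogueLeaf, signDriver(payload, rogueLeafKey), roots, crl) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-16s load allowed: %v\n", name, ok)
	}
}
```

The point of the three cases is the "revoked" one: its signature is mathematically perfect and its certificate was genuinely issued by the trusted root, so only step 3 stops it. A loader that caches chain results or never fetches the issuer's CRL keeps accepting such a driver long after the issuer has revoked the certificate, which is why Microsoft's revocation is paired with Windows updates rather than left to propagate on its own.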
“Mandiant has previously observed scenarios where groups are suspected of operating a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code-signing certificates by threat actors has been a common tactic, and the provision of such signing certificates or services has proven to be a lucrative niche in the underground economy.”
Earlier this month, Google released findings that a number of compromised “platform certificates” managed by Android device manufacturers, including Samsung and LG, had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.
“In 2022, we’ve seen ransomware attackers increasingly attempt to circumvent endpoint detection and response products from many, if not most, major vendors,” Sophos’ Budd said. “The security community needs to be aware of this threat so they can implement additional security measures. Additionally, we might see other attackers attempt to mimic this type of attack.”
With so many compromised certificates floating around, it seems many attackers have already gotten the memo about switching to this strategy.