Microsoft suspended several accounts on its hardware developer program that were used to get malicious drivers signed. The drivers were used by a ransomware group known as Cuba to disable endpoint security tools. The driver certificates have been revoked and the drivers will be added to a blocklist that Windows users can optionally deploy.
“In most ransomware incidents, attackers kill the target’s security software in a crucial precursor step before deploying the ransomware itself,” researchers from security firm Sophos said in a new report about the incident. “In recent attacks, some threat actors have turned to the use of Windows drivers to disable security products.”
The power of kernel drivers and Microsoft’s attempt to secure them
The kernel is the most sensitive part of an operating system: code that runs there executes with the highest privileges and has full control over the computer and its hardware. To communicate with and control the hardware components, the kernel uses specialized pieces of code called device drivers, developed either by Microsoft or by hardware companies. Any code that gets loaded as a driver therefore runs with the same authority as the kernel itself, which is exactly what makes a driver the ideal tool for killing security products that rely on kernel callbacks and protected processes.
Back in the days of Windows XP, rootkits (malware that hides itself at the kernel level) were a common threat and often relied on malicious unsigned drivers. Starting with Windows Vista and Windows 7, Microsoft began to close this loophole by enforcing kernel-mode driver signature validation out of the box on 64-bit editions.
Currently supported versions of Windows (Windows 10 and later) will not load a kernel-mode driver that has not been digitally signed by Microsoft through the Windows Hardware Developer Program (attestation signing); a vendor’s own code-signing certificate is no longer sufficient on its own. For a driver to be eligible for distribution through Windows Update, it additionally needs to pass Microsoft’s hardware certification. This enforcement assumes a 64-bit system with Secure Boot enabled and test signing turned off; an administrator (or an attacker with administrator rights) can weaken it with bcdedit /set testsigning on, which is itself worth auditing for.
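The signing requirement above is something a defender can check rather than assume. The following PowerShell script is an added example, not code from the article, Sophos or Microsoft: it enumerates the kernel drivers registered on a host, validates each file’s Authenticode signature, and builds the certificate chain itself so that it can report which root the signature actually terminates at and whether the signing certificate has since been revoked. It assumes an elevated prompt on Windows 10 or 11, network access for the online revocation check, and treats “Microsoft” in the root subject as a heuristic for a Microsoft-issued chain (a simplification of the full code-integrity logic).

```powershell
# Added example (not code from the article, Sophos or Microsoft): audit the
# kernel-mode drivers registered on this host and flag any whose Authenticode
# signature is missing or invalid, or whose certificate chain does not end at a
# Microsoft root. Run from an elevated PowerShell prompt on Windows 10/11.
function Get-DriverSignatureReport {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }   # a few services carry no image path

        # Normalise the forms the service database uses for the .sys path.
        $path = $d.PathName -replace '"', '' -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path

        # Build the chain ourselves: the leaf being "issued to" a hardware vendor
        # says nothing about who signed it. Drivers signed through the Hardware
        # Developer Program chain to a Microsoft root. The online revocation
        # check also surfaces certificates Microsoft has since revoked; the
        # kernel's own code-integrity check does not go online for that and
        # relies on the CI blocklist instead, so this is a hunting aid only.
        $root = $null; $chainStatus = @()
        if ($sig.SignerCertificate) {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = 'Online'
            [void]$chain.Build($sig.SignerCertificate)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            $chainStatus = $chain.ChainStatus | ForEach-Object { $_.Status }
            $chain.Dispose()
        }

        [pscustomobject]@{
            Name          = $d.Name
            State         = $d.State
            Path          = $path
            SigStatus     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer        = $sig.SignerCertificate.Subject
            Root          = $root
            MicrosoftRoot = [bool]($root -like '*Microsoft*')   # heuristic, see lead-in
            ChainStatus   = ($chainStatus -join ',')    # e.g. Revoked, RevocationStatusUnknown
        }
    }
}

# Running drivers that fail validation, chain to a non-Microsoft root, or carry
# a revoked certificate are the ones to look at first.
Get-DriverSignatureReport |
    Where-Object { $_.State -eq 'Running' -and
                   ($_.SigStatus -ne 'Valid' -or -not $_.MicrosoftRoot -or $_.ChainStatus -match 'Revoked') } |
    Format-Table Name, SigStatus, Signer, Root, ChainStatus -AutoSize
```

A driver that was signed through the developer program, as in the Cuba case, will pass every check here except the revocation status, and only once Microsoft has revoked the certificate and the host can reach the CRL or OCSP endpoint. That is the point of the article: signature validity alone is no longer a useful trust signal, and the blocklist discussed below is what actually stops the file from loading.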
These security features have made the use of malicious drivers a rare occurrence, but some sophisticated groups found a workaround: exploiting vulnerabilities in legitimate, properly signed drivers. This created a new problem, because even when a driver vendor released a new version to patch a vulnerability, nothing stopped malware from dropping the older, still validly signed version of the driver onto users’ systems and loading it.
Microsoft responded by creating a vulnerable driver blocklist, but it is only enabled by default starting with the Windows 11 2022 Update released in September 2022. For Windows 10 20H2 and Windows 11 21H2 it is only available as an optional update. Furthermore, the list bundled with the OS is only updated once or twice a year, when major Windows versions are released. Another way to apply the blocklist is through Windows Defender Application Control (WDAC), which lets an organization deploy Microsoft’s latest published block rules without waiting for a feature update.
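Whether the blocklist is actually enforced on a given host is a question worth answering explicitly, since the default depends on the Windows version. The following PowerShell is an added example and not code from the article or from Microsoft: it reads the registry value behind the Windows Security “Microsoft Vulnerable Driver Blocklist” toggle (the value name is the one Microsoft documents on its driver block rules page), reports the kernel code-integrity enforcement state, and shows the WDAC route of converting Microsoft’s published block-rules XML into a binary policy. The XML file name is an assumption; the ConfigCI module that provides ConvertFrom-CIPolicy is assumed to be present, as it is on Windows 10/11 Pro and Enterprise.

```powershell
# Added example (not from the article or from Microsoft): report whether the
# vulnerable driver blocklist is enforced on this host, and optionally deploy the
# latest published block rules as a WDAC policy. Run elevated on Windows 10/11.
function Get-DriverBlocklistStatus {
    # The Windows Security "Microsoft Vulnerable Driver Blocklist" toggle is
    # backed by this registry value (documented on Microsoft's
    # "Microsoft recommended driver block rules" page).
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $flag = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue

    # Win32_DeviceGuard reports code-integrity state:
    # CodeIntegrityPolicyEnforcementStatus 0 = off, 1 = audit, 2 = enforced;
    # SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        BlocklistEnabled    = [bool]($flag -and $flag.VulnerableDriverBlocklistEnable -eq 1)
        KernelCIEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
        OSBuild             = [System.Environment]::OSVersion.Version.Build
    }
}

function Install-DriverBlockPolicy {
    param(
        # Path to Microsoft's published block-rules XML. The file name is an
        # assumption for this example; use whatever you downloaded it as.
        [string]$PolicyXml = '.\SiPolicy_Enforced.xml'
    )
    if (-not (Test-Path -LiteralPath $PolicyXml)) { throw "Policy XML not found: $PolicyXml" }

    # Caution: the single-policy location below replaces any WDAC policy that is
    # already deployed there. Merge policies first if you already run WDAC.
    $bin = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SiPolicy.p7b'
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $bin | Out-Null
    "Wrote $bin; reboot (or run Microsoft's WDAC policy refresh tool) to apply."
}

Get-DriverBlocklistStatus | Format-List

# To enable the built-in blocklist via the documented registry value (reboot to apply):
#   Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config `
#       -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
# To push a newer list than the one the OS shipped with:
#   Install-DriverBlockPolicy -PolicyXml .\SiPolicy_Enforced.xml
```

The two paths are complementary: the registry toggle switches on the list that shipped with the running Windows build, while the WDAC policy lets you deploy whatever Microsoft has published most recently, which matters given that the built-in list lags behind the feature-update cadence described above.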
“Most kernel driver attacks have typically taken the BYOVD (Bring Your Own Vulnerable Driver) form,” the Sophos researchers said. “Recent examples include BlackByte ransomware, which used a vulnerable graphics card overclocking driver, and another ransomware actor abusing a vulnerable anti-cheat driver created by the software publisher of the video game Genshin Impact.”
Cuba ransomware takes driver attacks to the next level
The latest attacks from the Cuba ransomware group, first observed in late September and October, represented an escalation in Windows kernel driver abuse because the attackers did not need a vulnerable third-party driver at all: they used malicious kernel drivers of their own that had been signed through a legitimate channel, accounts on the Windows Hardware Developer Program.
“We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity,” Microsoft said in its advisory. “This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers’ accounts in early October.”
Microsoft has also released security updates that revoke the certificates used to sign the malicious drivers.
The Cuba ransomware group used the driver as part of its post-exploitation activity, in conjunction with a malicious loader application whose purpose was likely to terminate the processes of security products before the ransomware was deployed. This utility has been observed before: Mandiant dubbed it BURNTCIGAR back in February, when it was deployed using a vulnerable driver associated with the Avast antivirus program.
After finding the latest version of the tool signed directly by Microsoft through the hardware developer and driver certification program, the Sophos researchers hunted malware databases, including VirusTotal, for earlier versions. They found variants of the tool and an accompanying driver signed with an Nvidia certificate that had been leaked by the hacker group Lapsus$, as well as with certificates belonging to two Chinese companies, one of them a publisher of software tools that antivirus vendors frequently flag as potentially unwanted applications (PUA).
This shows an evolution in the group’s tactics over the past year: from abusing legitimate but vulnerable drivers, to abusing valid code signing certificates from publishers of dubious origin, to finally infiltrating the Microsoft hardware developer program and getting their own driver signed directly by Microsoft.
Copyright © 2022 IDG Communications, Inc.