Back in October, Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used in a malicious way in post-exploitation activity.
Microsoft was made aware of this activity by security companies SentinelOne, Mandiant, and Sophos and were quick to perform an investigation.
Christopher Budd, senior manager of threat research in the Sophos Technology Group, explained that the attack came in the form of a piece of malware that was signed using legitimate certificates from Microsoft.
“Our rapid response team was engaged in an instant and afterwards we were able to determine that it was an attempted Cuba ransomware attack,” he said. “We disputed that attack and when looking at how they tried to carry out the attack, we saw that… they were trying to disable our security product and they failed to do that.”
Budd continued saying that as the team at Sophos dug in deeper, they discovered that this malware was signed through the Microsoft Windows Hardware Quality Labs.
The team then immediately reported its findings to Microsoft and worked in tandem with them in order to effectively block that signed driver.
With this update, Budd said that customers and their security are no longer at risk because that piece of malware is now essentially inert.
“That said, the broader implication… is that the Cuba ransomware group, over the course of months, have been using this particular tactic of building malware and getting it signed with a valid certificate… and they have been going up the trust chain,” Budd explained.
He expanded on what this all means, saying that the ransomware group had been working to make their malware appear more legitimate.
According to Budd, Cuba initially started getting the malware signed with valid certificates from a Chinese company; next they obtained copies of stolen, expired, and revoked NVIDIA certificates and used that to sign; and finally, they began getting signatures through the Microsoft Windows Hardware Labs.
“And in addition to the one that we saw used in an active attack, we found six other examples of signed drivers like that through Microsoft,” he said. “And all of this means that we believe the Cuba ransomware group is going up that trust chain and getting more entrusted, better recognized signers for their malware.”
Budd emphasized that even though this attack was ultimately unsuccessful, malware groups will not stop their attempts anytime soon.
Going forward, he strongly advised that users continue to take updates from Microsoft and to have their own modern and up-to-date security software that includes anti-tampering capabilities.
“Overall, as these things go, I think this is a pretty positive and successful story as far as really showing how the industry with partnerships can work together to help protect people better,” Budd said.
