Multiple accounts which signed malicious drivers for the Cuba ransomware organization to deactivate endpoint security solutions have been suspended by Microsoft from its hardware developer program.
Cuba attempted to disable vulnerability scanning programs and alter settings using these cryptographically signed 'drivers' after infiltrating a target's systems. The intention of the activity was to go unnoticed, however, monitoring software from the security company Sophos alerted to it.
Additionally, In October, Microsoft received information from the Google-owned Mandiant, SentinelOne, and Sophos that many cybercrime groups were utilizing malicious third-party kernel-mode hardware drivers which were signed by Microsoft to transmit ransomware.
According to Microsoft's counsel, "In these attacks, the attacker had already gained administrative rights on compromised systems prior to using the drivers, the company's investigation has revealed that several developer's accounts for the Microsoft Partner Center had been engaged in submitting malicious drivers to acquire a Microsoft signature."
The Cuba ransomware group employed the driver as part of its post-exploitation operations together with a malicious loader application, which was most likely used to end the processes of security products before the ransomware was activated. Mandiant named this malicious utility BURNTCIGAR back in February after it had previously been seen. It was installed using a faulty driver that was connected to the Avast antivirus software at the time.
Sophos' Christopher Budd, director of threat research, stated, "We've discovered a total of 10 malicious drivers, all of which are variations of the original discovery. Starting at least in July of last year, these drivers exhibit a concentrated effort to advance through the trust chain. It is tough to write a malicious driver from scratch and get it approved by a reputable body. Nevertheless, it's highly efficient because the driver can virtually complete any task without hesitation."
Since Windows 10, Microsoft has demanded that kernel-mode drivers be signed by the Windows Hardware Developer Program. Researchers at Sophos Andreas Klopsch and Andrew Brandt claim that the signature denotes trust. In 2022, the use of reputable third-party device drivers has increased for the purpose of killing security tools.
According to a U.S. government alert, the Cuba ransomware group has profited an additional $60 million through operations against 100 companies worldwide. The report warned that the ransomware organization, active since 2019, continues to target American entities with critical infrastructure.
