Cuba Ransomware gang misused Microsoft certificates to sign malware
Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and the FBI released a joint advisory about the threat of ransomware attacks from a group calling itself “Cuba.” The group, which the researchers believe is actually based in Russia, has been on a rampage over the past year targeting an increasing number of companies and other institutions in the US and abroad. New research released today indicates that Cuba has used pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.
Cuba used these cryptographically signed “drivers” after compromising a target’s systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from security firm Sophos. Researchers from Palo Alto Networks Unit 42 previously observed Cuba signing a privileged piece of software known as a “core driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it has also seen the group use the strategy with compromised certificates from at least one other Chinese technology company, which security firm Mandiant identified as Zhuhai Liancheng Technology Co.
“Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activities,” the company said in a security advisory today. “Several Microsoft Partner Center developer accounts were engaged in submitting malicious drivers to obtain a Microsoft signature … The signed malicious drivers were likely used to facilitate post-exploitation intrusion activity, such as ransomware distribution.”
Sophos notified Microsoft of the activity on October 19, along with Mandiant and security firm SentinelOne. Microsoft says it has suspended the Partner Center accounts that were abused, revoked the fake certificates and released security updates for Windows related to the situation. The company adds that it has not identified any compromise of its systems beyond the partner account abuse.
Microsoft declined WIRED’s request for comment beyond the advisory.
“These attackers, most likely affiliated members of the Cuba ransomware group, know what they’re doing – and they’re persistent,” said Christopher Budd, director of threat research at Sophos. “We have found a total of 10 malicious drivers, all variants of the initial detection. These drivers show a concerted effort to move up the chain of trust, starting at least last July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. It’s incredibly efficient, though, because the driver can essentially do all the processes without question.”
Cryptographic software signing is an important validation mechanism intended to ensure that software has been verified and anointed by a trusted party or “certificate authority”. However, attackers are always looking for weaknesses in this infrastructure, where they can compromise certificates or otherwise subvert and abuse the signing process to legitimize malware.
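The practical check this story points to is auditing what kernel drivers a host is actually running and whether their signatures still validate once a certificate has been revoked. The script below is an added example, not from the article or from any of the vendors named in it; it assumes an elevated PowerShell session on Windows and normalises the driver paths WMI reports before verifying each binary with Get-AuthenticodeSignature.

```powershell
# Added example, not from the article: list the kernel drivers currently running on a Windows host
# and check each binary's Authenticode signature, so revoked or untrusted signers stand out.
# Assumes an elevated PowerShell session on Windows; driver paths from WMI are normalised below.

function Resolve-DriverPath {
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                     # strip a leading \??\
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {             # e.g. system32\drivers\foo.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-RunningDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            [PSCustomObject]@{
                Name     = $_.Name
                Path     = $path
                Status   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Signer   = if ($cert) { $cert.Subject } else { '<none>' }
                NotAfter = if ($cert) { $cert.NotAfter } else { $null }
                Sha256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

$drivers = Get-RunningDriverSignatures

# Drivers whose signature no longer validates, including ones whose signer certificate has since been revoked.
$drivers | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Status, Signer, Path -AutoSize

# A valid Microsoft signature is not proof of benign intent, as the article shows; keep the hashes
# for comparison against Microsoft's and your EDR vendor's published driver blocklists.
$drivers | Select-Object Name, Sha256 | Export-Csv -NoTypeInformation -Path "$env:TEMP\running-drivers.csv"
```

Run it before and after applying the Windows updates Microsoft released for this incident; a driver that moves from Valid to NotTrusted or UnknownError between the two runs is the kind of revoked-signer case described above.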
“Mandiant has previously observed scenarios when groups are suspected of exploiting a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and offering these certificates or signing services has proven to be a lucrative niche in the underground economy.”
Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device manufacturers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity related to the Manuscrypt malware family to North Korean state-sponsored hackers targeting cryptocurrency platforms and exchanges.
“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass endpoint detection and response products from many, if not most, major vendors,” says Sophos’ Budd. “The security community needs to be aware of this threat so they can implement additional security measures. Also, we can see other attackers trying to imitate this type of attack.”
With so many compromised certificates flying around, it seems that many attackers have already gotten the memo to shift towards this strategy.