Driver Targets Endpoint Detection and Response (EDR) Software; Attacks Linked to the Cuba Ransomware Group

OXFORD, U.K. — Diciembre 13, 2022 —

OXFORD, U.K. – Dec. 13, 2022 – Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed it has found malicious code in multiple drivers signed by legitimate digital certificates. Its latest report, “Signed Driver Malware Moves up the Software Trust Chain,” details the investigation which began with an attempted ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver is designed to specifically target processes used by major Endpoint Detection and Response (EDR) software packages and was installed by malware that has been tied to threat actors affiliated with Cuba ransomware, a highly prolific group that has successfully targeted more than 100 companies globally over the past year. Sophos Rapid Response was able to successfully thwart the attack, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.

Drivers can perform highly privileged operations on systems. For example, kernel-mode drivers can, among other things, terminate many types of software, including security. Controlling which drivers can load is one way to protect computers from this avenue of attack. Windows requires drivers to bear a cryptographic signature—a “stamp of approval”—before it will allow the driver to load.

However, not all digital certificates used to sign drivers are trusted equally. Some digital signing certificates, stolen and leaked to the internet, were later abused to sign malware; still other certificates have been bought and used by unscrupulous PUA software publishers. Sophos’ investigation of a malicious driver used to sabotage endpoint security tools during the commission of a ransomware attack, revealed that the adversaries had been making a concerted effort to progressively move from less widely to more widely trusted digital certificates.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent. We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July. The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please,” said Christopher Budd, senior manager, threat research, Sophos.                   

A closer look at the executables utilized in the attempted ransomware attack found that the malicious signed driver was downloaded onto the targeted system with a variant of the loader BURNTCIGAR, a known piece of malware affiliated with the Cuba ransomware group. Once the loader downloads the driver on the system, the latter waits for one of 186 different program filenames commonly used by major endpoint security and EDR software packages to initiate and then attempts to terminate those processes. If successful, the attackers can then deploy the ransomware.

“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass EDR products of many, if not most, major vendors. The most common technique is known as ‘bring your own driver,’ which BlackByte recently used, and it involves  attackers exploiting an existing vulnerability in a legitimate driver. Creating a malicious driver from scratch and getting it signed by a legitimate authority is far more difficult. However, should they succeed, it’s incredibly effective because the driver can essentially carry out any processes without question. In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tampering protections were able to halt the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack,” said Budd.

Upon discovering this driver, Sophos promptly alerted Microsoft, and the two companies worked together to resolve the issue. Microsoft has released information in their security advisory with more information today as part of Patch Tuesday.

 

Learn more about this topic in the article, “Signed Driver Malware Moves up the Software Trust Chain,” on Sophos.com.

Acerca de Sophos

Sophos es líder en ciberseguridad y protege a 600 000 organizaciones en todo el mundo con su plataforma basada en IA y servicios prestados por expertos. Sophos acompaña a las organizaciones, independientemente de su nivel de madurez en materia de seguridad, y crece con ellas para derrotar los ciberataques. Sus soluciones combinan el Machine Learning, la automatización y la información sobre amenazas en tiempo real con la experiencia humana de primera línea de Sophos X-Ops para ofrecer supervisión, detección y respuesta avanzadas 24/7 frente a amenazas.
Sophos ofrece detección y respuesta gestionadas (MDR) líder en el sector, junto con una completa cartera de tecnologías de ciberseguridad que incluye seguridad para endpoints, redes, correo electrónico y la nube, detección y respuesta ampliadas (XDR), detección y respuesta ante amenazas de identidad (ITDR) y SIEM next-gen. Junto con los servicios de asesoramiento de expertos, estas funcionalidades ayudan a las organizaciones a reducir el riesgo de forma proactiva y a responder con mayor rapidez, con la visibilidad y escalabilidad necesarias para adelantarse a las amenazas en evolución.
Sophos comercializa sus productos a través de un ecosistema global de Partners, que incluye proveedores de servicios gestionados (MSP), proveedores de servicios de seguridad gestionados (MSSP), Partners y distribuidores, integraciones para marketplaces y Partners especializados en ciberriesgos, lo que ofrece a las organizaciones la flexibilidad de elegir colaboraciones de confianza a la hora de proteger su negocio.  Sophos tiene su sede en Oxford, Reino Unido. Encontrará más información en es.sophos.com.