Driver Targets Endpoint Detection and Response (EDR) Software; Attacks Linked to the Cuba Ransomware Group

OXFORD, U.K. — 12月 13, 2022 —

OXFORD, U.K. – Dec. 13, 2022 – Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed it has found malicious code in multiple drivers signed by legitimate digital certificates. Its latest report, “Signed Driver Malware Moves up the Software Trust Chain,” details the investigation which began with an attempted ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver is designed to specifically target processes used by major Endpoint Detection and Response (EDR) software packages and was installed by malware that has been tied to threat actors affiliated with Cuba ransomware, a highly prolific group that has successfully targeted more than 100 companies globally over the past year. Sophos Rapid Response was able to successfully thwart the attack, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.

Drivers can perform highly privileged operations on systems. For example, kernel-mode drivers can, among other things, terminate many types of software, including security. Controlling which drivers can load is one way to protect computers from this avenue of attack. Windows requires drivers to bear a cryptographic signature—a “stamp of approval”—before it will allow the driver to load.

However, not all digital certificates used to sign drivers are trusted equally. Some digital signing certificates, stolen and leaked to the internet, were later abused to sign malware; still other certificates have been bought and used by unscrupulous PUA software publishers. Sophos’ investigation of a malicious driver used to sabotage endpoint security tools during the commission of a ransomware attack, revealed that the adversaries had been making a concerted effort to progressively move from less widely to more widely trusted digital certificates.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent. We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July. The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please,” said Christopher Budd, senior manager, threat research, Sophos.                   

A closer look at the executables utilized in the attempted ransomware attack found that the malicious signed driver was downloaded onto the targeted system with a variant of the loader BURNTCIGAR, a known piece of malware affiliated with the Cuba ransomware group. Once the loader downloads the driver on the system, the latter waits for one of 186 different program filenames commonly used by major endpoint security and EDR software packages to initiate and then attempts to terminate those processes. If successful, the attackers can then deploy the ransomware.

“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass EDR products of many, if not most, major vendors. The most common technique is known as ‘bring your own driver,’ which BlackByte recently used, and it involves  attackers exploiting an existing vulnerability in a legitimate driver. Creating a malicious driver from scratch and getting it signed by a legitimate authority is far more difficult. However, should they succeed, it’s incredibly effective because the driver can essentially carry out any processes without question. In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tampering protections were able to halt the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack,” said Budd.

Upon discovering this driver, Sophos promptly alerted Microsoft, and the two companies worked together to resolve the issue. Microsoft has released information in their security advisory with more information today as part of Patch Tuesday.

 

Learn more about this topic in the article, “Signed Driver Malware Moves up the Software Trust Chain,” on Sophos.com.

ソフォスについて

ソフォスは、MDR (Managed Detection and Response) サービス、インシデント対応サービス、およびエンドポイント、ネットワーク、メール、クラウド セキュリティ テクノロジーの幅広いポートフォリオなど、サイバー攻撃を阻止する高度なセキュリティソリューションを提供する世界的なリーダーであり、革新的な企業です。ソフォスは、最大手のサイバーセキュリティ専門プロバイダーの 1つであり、全世界で 60万以上の組織と 1億人以上のユーザーを、アクティブな攻撃者、ランサムウェア、フィッシング、マルウェアなどから保護しています。ソフォスのサービスと製品は、Sophos Central 管理コンソールを介して接続され、企業のクロスドメイン脅威インテリジェンスユニットである Sophos X-Ops を利用しています。Sophos X-Ops のインテリジェンスは、Sophos ACE (Adaptive Cybersecurity Ecosystem) 全体を最適化します。このエコシステムには、お客様、パートナー、開発者、その他のサイバーセキュリティおよび情報技術ベンダーが利用できる豊富なオープン API セットを活用する一元化されたデータレイクが含まれます。ソフォスは、フルマネージド型のソリューションを必要とする組織に、Cyber​​security-as-a-Service を提供します。お客様は、ソフォスのセキュリティ運用プラットフォームを使用してサイバーセキュリティを直接管理することも、脅威ハンティングや修復などソフォスのサービスを使用して社内チームを補完するハイブリッドアプローチを採用することもできます。ソフォスは、リセラーパートナー、MSP (マネージド サービス プロバイダ) を通じて販売しています。ソフォス本社は英国オックスフォードにあります。詳細については www.sophos.com をご覧ください。