BitDefender releases free MegaCortex ransomware decryptor

Security researchers with Sophos (SophosLabs) and Mandiant have determined that threat actors associated with the Cuba ransomware gang are using hardware drivers signed by Microsoft to attack their targets. Drivers run with highly privileged access to the operating system and its data, which is why Windows requires an approved cryptographic signature on a driver before it will load it.

Microsoft says an internal investigation found that only a few developer program accounts were abused to get the drivers signed, and that no further compromise was identified.

Abusing drivers has long been a tactic of attackers: loading a legitimate but vulnerable hardware driver gives them a signed route into the kernel, which they then exploit. This is referred to as the "Bring Your Own Vulnerable Driver" (BYOVD) approach. The case described here goes a step further, because the driver itself is malicious rather than merely buggy, yet it still carries a valid Microsoft signature.

Researchers at Sophos have found that cybercriminals pair a cryptographically signed Windows driver (carrying a legitimate signing certificate) with an executable "loader" application that installs and starts the driver; the two are used in tandem to disable endpoint security tools.

Microsoft Windows checks the validity of a hardware driver's signature before it allows the driver to load and execute. A driver whose signature is missing, broken, or from a certificate Microsoft has revoked will fail to load. Revocation for kernel drivers is not checked online at load time; it reaches endpoints through Windows security updates, which is why the certificates in this case were revoked through Patch Tuesday.

Signature enforcement only decides whether a driver may load; it does not judge what the driver does once loaded. An attacker who already holds administrative credentials on the machine can register and start any validly signed driver, and a signed malicious driver can then be used to disable preventative measures such as endpoint security tools, which is exactly the loader-plus-driver pattern described above.
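A practical check that follows from the above: since a malicious driver of this kind will pass the signature check, defenders need to look at which drivers are registered and loaded, who signed them, and when they appeared. The PowerShell script below is an added example, not code from the article or from Sophos, Mandiant, or Microsoft. It assumes it is run as Administrator on Windows 10/11 or Windows Server, that Sysmon is optionally installed (the driver-load event query is skipped if its log is absent), and that the analyst supplies their own list of known-bad SHA256 hashes in the `$KnownBadSha256` parameter, which is left empty here.

```powershell
# Added example (not from the article or its sources): inventory kernel drivers
# registered on this host, verify their Authenticode signatures, and surface the
# ones worth a second look. Assumes elevated PowerShell on Windows 10/11/Server.
param(
    [int]$RecentDays = 30,
    # Analyst-supplied deny list (SHA256 hex strings); empty by assumption here.
    [string[]]$KnownBadSha256 = @()
)

function Get-DriverFilePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths appear as \??\C:\..., \SystemRoot\..., or System32\...
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = Get-DriverFilePath $_.PathName
    if (-not $path -or -not (Test-Path $path)) { return }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $file   = Get-Item $path
    $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $flags = @()
    if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
    # Third-party drivers signed through Microsoft's hardware program carry this
    # Microsoft publisher; that is the signing path abused in the case above, so
    # they are reported separately rather than treated as trusted by default.
    if ($signer -match 'Windows Hardware Compatibility Publisher') { $flags += 'whcp-signed' }
    if ($file.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) { $flags += 'recent' }
    if ($KnownBadSha256 -contains $hash) { $flags += 'KNOWN-BAD' }

    [pscustomobject]@{
        Name    = $_.Name
        State   = $_.State
        Path    = $path
        Status  = $sig.Status
        Signer  = $signer
        Created = $file.CreationTime
        SHA256  = $hash
        Flags   = ($flags -join ',')
    }
}

$drivers | Where-Object { $_.Flags } | Sort-Object Created -Descending |
    Format-Table Name, State, Status, Flags, Signer, Path -AutoSize

# Sysmon Event ID 6 (DriverLoad) records every kernel driver load together with
# its signer and signature status, so a driver that was loaded once and then
# deleted by the loader still leaves a trace here.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{
        LogName = $sysmonLog; Id = 6; StartTime = (Get-Date).AddDays(-$RecentDays)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            ImageLoaded     = $d['ImageLoaded']
            Signature       = $d['Signature']
            SignatureStatus = $d['SignatureStatus']
            Hashes          = $d['Hashes']
        }
    } | Where-Object {
        $_.SignatureStatus -ne 'Valid' -or $_.Signature -match 'Hardware Compatibility Publisher'
    } | Format-Table Time, SignatureStatus, Signature, ImageLoaded -AutoSize
}
```

The script deliberately does not treat a valid signature as a clean bill of health: a hardware-program signature, a recent file creation time, or a hash match against the analyst's own deny list each add a flag, and it is the combination (for instance a recently created, hardware-program-signed driver registered as a service that endpoint tooling did not deploy) that deserves investigation. Run it before and after a Patch Tuesday that revokes driver certificates to confirm that previously loaded drivers now report a non-valid status.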

Sophos concludes that threat actors associated with the Cuba ransomware, also tracked as "COLDDRAW", planted a malicious signed driver in a failed attempt to disable endpoint security tools.

Sophos researchers Andreas Klopsch and Andrew Brandt commented, “threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers. Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance.”

Microsoft has since revoked the certificates for the impacted files and suspended the partner developer accounts involved, shipping the revocations as part of its December 2022 Patch Tuesday update, per The Hacker News.
