Driver Targets Endpoint Detection and Response (EDR) Software; Attacks Linked to the Cuba Ransomware Group

OXFORD, U.K. — Dezember 13, 2022 —

OXFORD, U.K. – Dec. 13, 2022 – Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed it has found malicious code in multiple drivers signed by legitimate digital certificates. Its latest report, “Signed Driver Malware Moves up the Software Trust Chain,” details the investigation which began with an attempted ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver is designed to specifically target processes used by major Endpoint Detection and Response (EDR) software packages and was installed by malware that has been tied to threat actors affiliated with Cuba ransomware, a highly prolific group that has successfully targeted more than 100 companies globally over the past year. Sophos Rapid Response was able to successfully thwart the attack, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.

Drivers can perform highly privileged operations on systems. For example, kernel-mode drivers can, among other things, terminate many types of software, including security. Controlling which drivers can load is one way to protect computers from this avenue of attack. Windows requires drivers to bear a cryptographic signature—a “stamp of approval”—before it will allow the driver to load.

However, not all digital certificates used to sign drivers are trusted equally. Some digital signing certificates, stolen and leaked to the internet, were later abused to sign malware; still other certificates have been bought and used by unscrupulous PUA software publishers. Sophos’ investigation of a malicious driver used to sabotage endpoint security tools during the commission of a ransomware attack, revealed that the adversaries had been making a concerted effort to progressively move from less widely to more widely trusted digital certificates.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent. We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July. The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please,” said Christopher Budd, senior manager, threat research, Sophos.                   

A closer look at the executables utilized in the attempted ransomware attack found that the malicious signed driver was downloaded onto the targeted system with a variant of the loader BURNTCIGAR, a known piece of malware affiliated with the Cuba ransomware group. Once the loader downloads the driver on the system, the latter waits for one of 186 different program filenames commonly used by major endpoint security and EDR software packages to initiate and then attempts to terminate those processes. If successful, the attackers can then deploy the ransomware.

“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass EDR products of many, if not most, major vendors. The most common technique is known as ‘bring your own driver,’ which BlackByte recently used, and it involves  attackers exploiting an existing vulnerability in a legitimate driver. Creating a malicious driver from scratch and getting it signed by a legitimate authority is far more difficult. However, should they succeed, it’s incredibly effective because the driver can essentially carry out any processes without question. In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tampering protections were able to halt the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack,” said Budd.

Upon discovering this driver, Sophos promptly alerted Microsoft, and the two companies worked together to resolve the issue. Microsoft has released information in their security advisory with more information today as part of Patch Tuesday.

 

Learn more about this topic in the article, “Signed Driver Malware Moves up the Software Trust Chain,” on Sophos.com.

Über Sophos

Sophos ist ein weltweit führender Anbieter von modernsten Sicherheitslösungen zur Abwehr von Cyberangriffen, einschließlich Managed Detection and Response (MDR) und Incident Response Services sowie einem breiten Portfolio an Endpoint-, Netzwerk-, E-Mail- und Cloud-Security-Technologien. Als einer der größten ausschließlich auf Cybersicherheit spezialisierten Anbieter schützt Sophos weltweit mehr als 600.000 Unternehmen und Organisationen und mehr als 100 Mio. Benutzer vor aktiven Angreifern, Ransomware, Phishing, Malware und mehr. Die Services und Produkte von Sophos sind über die Management-Konsole Sophos Central miteinander verbunden und werden vom bereichsübergreifenden Threat-Intelligence-Expertenteam Sophos X-Ops unterstützt. Die Sophos X-Ops Intelligence optimiert das gesamte Sophos Adaptive Cybersecurity Ecosystem. Dieses Ökosystem umfasst einen zentralen Data Lake, der eine Vielzahl offener APIs nutzt, die Kunden, Partnern, Entwicklern und anderen Cybersecurity- und Informationstechnologie-Anbietern zur Verfügung stehen. Sophos bietet Cybersecurity-as-a-Service für Unternehmen und Organisationen an, die vollständig verwaltete Sicherheitslösungen benötigen. Kunden können ihre Cybersicherheit auch direkt mit der Sophos Security-Operations-Plattform verwalten oder einen hybriden Ansatz nutzen, bei dem sie ihre internen Teams mit Sophos-Services ergänzen, einschließlich Threat Hunting und Maßnahmen zur Beseitigung von Bedrohungen. Sophos vertreibt seine Produkte und Services über ein weltweites Netzwerk von Vertriebspartnern und Managed Service Providern (MSPs). Sophos hat seinen Hauptsitz im britischen Oxford. Weitere Informationen finden Sie unter www.sophos.de.