Driver Targets Endpoint Detection and Response (EDR) Software; Attacks Linked to the Cuba Ransomware Group

OXFORD, U.K. — 十二月 13, 2022 —

OXFORD, U.K. – Dec. 13, 2022 – Sophos, a global leader in innovating and delivering cybersecurity as a service, today revealed it has found malicious code in multiple drivers signed by legitimate digital certificates. Its latest report, “Signed Driver Malware Moves up the Software Trust Chain,” details the investigation which began with an attempted ransomware attack in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The malicious driver is designed to specifically target processes used by major Endpoint Detection and Response (EDR) software packages and was installed by malware that has been tied to threat actors affiliated with Cuba ransomware, a highly prolific group that has successfully targeted more than 100 companies globally over the past year. Sophos Rapid Response was able to successfully thwart the attack, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.

Drivers can perform highly privileged operations on systems. For example, kernel-mode drivers can, among other things, terminate many types of software, including security. Controlling which drivers can load is one way to protect computers from this avenue of attack. Windows requires drivers to bear a cryptographic signature—a “stamp of approval”—before it will allow the driver to load.

However, not all digital certificates used to sign drivers are trusted equally. Some digital signing certificates, stolen and leaked to the internet, were later abused to sign malware; still other certificates have been bought and used by unscrupulous PUA software publishers. Sophos’ investigation of a malicious driver used to sabotage endpoint security tools during the commission of a ransomware attack, revealed that the adversaries had been making a concerted effort to progressively move from less widely to more widely trusted digital certificates.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent. We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July. The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate. Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please,” said Christopher Budd, senior manager, threat research, Sophos.                   

A closer look at the executables utilized in the attempted ransomware attack found that the malicious signed driver was downloaded onto the targeted system with a variant of the loader BURNTCIGAR, a known piece of malware affiliated with the Cuba ransomware group. Once the loader downloads the driver on the system, the latter waits for one of 186 different program filenames commonly used by major endpoint security and EDR software packages to initiate and then attempts to terminate those processes. If successful, the attackers can then deploy the ransomware.

“In 2022, we’ve seen ransomware attackers increasingly attempt to bypass EDR products of many, if not most, major vendors. The most common technique is known as ‘bring your own driver,’ which BlackByte recently used, and it involves  attackers exploiting an existing vulnerability in a legitimate driver. Creating a malicious driver from scratch and getting it signed by a legitimate authority is far more difficult. However, should they succeed, it’s incredibly effective because the driver can essentially carry out any processes without question. In the case of this particular driver, virtually all EDR software is vulnerable; fortunately, Sophos’ additional anti-tampering protections were able to halt the ransomware attack. The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack,” said Budd.

Upon discovering this driver, Sophos promptly alerted Microsoft, and the two companies worked together to resolve the issue. Microsoft has released information in their security advisory with more information today as part of Patch Tuesday.

 

Learn more about this topic in the article, “Signed Driver Malware Moves up the Software Trust Chain,” on Sophos.com.

关于 Sophos

Sophos 是全球领先的先进安全解决方案提供商和创新者,全面安全解决方案涵盖托管式侦测与响应 (MDR) 和事件响应服务,以及广泛的端点、网络、电子邮件和云安全技术。作为最大的纯网络安全厂商之一,Sophos 为全球超过 600,000 家企业和超过 1 亿用户提供防御主动攻击对手、勒索软件、网络钓鱼、恶意软件等威胁的保护。Sophos 的服务和产品通过 Sophos Central 管理控制台连接,并得到公司内部的跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos为需要完全托管的安全解决方案的组织提供网络安全即服务。客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com