The ransomware gang was able to use signed malicious drivers to disable endpoint security tools. Microsoft has revoked the certificates.

Microsoft suspended several accounts on its hardware developer program that signed malicious drivers used by a ransomware group called Cuba to disable endpoint security tools. The driver certificates have been revoked and the drivers will be added to a blocklist that Windows users can optionally deploy.

“In most ransomware incidents, attackers kill the target’s security software in an essential precursor step before deploying the ransomware itself,” researchers from security firm Sophos said in a new report about the incident. “In recent attacks, some threat actors have turned to the use of Windows drivers to disable security products.”

The power of kernel drivers and Microsoft’s attempt to secure them

The kernel is the most sensitive part of an operating system: code there executes with the highest privileges and has complete control over the computer and its hardware. To communicate with and control the hardware, the kernel uses specialized pieces of code called device drivers, developed either by Microsoft or by hardware companies. Back in the days of Windows XP, rootkits (root-level malware) were a common threat and often made use of malicious unsigned drivers, but with Windows Vista and Windows 7, Microsoft started to close this loophole by enforcing driver signature validation out of the box. Currently supported versions of Windows (Windows 10 and higher) will not allow users to install a kernel-mode driver that hasn’t been digitally cross-signed by Microsoft through the Windows Hardware Developer Program. For the driver to be suitable for distribution through Windows Update, it also needs to be certified by Microsoft.

These new security features have made the use of malicious drivers a rare occurrence, but some sophisticated groups found a workaround: exploiting vulnerabilities in legitimate and trusted drivers. This created a new problem, because even if a driver vendor released a new version to patch a vulnerability, there was nothing to stop a malicious program from deploying an older, vulnerable version of the driver on users’ systems. Microsoft responded by creating a vulnerable driver blocklist, but it is only enabled by default starting with the Windows 11 2022 Update released in September 2022. For Windows 10 20H2 and Windows 11 21H2, it is only available as an optional update. Furthermore, the list is only updated once or twice per year, when major Windows versions are released. Another way to apply this blocklist is through Windows Defender Application Control (WDAC).

“Most kernel driver attacks have typically taken the BYOVD (Bring Your Own Vulnerable Driver) form,” the Sophos researchers said. “Recent examples include BlackByte ransomware, which used a vulnerable graphics card overclocking driver, and another ransomware actor abusing a vulnerable anti-cheat driver created by the software publisher of the video game Genshin Impact.”

Cuba ransomware takes driver attacks to the next level

The latest attacks from the Cuba ransomware group, initially observed in late September and October, represented an escalation in Windows kernel driver abuse because they used malicious kernel drivers obtained through a legitimate channel: Windows Hardware Developer Program accounts. “We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity,” Microsoft said in its advisory. “This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers’ accounts in early October.”

Microsoft has also released security updates that will revoke the certificates that were used to sign the malicious drivers.

The Cuba ransomware group used the driver as part of post-exploitation activities in conjunction with a malicious loader application whose purpose was likely to terminate the processes of security products before deploying the ransomware. This malicious utility has been observed before, and Mandiant dubbed it BURNTCIGAR back in February. At the time it was deployed using a vulnerable driver associated with the Avast antivirus program. After finding the latest version of the tool signed directly by Microsoft through the hardware developer and driver certification program, the Sophos researchers searched malware databases, including VirusTotal, for previous versions. They found variants of the tool and an accompanying driver that were signed with an Nvidia certificate leaked by the hacker group Lapsus$, as well as with certificates belonging to two Chinese companies, one of them a publisher of software tools that are frequently flagged as potentially unwanted applications (PUA) by antivirus vendors.

This shows an evolution in tactics by this group over the past year: from abusing legitimate but vulnerable drivers, to abusing valid code signing certificates of publishers with dubious origins, to finally infiltrating the Microsoft hardware developer program and getting their driver signed directly by Microsoft.
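The article's two technical points, that kernel drivers must carry a Microsoft-validated signature and that the vulnerable driver blocklist is only enforced under certain configurations, both come down to questions a defender can ask of a host: which drivers are registered, who signed them, is the signature still valid, and is the blocklist actually being applied? The script below is an added example written for this page; it is not code from the article, Sophos, Mandiant or Microsoft. It uses only standard cmdlets (Get-CimInstance against Win32_SystemDriver and Win32_DeviceGuard, and Get-AuthenticodeSignature). The function names, the path-normalisation rules and the "signer does not contain Microsoft" heuristic are this example's own assumptions, and the interpretation that a value of 2 in SecurityServicesRunning means HVCI is running follows Microsoft's documentation for that class.

```powershell
# Added example (not from the article or from Sophos/Microsoft): inventory the kernel
# drivers registered on a Windows host, verify each file's Authenticode signature and
# report the signer, then check whether HVCI (one of the conditions under which
# Microsoft's vulnerable driver blocklist is enforced) is running.
# Defender-side review only; it installs and loads nothing. Run from an elevated session.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms (assumption: these three cover
    # the common cases); normalise them to a plain file path.
    $p = $PathName -replace '^\\\?\?\\', ''                       # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot             # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32', "$env:SystemRoot\System32"      # System32\... -> C:\Windows\System32\...
    return $p
}

function Get-KernelDriverSignatures {
    # One object per registered kernel driver with its signature status and signer.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # stale registration, skip
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State
                StartMode  = $_.StartMode
                Path       = $path
                Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                NotAfter   = $sig.SignerCertificate.NotAfter
            }
        }
}

function Get-HvciStatus {
    # SecurityServicesRunning contains 2 when hypervisor-protected code integrity is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

$report = Get-KernelDriverSignatures

# Anything that is not validly signed deserves a look.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, State, Status, Path -AutoSize

# So do validly signed drivers whose signer is not Microsoft: this is where BYOVD
# drivers and drivers signed with leaked or dubious third-party certificates show up.
$report | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Signer |
    Format-Table Name, State, Signer, Thumbprint, NotAfter -AutoSize

# Counts by signer: a long tail of one-off signers is a useful review lead.
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"HVCI running: $(Get-HvciStatus)"
```

Two caveats matter when reading the output. Get-AuthenticodeSignature performs a user-mode trust check, not the kernel's Code Integrity check, so a driver on the vulnerable driver blocklist can still report Valid here, and a certificate revoked by the updates the article mentions will only show as untrusted once those updates and the associated revocation data are present on the host. Second, revocation or blocklisting does not unload a driver that is already running; the State column tells you whether a suspicious driver is currently loaded, which is the case that needs an incident response decision rather than a configuration change.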