Microsoft suspended several accounts on its hardware developer program that signed malicious drivers used by a ransomware group called Cuba to disable endpoint security tools. The driver certificates have been revoked and the drivers will be added to a blocklist that Windows users can optionally deploy.
"In most ransomware incidents, attackers kill the target’s security software in an essential precursor step before deploying the ransomware itself," researchers from security firm Sophos said in a new report about the incident. "In recent attacks, some threat actors have turned to the use of Windows drivers to disable security products."
The power of kernel drivers and Microsoft's attempt to secure them
The kernel is the most sensitive part of an operating system: code there executes with the highest privileges and has complete control over the computer and its hardware. To communicate with and control the hardware components, the kernel uses specialized pieces of code called device drivers, which are developed either by Microsoft or by hardware companies.
Back in the days of Windows XP, rootkits (root-level malware) were a common threat and often made use of malicious unsigned drivers, but with Windows Vista and Windows 7, Microsoft started to close this loophole by enforcing driver signature validation out of the box.
Currently supported versions of Windows (Windows 10 and higher) will not allow users to install a kernel-mode driver that hasn't been digitally cross-signed by Microsoft through the Windows Hardware Developer Program. For the driver to be suitable for distribution through Windows Update, it also needs to be certified by Microsoft.
These new security features have made the use of malicious drivers a rare occurrence, but some sophisticated groups found a workaround: exploiting vulnerabilities in legitimate and trusted drivers. This created a new problem, because even if a driver vendor released a new version to patch a vulnerability, there was nothing to stop a malicious program from deploying an older version of the driver on users' systems.
Microsoft responded by creating a vulnerable driver blocklist, but it is only enabled by default starting with the Windows 11 2022 update released in September 2022. For Windows 10 20H2 and Windows 11 21H2, it is only available as an optional update. Furthermore, this list is updated only once or twice per year, when major Windows versions are released. Another way to apply this blocklist is through Windows Defender Application Control (WDAC).
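Because the blocklist is optional on many builds, a defender's first question is whether it is actually on and what is loaded regardless. The following posture check is an added example, not code from Sophos or Microsoft; it assumes an elevated PowerShell session on Windows 10/11 and relies on the registry value and Code Integrity event IDs as Microsoft documents them (the registry value is absent on older builds).

```powershell
# Added example: driver-security posture check for the issues described above.
# Assumes an elevated PowerShell session on Windows 10/11; no third-party modules.

# 1. Is the Microsoft vulnerable driver blocklist turned on?
#    Value documented for the Windows 11 2022 update; missing on older builds.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($flag) {
    1       { 'Vulnerable driver blocklist: ENABLED' }
    0       { 'Vulnerable driver blocklist: DISABLED (enable under Core Isolation or apply the WDAC policy)' }
    default { 'Vulnerable driver blocklist: value not present (older build; consider the WDAC policy)' }
}

# 2. Did Code Integrity block (3077) or audit (3076) anything in the last 30 days?
$ciEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue
"Code Integrity audit/block events in last 30 days: $(@($ciEvents).Count)"
$ciEvents | Select-Object -First 10 TimeCreated, Id, Message | Format-List

# 3. Inventory running kernel drivers with their signer. A valid Microsoft
#    signature is not proof of good intent (that is the point of the Cuba case),
#    but an unsigned or tampered driver here is an immediate red flag, and a
#    publisher you do not recognise deserves a second look.
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }
$report = foreach ($d in $drivers) {
    # Win32_SystemDriver reports NT-style or relative paths; map them to Win32 paths.
    $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Driver = $d.Name
        Path   = $path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    }
}
'Running drivers whose signature does not validate:'
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
'Signer summary (rare or unexpected publishers first):'
$report | Group-Object Signer | Sort-Object Count | Format-Table Count, Name -AutoSize
```

Revocation of the certificates Microsoft mentions only takes effect once the corresponding security update is installed, so an empty "does not validate" list on an unpatched host is not evidence that none of these drivers are present.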
"Most kernel driver attacks have typically taken the BYOVD (Bring Your Own Vulnerable Driver) form," the Sophos researchers said. "Recent examples include BlackByte ransomware, which used a vulnerable graphics card overclocking driver, and another ransomware actor abusing a vulnerable anti-cheat driver created by the software publisher of the video game Genshin Impact."
Cuba ransomware takes driver attacks to the next level
The latest attacks from the Cuba ransomware group, initially observed in late September and October, presented an escalation in Windows kernel driver abuse because they used malicious kernel drivers they obtained through a legitimate channel: Windows Hardware Developer Program accounts.
"We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity," Microsoft said in its advisory. "This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature. A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."
Microsoft has also released security updates that will revoke the certificates that were used to sign the malicious drivers.
The Cuba ransomware group used the driver as part of post-exploitation activities in conjunction with a malicious loader application whose purpose was likely to terminate the processes of security products before deploying the ransomware. This malicious utility has been observed before, and Mandiant dubbed it BURNTCIGAR back in February. At the time it was deployed using a vulnerable driver associated with the Avast antivirus program.
After finding the latest version of the tool signed directly by Microsoft through the hardware developer and driver certification program, the Sophos researchers hunted malware databases, including VirusTotal, for previous versions. They found variants of the tool and an accompanying driver that were signed with an Nvidia certificate leaked by the hacker group Lapsus$, as well as with certificates belonging to two Chinese companies, one of them a publisher of software tools that antivirus vendors frequently flag as potentially unwanted applications (PUA).
This shows an evolution in tactics by this group over the past year: from abusing legitimate but vulnerable drivers, to abusing valid code signing certificates of publishers of dubious origin, to finally infiltrating the Microsoft hardware developer program and getting their driver signed directly by Microsoft.