Researchers at Sophos (opens in new tab) have identified that vulnerabilities in Microsoft-approved hardware drivers have been exploited in ransomware attacks by a group known as Cuba.
A pair of files were found on compromised machines that Sophos says “work together to terminate processes or services used by a variety of endpoint security product vendors.”
Claiming to have “kicked the attackers off the systems” before things escalated, the company can’t be sure what sort of attacks (if any) may have taken place, though some evidence points at a variant of malware known as ‘BURNTCIGAR’.
Ransomware with Microsoft drivers
Sophos informed Microsoft of its findings, which later published an advisory (opens in new tab) as part of its monthly Patch Tuesday release.
The tech giant promised to have completed an investigation which found that “activity was limited to the abuse of several developer program accounts and that no compromise has been identified.”
Microsoft has also suspended the partners’ seller accounts in an effort to protect users in the meantime.
A security update has been released that will revoke the certificate for impacted files, and blocking detections now forms part of the OS (when using Microsoft Defender 1.377.987.0 or newer).
As ever, the company is urging its customers to install updates wherever applicable, including to the operating system and to installed antivirus and endpoint protection software. Attacking the target’s security software is usually the precursor to more impactful steps, like deploying ransomware.
More generally, Sophos has noticed a trend that sees threat actors “moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers.”
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba