Drivers are specialized pieces of code that interact with hardware components and provide control within an operating system. To load on a machine, these drivers need access to the kernel and must carry a cryptographic signature that Windows trusts. Researchers from Sophos, Mandiant and SentinelOne have discovered that multiple cyber-criminal groups are using malicious drivers certified by Microsoft to distribute malware and ransomware. On Tuesday, Microsoft suspended several developer accounts and revoked the certificates used to sign the malicious drivers.
1. Cuba Ransomware Group
A group of hackers calling itself “Cuba” has been targeting organizations worldwide, including those in IT, finance, healthcare and government. Their tactics involve demanding that victims pay to recover their encrypted data, and leaking information taken from compromised systems if the ransom isn’t paid. According to a joint advisory from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA), at least $60 million in ransom payments have been made to this criminal enterprise since December 2021.
Cuba attackers often employ a double extortion strategy, in which they steal sensitive data, demand a ransom payment and threaten to publish the data on their leak site. They rely on the Hancitor malware downloader to gain access to enterprise networks. In addition, Cuba attackers have been observed exploiting the ZeroLogon vulnerability, local privilege escalation exploits and kernel drivers tailored to disable security products.
These threats are typically distributed via spam campaigns. The emails usually carry a malicious Word document with embedded macros which, when opened, allow the threat actor to download the Hancitor malware. Once active, the malware communicates with its command-and-control server, which facilitates lateral movement and the collection of data needed to encrypt files on the infected system.
The Hancitor downloader has been used to deliver various types of malware, including information stealers and Remote Access Trojans. It has also exploited the CVE-2020-1472 (“ZeroLogon”) vulnerability to obtain domain administrator privileges from infected machines.
The gang has long been a threat to companies in IT and manufacturing, but more recently began targeting organizations in finance, government, and healthcare as well. Over the past year it has compromised over 100 entities from these sectors while demanding $145 million in ransom payments.
Ransomware is the most prevalent type of cyberattack, resulting in data loss and financial losses for organizations of all sizes. These attacks are becoming more frequent as hackers increasingly launch them from devices such as routers, computers and smart appliances that lack security software.
A technique known as Bring Your Own Vulnerable Driver (BYOVD) enables attackers to bypass the security mechanism that requires Windows drivers to be digitally signed by a trusted authority: instead of loading an unsigned driver, the attacker loads a legitimately signed kernel-mode driver that contains a known vulnerability, then exploits that flaw to gain kernel-level access.
Due to this, the industry has seen an uptick in attacks using BYOVD methods. One recent example is BlackByte ransomware, which took advantage of a vulnerability in a graphics-card overclocking driver.
Malware infections are typically accompanied by other risks. These could include Remote Desktop and VPN vulnerabilities, file infections, highly targeted Advanced Persistent Threats (APTs), and the use of unprotected routers, CCTV systems, smart appliances and IoT devices – just to name a few.
Despite the increased risk of ransomware infections, many organizations still opt not to pay ransoms to regain access to their data and services. This stance is common among governments, which rely increasingly on digital systems and software for delivering a variety of essential services – from healthcare to law enforcement and public education – across multiple sectors.
On Tuesday, Microsoft announced countermeasures against this threat, deploying blocking protections and suspending the accounts used to publish malicious drivers certified by its Windows Hardware Developer Program. The announcement came after the cybersecurity firms Mandiant, SentinelOne and Sophos alerted Microsoft to this activity in October.
Researchers discovered that the Cuba gang planted a cryptographically signed driver on compromised systems, which is then loaded by an executable “loader” application dubbed BURNTCIGAR. This tool is similar to one previously identified by Mandiant in February; its purpose is to disable endpoint detection tools before the ransomware is deployed.
REvil is a Russian ransomware group known for encrypting computer files and demanding exorbitant ransoms in exchange for their release. It has earned a reputation for being unafraid to attack high-profile targets with impunity.
REvil operates under a ransomware as a service (RaaS) model, meaning it relies on an extensive network of affiliates to spread its malware and collect payments. According to IBM Security X-Force estimates, REvil victimized at least 140 organizations between April and May 2018, with many from the US, UK, and Australia.
Many ransomware threats are designed only to encrypt information, but REvil employs double-extortion tactics in which it steals data from victims before encrypting it. This allows the gang to exert additional pressure on its victims, according to cybersecurity firm DarkOwl Analysts.
Ransomware attackers increasingly employ this tactic, adding pressure on victims to pay, since their data has already been stolen.
REvil often sends media outlets and business partners a note about an intrusion, placing even greater strain on its victims. It has begun auctioning off the personal data of high-profile figures like Madonna, threatening to release it if its demands aren’t fulfilled.
On Friday, Mandiant analysts Michael Klopsch and Mark Brandt published an analysis of REvil tooling that attempted to disable various endpoint protections on computers before encryption. These tools had been signed via Microsoft’s hardware developer program and disabled popular antivirus products, firewalls, and anti-malware solutions.
4. Evil Corp
Evil Corp has been mounting an international campaign against corporate entities, banks, and financial institutions since 2009. It’s considered one of the world’s largest and most dangerous cybercrime enterprises and has been accused of siphoning off hundreds of millions of dollars worth of stolen funds from victims’ bank accounts.
This Russian group is known for its Dridex banking Trojan and several prominent ransomware families, such as Jaff, Locky, Bart, BitPaymer, PayloadBin, WastedLocker and Hades. Furthermore, it utilizes LockBit – a well-known ransomware-as-a-service operation – in order to carry out operations anonymously.
According to a threat profile from the Health Sector Cybersecurity Coordination Center (HC3), Evil Corp has targeted organizations around the globe. However, organizations in the U.S. and Europe appear particularly exposed to its attacks, given the group’s high scalability and adaptability. With such an expansive network, Evil Corp may be able to leverage its connections to obtain access to healthcare-related intellectual property.
Maksim Yakubets, a Moscow native who has been working with the group since 2000, serves as its leader. He reportedly cultivates an international network to ensure the group’s scalability and influence over cybercriminals worldwide.
Once it obtains a victim’s credentials, the ransomware encrypts nearly all files on the system and demands a payment of between $500,000 and $10 million. After the payment is made, the ransomware is no longer active on the victim’s machine.
Microsoft has suspended several third-party developer accounts responsible for submitting malicious drivers to its hardware developer program and revoked the certificates used to sign these drivers. It has also issued updates that prevent users’ machines from loading the malicious drivers, and it will provide guidance on how to protect machines against them.
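The two practical questions a defender is left with after the BYOVD discussion and Microsoft’s blocking protections are whether the driver blocklist is actually enforced on a host and whether any loaded driver is unsigned or matches a known-bad hash. The script below is an added example, not code from the article or from any of the vendors it cites; it assumes administrator rights on Windows 10/11, that the `VulnerableDriverBlocklistEnable` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` is the documented toggle for Microsoft’s vulnerable driver blocklist (verify on your build), and that the hash list is filled from the vendor advisories; the hash values shown are constructed placeholders.

```powershell
# Added example (not from the article): inventory kernel drivers on a Windows host,
# flag unsigned or invalidly signed ones, and compare file hashes against a blocklist
# you supply. Assumes admin rights; registry location is an assumption to verify.

# Constructed placeholders: replace with SHA-256 values from the advisories you trust.
$BlockedHashes = @(
    'PLACEHOLDER-SHA256-FROM-ADVISORY-1',
    'PLACEHOLDER-SHA256-FROM-ADVISORY-2'
)

function Get-DriverInventory {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be quoted, use the \??\ NT prefix, or start with \SystemRoot;
            # normalise it to a plain filesystem path before hashing.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot', $env:SystemRoot `
                                -replace '"', ''
            if (Test-Path -LiteralPath $path) {
                $sig  = Get-AuthenticodeSignature -FilePath $path
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Name      = $_.Name
                    State     = $_.State          # Running / Stopped
                    Path      = $path
                    SigStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256    = $hash
                    Blocked   = $BlockedHashes -contains $hash
                }
            }
        }
}

function Test-VulnerableDriverBlocklist {
    # Assumed location of the HVCI/WDAC vulnerable driver blocklist toggle.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.VulnerableDriverBlocklistEnable -eq 1)
}

$inventory = Get-DriverInventory
Write-Host "Vulnerable driver blocklist enabled: $(Test-VulnerableDriverBlocklist)"

# Anything that is not validly signed, or whose hash is on the blocklist, deserves a look.
$inventory |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Blocked } |
    Format-Table Name, State, SigStatus, Signer, Blocked, Path -AutoSize
```

Two caveats when reading the output. A `Valid` status only means the signature chains to a trusted root at check time; the drivers described in this article were validly signed through the Hardware Developer Program, which is exactly why the hash comparison is needed alongside the signature check. Conversely, many inbox drivers are catalog-signed rather than embedded-signed, so on builds where catalog lookup is not performed they can show as `NotSigned` without being malicious; treat that column as a triage hint and confirm with the blocklist status and the file hash.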
Kaseya is an IT management platform used by managed service providers (MSPs) to monitor and maintain their clients’ endpoints. These systems typically consist of a server, network interfaces, and other hardware. With Kaseya’s software, MSPs can remotely control their clients’ IT infrastructure via a remote management agent.
The software’s primary function is to automate processes such as updating software and managing assets. To accomplish this, it creates scripts that run on servers and network devices. Furthermore, the system detects and disables malicious devices on the network, in addition to identifying malicious users.
As with most technologies, it’s essential to regularly upgrade the drivers on the computers running the platform in order to keep them secure. This is especially true when using a domain-based or agentless technology like Kaseya, which manages all devices on a network without needing an intermediary device between computers and their administrators.
Kaseya, although relatively new on the market, is quickly gaining traction among MSPs and other businesses due to its high level of automation that helps IT managers reduce costs and boost efficiency.
Kaseya has seen rapid growth due to its superior level of security. Unlike domain-based technologies, its agents are lightweight and don’t rely on port mapping schemes or other extra resources like domain-based programs do. This enables it to be deployed even in locations where other platforms would struggle with managing a network with just one connection.
Kaseya has many advantages, yet it is vulnerable to ransomware attacks. In the past, hackers have used a zero-day vulnerability in the platform to target Kaseya customers; this time around they used the CVE-2021-30116 flaw to infect victims and pressure them into paying the ransomware operators.