
According to Sophos, malware has been discovered in several drivers that carry authentic digital signatures.

Researchers at Sophos, a British security software and hardware firm, published a report titled ‘Signed Driver Malware Moves up the Software Trust Chain.’ The investigation began with an attempted cyberattack.

The attackers had deployed a malicious driver that was authentically signed with a Microsoft Windows Hardware Compatibility Publisher digital certificate.

Researchers attribute the driver to malware linked to threat actors associated with the Cuba ransomware group, a highly active operation that has successfully attacked over 100 companies worldwide over the previous year. The malicious driver is built primarily to target the processes of Endpoint Detection and Response (EDR) software.

Following the investigation, Sophos and Microsoft worked closely together to address the problem, and the report stresses that Sophos Rapid Response successfully halted the attack.

Drivers have extremely privileged access to systems. A kernel-mode driver can, among other things, terminate security software.

Windows requires a driver to carry a cryptographic signature before it will load it. That requirement does not make every signed driver trustworthy: a valid signature proves only that someone holding the signing certificate signed the file, not that the file is benign. Sophos suggests restricting which drivers can be loaded to protect PCs from this attack vector.

Some code-signing certificates have been stolen and leaked online, where they were later used to sign malware; others have been purchased legitimately by dubious makers of potentially unwanted applications (PUA) and used to sign their software.
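The two preceding paragraphs describe the gap between "signed" and "trustworthy" and recommend restricting which drivers may load. The script below is an added audit example written for this page; it is not code from the Sophos report or from Microsoft. It enumerates the kernel drivers currently running, verifies each file's Authenticode or catalog signature, compares the signer against a local allowlist and a thumbprint denylist, records a SHA-256 hash of anything signed by the Microsoft Windows Hardware Compatibility Publisher certificate (the exact signer the report describes), and finally reports whether HVCI and Microsoft's vulnerable driver blocklist are active on the host. The subject patterns in $TrustedSubjects and the all-zero thumbprint in $DeniedThumbprints are placeholders for illustration, not values taken from the report.

```powershell
# Added example: audit running kernel drivers by signer (not from the Sophos report).
# Runs on Windows PowerShell 5.1 or PowerShell 7; standard user rights are enough to read.

# Assumed allowlist of signer subjects (wildcards). Adjust to your environment.
$TrustedSubjects = @(
    'CN=Microsoft Windows*',                                  # inbox drivers, usually catalog-signed
    'CN=Microsoft Windows Hardware Compatibility Publisher*'  # WHCP-signed third-party drivers
)

# Assumed denylist: thumbprints of signing certificates you no longer trust
# (for example a leaked or revoked certificate). Placeholder value, not a real thumbprint.
$DeniedThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\System32\drivers\x.sys
    #   \SystemRoot\System32\drivers\x.sys
    #   System32\drivers\x.sys
    #   C:\Windows\System32\drivers\x.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-DriverSigner {
    param([string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    $isWhcp  = $subject -like 'CN=Microsoft Windows Hardware Compatibility Publisher*'

    $verdict = 'OK'
    if ($sig.Status -ne 'Valid') {
        $verdict = "SIGNATURE_$($sig.Status)"          # NotSigned, HashMismatch, NotTrusted, ...
    } elseif ($DeniedThumbprints -contains $thumb) {
        $verdict = 'DENIED_CERT'
    } elseif (-not ($TrustedSubjects | Where-Object { $subject -like $_ })) {
        $verdict = 'UNTRUSTED_SIGNER'
    } elseif ($isWhcp) {
        # A valid WHCP signature is exactly what the malicious drivers in the report
        # carried, so a publisher match alone is not a clean bill of health: keep the
        # file hash so it can be compared with an inventory or a hash-based deny rule.
        $verdict = 'REVIEW_WHCP_SIGNED'
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType              # Authenticode (embedded) or Catalog
        Signer        = $subject
        Thumbprint    = $thumb
        Sha256        = if ($isWhcp) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { '' }
        Verdict       = $verdict
    }
}

$results = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (Test-Path -LiteralPath $path) { Test-DriverSigner -Path $path }
    }

# Anything that is not a plain 'OK' deserves a look.
$results | Where-Object Verdict -ne 'OK' | Format-Table -AutoSize Verdict, Signer, Path

# Platform controls that actually constrain which drivers can load (reported, not changed):
# HVCI (memory integrity) and Microsoft's vulnerable driver blocklist.
$dg        = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvci      = $dg.SecurityServicesRunning -contains 2    # 2 = hypervisor-enforced code integrity
$blocklist = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"HVCI running: $hvci; vulnerable driver blocklist enabled: $($blocklist -eq 1)"
```

Two caveats for anyone running this. First, Get-AuthenticodeSignature reports chain validity as the local WinVerifyTrust sees it; whether a revoked certificate (such as the leaked NVIDIA one mentioned below) is caught depends on the host's revocation settings and on CRL or OCSP data being reachable, which is why the script also carries an explicit thumbprint denylist. Second, the audit only observes. Actually restricting what loads means a code-integrity policy (WDAC or HVCI with the vulnerable driver blocklist), and because the malicious drivers in the report carried a genuine Microsoft WHCP signature, a publisher-level rule alone would have admitted them; the recorded SHA-256 hashes are there so that file-hash deny rules can be built for known-bad drivers.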

According to Christopher Budd, Senior Manager, Sophos:

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing, and they’re persistent. We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July.

“The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate.

“Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please.”

“The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack.”
