![]() The policy ensures that all kernel-mode drivers need to be signed in order to be loaded. ![]() ![]() In recent attacks, some threat actors have turned to the use of Windows drivers to disable security products.īecause drivers pose a uniquely challenging risk to security, Windows enables Driver Signature Enforcement by default. In most ransomware incidents, attackers kill the target’s security software in an essential precursor step before deploying the ransomware itself. Kernel attacks can disable many security products Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers. The research by SophosLabs indicates that the threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers. Another closely related driver, used in still-earlier attacks, had been digitally signed using certificates from one or more Chinese companies with more dubious reputations. In that case, the driver was digitally signed using a stolen NVIDIA digital certificate (one of the files leaked by threat actors known as Lapsus$). The driver recovered in this attack bears a close resemblance to one used in a previously documented attack. Recent versions of the operating system require that drivers must carry a legitimate cryptographic signature in order to load properly. Two examples of BYOVD attacks include the Robinhood ransomware in 2020 and most recently the BlackByte ransomware. ![]() Some of the previous attacks have employed a “bring your own vulnerable driver” (BYOVD) approach, in which the attackers leverage a Windows driver from a legitimate software publisher that contains security vulnerabilities. The use of device drivers as a way to sabotage or terminate security tools has been on the rise in 2022. Sophos privately reported the existence of all the signed drivers in this research to Microsoft who have published an advisory as part of today’s Patch Tuesday release. Prior research by other companies indicate that threat actors who used this tool in prior attacks later attempted to deploy ransomware that calls itself Cuba. In our post-attack analysis, SophosLabs determined that the pair of executable files - a cryptographically signed Windows driver (signed with a legitimate signing certificate) and an executable “loader” application designed to install the driver - were used in tandem in a failed attempt to disable endpoint security tools on the targeted machines.įurther analysis of the loader application provided strong evidence it was a variant of a malware that Mandiant named BURNTCIGAR. However, techniques used and files left behind offer an intriguing clue about the group behind the attack. The two files work together to terminate processes or services used by a variety of endpoint security product vendors.īecause the RR team kicked the attackers off the systems, preventing further damage, it isn’t possible to know for certain which ransomware the attackers intended to deploy. While investigating suspicious activity on a customer network, Sophos X-Ops Rapid Response (RR) discovered a pair of files left behind on some compromised machines.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |