Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware

Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself “Cuba.” The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad. New research released today indicates that Cuba has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.

Cuba used these cryptographically signed “drivers” after compromising a target’s systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from the security firm Sophos. Researchers from Palo Alto Networks Unit 42 previously observed Cuba signing a privileged piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it has also seen the group use the strategy with compromised certificates from at least one other Chinese tech company, which security firm Mandiant identified as Zhuhai Liancheng Technology Co. 

“Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature … The signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”

Sophos notified Microsoft about the activity on October 19 along with Mandiant and security firm SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows related to the situation. The company adds that it hasn’t identified any compromise of its systems beyond the partner account abuse.

Microsoft declined WIRED’s request to comment beyond the advisory.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent,” says Christopher Budd, director of threat research at Sophos. “We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question.”

Cryptographic software signing is an important validation mechanism meant to ensure that software has been vetted and anointed by a trusted party or “certificate authority.” Attackers are always looking for weaknesses in this infrastructure, though, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their malware. 

“Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proven a lucrative niche in the underground economy.”

Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device makers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.

“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos’ Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”

With so many compromised certificates flying around, it seems that many attackers have already gotten the memo about shifting toward this strategy.