Microsoft and US authorities recently released notices about a ransomware gang using legitimately issued Microsoft certificates to sign its malware. The trick grants malicious software privileged access to Windows, making it harder to fight. A valid code signature that chains to a root Windows trusts tells the operating system that the publisher has been vouched for, and for kernel drivers Windows requires a signature from Microsoft itself, so a Microsoft-signed driver loads and runs with kernel privileges essentially unimpeded. Forging signatures, stealing signing certificates, or fraudulently obtaining genuine ones has long been a common attacker tactic. The ransomware gang called Cuba (no connection to the Republic of Cuba) uses a dropper that writes a kernel driver that disables security software such as antivirus and endpoint detection agents by terminating their processes. One variant of the driver was signed with a certificate leaked in the Lapsus$ group's attack on Nvidia earlier this year. Lapsus$ breached Nvidia in February. While the intrusion didn't significantly affect Nvidia's operations, the hackers leaked much of the company's data, including source code and two of Nvidia's own code-signing certificates, which had expired but could still be used to sign drivers that Windows would load. Police in the UK later arrested two London teenagers in connection with Lapsus$.
This October, three security companies (SentinelOne, Mandiant, and Sophos) informed Microsoft that a malicious actor had compromised several Microsoft Partner Center developer accounts and used them to submit malicious drivers to the Windows Hardware Developer Program, where they received a genuine Microsoft signature. The company's analysis suggests the drivers were used to deliver malware. Microsoft subsequently suspended the accounts, released Windows Security updates that revoke the certificates for the affected files, and added detections to Microsoft Defender versions 1.377.987.0 and newer. Windows users should keep their antivirus software up-to-date to counter this and other threats, including the vulnerabilities this week's Patch Tuesday addressed. Meanwhile, earlier this month the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about Cuba's activity. Over the last year the group has doubled its count of successful attacks and increased its income from ransoms. Investigations indicate that in addition to its own ransomware, Cuba also uses Industrial Spy ransomware and the RomCom Remote Access Trojan (RAT). This isn't the only recent case where attackers used compromised certificates to sign malware. A similar incident emerged in November involving leaked Android platform signing certificates belonging to several device makers. Google reported the issue to the affected vendors, who rotated the compromised keys, much as Microsoft revoked its certificates.
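The check a defender would want after both stories above, the Nvidia-certificate driver and the Partner Center-signed one, is an inventory of which kernel drivers are present on a host, who signed them, and whether their file hashes or signer certificates match published indicators. The PowerShell script below is an added example for this article, not code from Microsoft, Sophos, CISA or any other party named here; the two indicator arrays are placeholders that must be replaced with hashes and certificate thumbprints taken from a vendor advisory.

```powershell
# Added example, not from the article or any vendor: inventory kernel drivers,
# record signer and SHA-256, and flag matches against indicator lists.
# Both arrays hold placeholder (hypothetical) values; fill them from an advisory.
$KnownBadSha256    = @('0000000000000000000000000000000000000000000000000000000000000000')
$CompromisedThumbs = @('0000000000000000000000000000000000000000')

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes: quoted, \??\C:\...,
    # \SystemRoot\System32\..., or bare System32\drivers\x.sys. Normalise them.
    param([string]$PathName)
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    param(
        [string[]]$BadHashes      = $KnownBadSha256,
        [string[]]$BadThumbprints = $CompromisedThumbs
    )
    # Win32_SystemDriver lists every kernel-mode driver service, running or stopped.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        $path = Resolve-DriverPath $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $cert = $sig.SignerCertificate

        $flags = @()
        # A driver signed through the Windows Hardware Compatibility Program reports
        # Valid here just like a legitimate one, so a bad status is only extra signal.
        if ($sig.Status -ne 'Valid') { $flags += "status=$($sig.Status)" }
        if ($hash -in $BadHashes) { $flags += 'known-bad-hash' }
        if ($cert -and ($cert.Thumbprint -in $BadThumbprints)) { $flags += 'compromised-cert' }

        [pscustomobject]@{
            Driver = $drv.Name
            State  = $drv.State
            Path   = $path
            Status = $sig.Status
            Signer = if ($cert) { $cert.Subject } else { $null }
            Sha256 = $hash
            Flags  = ($flags -join ',')
        }
    }
}

# Show only drivers that tripped a flag; drop the Where-Object to see the full inventory.
Get-DriverSignatureReport | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Signature status alone is not a useful filter for this class of abuse: a driver that went through Microsoft's hardware program carries a valid signature from "Microsoft Windows Hardware Compatibility Publisher", and the leaked Nvidia certificate was a genuine Nvidia certificate, so both look like ordinary drivers to Get-AuthenticodeSignature. The hash and thumbprint comparisons carry the detection; the Signer column is there so an analyst can spot a publisher that has no business on the machine. Treat the output as triage and confirm any hit against the hashes the vendors published rather than relying on this script's view of trust.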