Two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat posed by a gang that calls itself Cuba. Researchers think the group, based in Russia, has been on a rampage over the past year targeting businesses and institutions in the US and abroad. According to new research, Cuba has been using pieces of malicious software in its attacks that carry Microsoft's own signature of approval.

Cuba compromised a target's systems and then used the software as part of efforts to disable security scanning tools and change settings. The activity was supposed to go under the radar, but it turned out to be a red flag. According to researchers from Palo Alto Networks Unit 42, Cuba signed a privileged piece of software with a certificate that was leaked earlier this year by the Lapsus$ hacking group. The group used the same strategy with compromised certificates from at least one other Chinese tech company.

Microsoft said in a security advisory that drivers certified by the company were being used in post-exploitation activity. Several developer accounts for the Microsoft Partner Center had submitted malicious drivers to obtain a Microsoft signature.

Microsoft was notified of the activity by Mandiant and other security firms. Microsoft released Windows security updates related to the situation and suspended the Partner Center accounts that were being abused. The company has not found a compromise of its systems beyond the partner account abuse.

Microsoft wouldn't comment beyond the advisory.

Christopher Budd, director of threat research at Sophos, notes that a total of 10 malicious drivers have been discovered and that the drivers started moving up the trust chain in July. It is difficult to create a malicious driver from scratch, and once a signed driver is loaded it can carry out any operation without being questioned.

Ensuring that software has been verified and anointed by a trusted party is one of the main reasons cryptographic software signing exists. Attackers constantly look for weaknesses in this infrastructure, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their software.
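As an added, defender-side illustration (not code from the article or from any of the firms it mentions), the PowerShell script below inventories the kernel driver files on a Windows host and reports each one's Authenticode signature status and signer. It assumes PowerShell 5.1 or later, read access to the system drivers folder, and that the `$KnownSigners` allow-list (the two Microsoft publisher names are assumed values that an operator would confirm against their own baseline) reflects the publishers the environment expects.

```powershell
# Added example, not part of the original article.
# Enumerates *.sys files under the drivers folder, checks their Authenticode
# signatures with Get-AuthenticodeSignature, and lists any driver whose
# signature is invalid, missing, or from a publisher not on the allow-list.
param(
    [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers'),
    # Assumed allow-list of signer subject prefixes; adjust to your own baseline.
    [string[]]$KnownSigners = @(
        'CN=Microsoft Windows',
        'CN=Microsoft Windows Hardware Compatibility Publisher'
    )
)

$results = Get-ChildItem -Path $DriverPath -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Unsigned files have no SignerCertificate object at all.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        $tsa     = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }

        # A signer is "known" when its subject starts with an allow-listed prefix.
        $known = $false
        foreach ($prefix in $KnownSigners) {
            if ($subject -like "$prefix*") { $known = $true; break }
        }

        [pscustomobject]@{
            Driver      = $_.Name
            Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = $subject
            Thumbprint  = $thumb
            Timestamper = $tsa
            KnownSigner = $known
        }
    }

# Anything that is not a valid signature from an expected publisher goes to review.
$review = $results | Where-Object { $_.Status -ne 'Valid' -or -not $_.KnownSigner }

"{0} driver files inspected, {1} flagged for review" -f $results.Count, $review.Count
$review | Sort-Object Status, Signer | Format-Table Driver, Status, Signer, Thumbprint -AutoSize

# Signer summary helps spot a publisher that appears only once or twice.
$results | Group-Object Signer | Sort-Object Count | Format-Table Count, Name -AutoSize
```

The caveat that matters for the incident described above: a driver signed through an abused Partner Center account carries a genuine Microsoft signature, so it passes the `Status -eq 'Valid'` check and matches the allow-list. This script surfaces unsigned, tampered, and unexpectedly signed drivers, but catching fraudulently obtained valid signatures still requires comparing file hashes and signer thumbprints against the indicators that Microsoft and the researchers publish, and applying the Windows security updates the advisory refers to.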

Mandiant has observed scenarios in which it suspects that groups use a criminal service for code signing. The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proved a lucrative niche in the underground economy.

A number of compromised platform certificates were used to sign malicious apps distributed through third-party channels. Some of the compromised certificates may have been used to sign components of the remote access tool. North Korean state-backed hackers are believed to be behind the activity associated with the Manuscrypt family.

Endpoint detection and response products from many, if not most, major vendors have been targeted by attackers in the past year. The security community needs to be aware of this threat so that it can protect itself, since other attackers may try to mimic this type of attack.

With so many compromised certificates in circulation, many attackers have already gotten the memo about shifting to this strategy.