According to Sophos, malware has been discovered in several drivers that carry valid digital signatures.
Researchers at Sophos, a British security software and hardware firm, published a report titled ‘Signed Driver Malware Moves up the Software Trust Chain.’ The investigation began with an attempted cyberattack.
The attackers had deployed a malicious driver signed with a legitimate Microsoft Windows Hardware Compatibility Publisher certificate.
The researchers attribute the driver to threat actors connected to the Cuba ransomware group, a highly active operation that has successfully attacked over 100 organisations worldwide in the past year. The driver is built primarily to terminate the processes of Endpoint Detection and Response (EDR) software.
Following the investigation, Sophos worked closely with Microsoft to address the problem; the report notes that Sophos Rapid Response stopped the attack.
Drivers have extremely privileged access to a system. Kernel-mode drivers can, among other things, terminate security software.
Windows requires a driver to carry a valid cryptographic signature before it can be loaded, but a signature only proves who signed the code, not that the code is safe: not every certificate used to sign drivers can be trusted. Sophos recommends restricting which drivers are allowed to load in order to protect PCs from this attack vector.
Some code-signing certificates have been stolen and leaked online, then used to sign malware; others were bought legitimately by dubious makers of potentially unwanted applications (PUA) and used to sign their software.
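One practical way to act on that recommendation is to inventory every kernel driver registered on a host and flag the ones whose signature is invalid, whose signer is not one you expect, or whose hash matches published indicators. The script below is an added example written for this article; it is not code from the Sophos report or from Microsoft. The allow-list of signer subjects, the empty known-bad hash list and the registry value used to turn on Microsoft's vulnerable driver blocklist are assumptions you should check against your own environment and Windows build.

```powershell
# Added example, not from the Sophos report or Microsoft: audit the kernel drivers
# registered on this host and flag anything whose Authenticode signature is not
# valid, whose signer is not on an allow-list, or whose SHA-256 matches a list of
# known-bad hashes. Run from an elevated PowerShell session.

# Assumption: signer subject prefixes accepted without review. Tailor to your vendors.
$TrustedSubjectPrefixes = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

# Assumption: SHA-256 hashes of drivers already known to be malicious, e.g. loaded
# from a vendor's published indicators. Left empty here; no hashes are invented.
$KnownBadHashes = @()

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several NT/relative forms; normalise to a
    # Win32 path that Get-AuthenticodeSignature and Get-FileHash can open.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                       # bare "system32\drivers\x.sys"
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv  = $_
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = [bool]($TrustedSubjectPrefixes | Where-Object { $subject.StartsWith($_) })

        # Order matters: a known-bad hash wins even when the signature is valid, because
        # the drivers described in the report were validly signed.
        $flag = if ($KnownBadHashes -contains $hash) { 'KNOWN-BAD-HASH' }
                elseif ($sig.Status -ne 'Valid')     { "SIGNATURE-$($sig.Status)" }
                elseif (-not $trusted)               { 'REVIEW-SIGNER' }
                else                                 { '' }

        [pscustomobject]@{
            Name   = $drv.Name
            State  = $drv.State
            Path   = $path
            Status = $sig.Status
            Signer = $subject
            SHA256 = $hash
            Flag   = $flag
        }
    }
}

# Assumption: Windows 10/11 builds that ship Microsoft's vulnerable driver blocklist
# read this documented registry value. Not called automatically; run it deliberately.
function Enable-VulnerableDriverBlocklist {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -Value 1 -Type DWord
}

# Print only the drivers that need attention, worst first.
Get-DriverSignatureReport |
    Where-Object { $_.Flag } |
    Sort-Object Flag, Name |
    Format-Table Name, State, Status, Flag, Signer -AutoSize
```

Two caveats when reading the output. First, a Status of Valid is not a verdict on the driver: the drivers in the Sophos report carried a valid Microsoft Windows Hardware Compatibility Publisher signature, so the allow-list alone would not have flagged them; the hash list, Microsoft's driver blocklist and a WDAC policy that names the drivers you actually need are what turn the recommendation into enforcement. Second, Get-AuthenticodeSignature reports the local trust decision for the file as it is on disk, so a driver signed with a certificate that was revoked later may still show as Valid on a host that has not refreshed its revocation data; treat the Signer column as a lead, not a conclusion.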
According to Christopher Budd, Senior Manager, Sophos:
“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing, and they’re persistent. We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, with the oldest driver dating back to at least July.
“The oldest ones we’ve found to date were signed by certificates from unknown Chinese companies; they then moved on and managed to sign the driver with a valid, leaked, revoked NVIDIA certificate.
“Now, they’re using a certificate from Microsoft, which is one of the most trusted authorities in the Windows ecosystem. If you think about it like company security, the attackers have essentially received valid company IDs to enter the building without question and do whatever they please.”
“The security community needs to be aware of this threat so that they can implement additional security measures, such as eyes on glass, where necessary; what’s more, we may see other attackers attempt to emulate this type of attack.”