Hardware drivers approved by Microsoft used in ransomware attacks


Researchers at Sophos have determined that vulnerabilities in Microsoft-approved hardware drivers have been exploited in ransomware attacks by a group known as Cuba.

A few files have been found on compromised machines that, according to Sophos, “work together to terminate processes or services used by different vendors of endpoint security products.”

The company claims to have “kicked the attackers off the systems” before things escalated, and can’t be sure what kind of attacks (if any) occurred, although there is evidence of a variant of malware known as “BURNTCIGAR”.

Ransomware with Microsoft drivers

Sophos reported its findings to Microsoft, which later issued an advisory as part of its monthly Patch Tuesday release.

The tech giant said it had completed an investigation that found “the activity was limited to the misuse of various developer program accounts and no compromise has been identified.”

Microsoft has also suspended the partners’ merchant accounts in an effort to protect users in the meantime.

A security update has been released that revokes the certificate for the affected files, and detections that block those drivers are now built into the operating system (when using Microsoft Defender 1.377.987.0 or newer).

As always, the company urges its customers to install updates whenever possible, including for the operating system and for installed anti-virus and endpoint protection software. Attacking the target’s security software is usually the precursor to more impactful moves, such as deploying ransomware.
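The two checks the advice above implies, as an added example that is not part of the article or of the Sophos or Microsoft advisories: confirm that the local Microsoft Defender signature version meets the 1.377.987.0 threshold the article cites, and list installed kernel drivers whose Authenticode signature no longer validates, which is how a driver signed with a since-revoked certificate shows up. The cmdlets used (Get-MpComputerStatus, Update-MpSignature, Get-AuthenticodeSignature) are standard Windows PowerShell cmdlets; the drivers directory path is an assumption about a default Windows install.

```powershell
# Added example (not from the article or the vendors' advisories).
# Assumes a Windows host with the Defender PowerShell module available.
$RequiredSigVersion = [version]'1.377.987.0'                 # threshold quoted in the article
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'    # assumed default driver location

# 1. Is the Defender signature package recent enough to carry the blocking detections?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -ge $RequiredSigVersion) {
    Write-Host "Defender signatures $current meet the $RequiredSigVersion threshold"
} else {
    Write-Warning "Defender signatures $current are older than $RequiredSigVersion; run Update-MpSignature"
}

# 2. Which kernel drivers no longer carry a Valid signature?
#    A driver signed with a revoked certificate, or with no signature at all,
#    is reported with a Status other than 'Valid' and is a lead worth investigating.
Get-ChildItem -Path $DriverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver        = $_.Name
            Status        = $sig.Status
            StatusMessage = $sig.StatusMessage
            Signer        = $sig.SignerCertificate.Subject
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Driver |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every file in the drivers directory is readable. A non-Valid status is a starting point for triage rather than a verdict: check the signer subject and status message, and correlate with Defender's detection history before concluding that a driver is one of the files the advisory covers.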

More generally, Sophos has noticed a trend where threat actors are “climbing up the trust pyramid and increasingly seeking to use trusted cryptographic keys to digitally sign their drivers”.
