Researchers from Sophos discovered that vulnerabilities in Microsoft-approved hardware drivers were exploited in ransomware attacks by a group called Cuba.
A pair of files were found on the compromised machines that, according to Sophos, “cooperate to terminate processes or services used by various vendors of endpoint security products.”
Claiming to have “kicked the attackers off their systems” before the situation escalated, the company cannot be sure what type of attacks (if any) may have occurred, although some evidence points to a variant of the malware known as “BURNTCIGAR”.
Ransomware with Microsoft drivers
Sophos informed Microsoft of its findings, and Microsoft later published an advisory as part of its monthly Patch Tuesday release.
The tech giant's investigation, which it had promised to complete, concluded that “activity was limited to the abuse of a few developer program accounts and that no compromise had been identified.”
Microsoft has also suspended partner reseller accounts in an effort to protect users in the meantime.
A security update has been released that revokes the certificate for the affected files, and detection of those files is now built into the operating system (when using Microsoft Defender 1.377.987.0 or later).
As always, the company urges its customers to install updates wherever applicable, including to the operating system and installed antivirus and endpoint protection software. Attacking a target’s security software is usually a prelude to more impactful steps, such as deploying ransomware.
More generally, Sophos noted the trend that cybercriminals are “moving up the pyramid of trust, trying to use increasingly trusted cryptographic keys to digitally sign their drivers.”