Ransomware group abused Microsoft certificates to sign malware

A joint advisory from the US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI warned of a ransomware threat from a Russian gang called “Cuba”. New research shows that the group has been using malicious code that carried a legitimate Microsoft signature. Cuba used these cryptographically signed “drivers” to compromise targets’ systems and disable security scanning tools. The activity was flagged by security firm Sophos. Researchers from Palo Alto Networks Unit 42 had previously observed Cuba signing a piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. Sophos also says it has seen the group use the same strategy with compromised certificates from a Chinese tech company. Microsoft has suspended the relevant Partner Center accounts and revoked the rogue certificates.

Cryptographic software signing is a validation mechanism intended to assure users that a piece of software has been vetted by a trusted party, or “certificate authority”. Attackers, however, are constantly looking for ways to compromise certificates or undermine the signing process so that their malware appears legitimate, and this has proven to be a lucrative niche in the underground economy. Earlier this month, Google published findings that compromised “platform certificates” managed by Android device makers, including Samsung and LG, had been used to sign malicious Android apps distributed through third-party channels. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges. With so many compromised certificates in circulation, it appears that many attackers have already adopted this strategy.