Cuba Ransomware: What is it?

Security is, at its core, a question of trust. Do you trust the vendors providing your company with products and services? Every company should be continually evaluating and reevaluating that question as part of maintaining its security posture.

Microsoft is the latest example of a company whose trust in outside entities was abused, through no major fault of its own. As early as August 2022, a small set of accounts within Microsoft’s Hardware Developer platform began using their trusted signing authority to sign drivers containing malicious code. The payload of these drivers disables endpoint security tools. With endpoint security disabled, malware payloads can propagate freely across an enterprise network, staging and then executing a set of commands that encrypt the contents of end user devices. The malware’s operator then sends a trigger sequence that activates the encryption, locks the end user out of their data, and presents them with a ransom demand. This ransomware has been named Cuba, after the cyber-crime organization (not related to the nation of Cuba) responsible for its dissemination.

Malicious drivers are traditionally classified as Trojan horse attacks. An end user experiences a problem with their computer. To solve it, they search the internet for an answer and click a link offering a download that promises to fix the malfunctioning driver behind the original problem. Once installed, that driver executes code providing unapproved access to the device.

But the Cuba Ransomware is more sophisticated. Rather than relying on an end user going outside the traditional support channels for help, Cuba relies on a supply chain breach: it delivers its payload through the reasonably assumed trust that most companies extend to one of the world’s largest software vendors, Microsoft. The group was able to do this by using signing certificates stolen in the Lapsus$ group’s targeted attack on Nvidia back in February. These leaked signing certificates were never removed from Microsoft’s Hardware Developer Program and were therefore available for Cuba to use in its supply chain attack.

The full Cybersecurity Advisory on Cuba Ransomware released by CISA is available from CISA’s website.

Why You Should Care 

In the context of the Cuba ransomware event, your company can do everything correctly and still be a victim simply by installing recommended drivers from Microsoft (which is a perfectly reasonable thing to do). This is why supply chain attacks are so powerful.

As of the writing of this article, Microsoft has removed the fraudulently signed drivers and the accounts within its Hardware Developer Program that were responsible for signing them. If no one in your organization has performed any kernel driver updates within the last few months, then this attack may not be relevant to your organization. That said, the number of companies that can definitively say they have not performed kernel driver updates within the last 6 months is vanishingly small. Again, this is the power of supply chain attacks. That being the case, it is safe to assume there is a non-trivial chance that the Cuba Ransomware driver compromise is embedded somewhere in your environment.

To its credit, Microsoft has added the affected kernel driver versions to its driver blocklist, which helps ensure that these malicious drivers don’t end up on your devices in the future, and existing versions are now being removed as part of standard OS patching. But for those environments still affected, the Cuba Ransomware group has a potentially viable link into your environment which it can use to inflict severe damage on your company.

And Cuba has been busy.  

According to the United States Cybersecurity and Infrastructure Security Agency (CISA), the Cuba Ransomware group has successfully disrupted operations at 101 organizations since August 2022, 65 of which are within the United States. From these 101 organizations, the Cuba Ransomware group has extracted $60,000,000 in extortion payments.

How Syxsense can Help 

Syxsense can help keep your organization safe from this supply chain attack in two distinct ways. First, our vulnerability scanning tool can alert your team to possible existing Cuba-related breaches using a process called indicator of compromise (IoC) detection. IoC detections are small scripts that analyze configuration files, device driver versions, and other aspects of a device’s operating system to see whether the OS matches a known state associated with the supply chain attack. Using these IoCs, your organization can determine whether the Cuba ransomware attack is a relevant concern.
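As an added illustration of what such an IoC detection script does (this is not Syxsense’s own tooling), the following PowerShell sweeps the installed kernel drivers, hashes each one, inspects its Authenticode signer, and flags anything matching a list of known-bad hashes or compromised signing certificates; the `$KnownBadHashes` and `$RevokedThumbprints` values are placeholders to be filled from the CISA advisory and Microsoft’s guidance, and the blocklist registry check assumes a Windows 11 22H2 or later host.

```powershell
# Added example, not Syxsense's product code. PLACEHOLDER values below must be
# replaced with the hashes / certificate thumbprints published in the CISA advisory.
$KnownBadHashes     = @('PLACEHOLDER_SHA256_FROM_ADVISORY')
$RevokedThumbprints = @('PLACEHOLDER_CERT_THUMBPRINT')

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$findings = foreach ($drv in Get-ChildItem -Path $driverDir -Filter *.sys -ErrorAction SilentlyContinue) {
    $hash  = (Get-FileHash -Path $drv.FullName -Algorithm SHA256).Hash
    $sig   = Get-AuthenticodeSignature -FilePath $drv.FullName
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

    # Collect every reason this driver deserves analyst attention.
    $reasons = @()
    if ($KnownBadHashes -contains $hash)      { $reasons += 'SHA256 matches IoC list' }
    if ($RevokedThumbprints -contains $thumb) { $reasons += 'signed with listed certificate' }
    if ($sig.Status -ne 'Valid')              { $reasons += "signature status: $($sig.Status)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver  = $drv.Name
            SHA256  = $hash
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Reasons = ($reasons -join '; ')
        }
    }
}

# Also confirm the Microsoft Vulnerable Driver Blocklist is enforced on this host
# (assumed registry location; value is 1 when the blocklist is enabled).
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -ne 1) {
    Write-Warning 'Microsoft Vulnerable Driver Blocklist is not enabled on this host.'
}

$findings | Format-Table -AutoSize
```

Catalog-signed inbox drivers can report a non-Valid status on some builds, so treat the signature-status reason as a triage hint rather than a confirmed hit; the hash and thumbprint matches are the actual IoC checks.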

Additionally, Syxsense can facilitate the standard deployment of Microsoft patches, ensuring that the latest set of Patch Tuesday updates is applied universally across your environment.

Between these two mechanisms, your organization can have confidence that the Cuba ransomware is not currently present in your environment and that it won’t be present in the future.