Ransomware gang abused Microsoft certificates to sign malware

A recent report from security researchers has revealed that a ransomware gang has been abusing Microsoft security certificates to sign its malware and evade detection. The gang, known as Conti, is one of the most active and prolific ransomware groups in the world, responsible for hundreds of attacks on organizations across various sectors.

According to the report, Conti has been using a technique called "certificate spoofing" to make its malware look like legitimate Microsoft software. Certificate spoofing is a method of manipulating the digital signature of a file to make it appear as if it was signed by a trusted authority. In this case, Conti was able to spoof the certificate for Microsoft Windows Defender, the antivirus software built into Windows.

By doing so, Conti was able to bypass the security controls of Windows Defender and other antivirus products that rely on certificate validation. This allowed them to execute their ransomware payload without being detected or blocked by the system. The report also found that Conti was using a custom wrapper to obfuscate its malware code and avoid static analysis.

Researchers warned that certificate spoofing is a serious threat that can undermine the trust and security of digital certificates. They advised organizations to implement multiple layers of defense, such as behavioral analytics, network monitoring, and endpoint detection and response, to protect themselves from ransomware attacks. They also recommended that Microsoft revoke the forged certificates and update its signature verification process to prevent future abuse.

A new report reveals how a ransomware group known as "Cuba" has been using Microsoft-signed malware to launch cyberattacks on several organizations in the US and other countries. The group, suspected to operate from Russia, has been active since at least 2020 and has targeted sectors such as healthcare, education and manufacturing. According to the report, Cuba has been using malware signed with valid Microsoft certificates, meaning the malicious software can bypass some security controls and appear more trustworthy to potential victims. The report also provides technical details on how the malware works and how it encrypts data on infected systems, demanding a ransom for its recovery. The report warns that Cuba is likely to continue its malicious activities and advises organizations to take preventive measures to protect their networks and data from ransomware attacks.

Code signing is a crucial process that verifies the authenticity and integrity of software. It involves using a cryptographic certificate issued by a trusted authority to digitally sign the software. This way, users can be sure that the software they download or install comes from a legitimate source and has not been tampered with.
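The two properties described above, integrity (the file has not been tampered with) and authenticity (it comes from the holder of a specific key), can be seen directly on Windows with the Authenticode tooling built into PowerShell. The walkthrough below is an added example and is not code from the report or from any vendor; it uses a throwaway self-signed certificate, and the subject name and temporary file path are arbitrary choices. It also shows the caveat the article's story hinges on: a signature that verifies is only worth as much as the certificate chain behind it.

```powershell
# Added example (not from the article): code signing and verification on Windows,
# using a throwaway self-signed certificate. The CN and temp file name are arbitrary.
# Requires Windows with the PKI module (Windows PowerShell 5.1 or PowerShell 7).

# 1. Create a self-signed code-signing certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=Example Lab Code Signing (self-signed)" `
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddDays(7)

# 2. Write a small script and sign it. Set-AuthenticodeSignature appends a signature
#    block containing a signed hash of the script's contents.
$script = Join-Path $env:TEMP "signed-demo.ps1"
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'
$signResult = Set-AuthenticodeSignature -FilePath $script -Certificate $cert
"After signing:   $($signResult.Status) - $($signResult.StatusMessage)"
# Typically UnknownError here: the signature itself is mathematically sound, but the
# chain terminates in a root Windows does not trust. A valid signature is necessary,
# not sufficient; trust comes from the chain, not from the name in the certificate.

# 3. Integrity: change the script body and re-verify. The signed hash no longer
#    matches the file, so the status becomes HashMismatch.
(Get-Content -Path $script) -replace 'hello', 'HELLO' | Set-Content -Path $script
$tampered = Get-AuthenticodeSignature -FilePath $script
"After tampering: $($tampered.Status)"

# 4. Authenticity: the signature proves "signed by the key behind this certificate".
#    The Subject string is just text the issuer put there; verify the issuer and chain.
$tampered.SignerCertificate | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# 5. Remove the demo certificate and file so nothing lingers in the store.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint)
Remove-Item -Path $script
```

Run it from an ordinary PowerShell prompt; no administrator rights are needed because the certificate lives in the current user's store. The point of step 2 is worth dwelling on: tooling that only checks "is there a signature that verifies" without checking where the chain terminates, and whether that root and intermediate are ones you expect for that publisher, is exactly the control that stolen or fraudulently issued certificates defeat.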

However, code signing is not immune to attacks. Cybercriminals can exploit vulnerabilities in code signing infrastructure, such as stealing or forging certificates, compromising signing servers, or abusing legitimate services, to sign their malicious software. This can help them evade security defenses and trick users into trusting their malware.

An example of this threat is Google's recent discovery that some Android apps distributed through third-party channels were signed with compromised platform certificates. These certificates are managed by Android device manufacturers and are used to sign system components and pre-installed applications. Some of the malicious apps were found to contain parts of the Manuscrypt malware, which is linked to North Korean hackers attacking cryptocurrency platforms.

Another example is Mandiant's observation that some ransomware groups use a common criminal service for code signing. The service provides stolen or fraudulently obtained certificates or signing services to threat actors for a fee. This allows them to bypass endpoint detection and response products from various vendors.

These incidents highlight the need for increased vigilance and protection against code signing attacks. The security community must be aware of this emerging threat and implement additional security measures, such as verifying the reputation and validity of certificates, monitoring code signing activities and anomalies, and utilizing multiple layers of defense. Additionally, we may see more attackers try to copy this type of attack in the future.
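One concrete form of the measures listed above, verifying certificate validity and watching for anomalies in signed binaries, is a triage pass over files that have landed on an endpoint. The script below is an added example written for this article, not a tool from any of the vendors mentioned; the inspection path, the "watched publisher" name list and the 30-day freshness threshold are assumptions to be tuned per environment. It produces one record per file, with flags for the conditions a defender would want to review: unsigned, signature status other than Valid, a chain that does not build, a subject name that claims a well-known publisher while the chain is untrusted, a leaf certificate outside its validity window or issued very recently, a missing code-signing EKU, and the absence of a timestamp countersignature.

```powershell
# Added example (not from the report or any vendor tool): Authenticode triage over a
# directory, emitting per-file records suitable for CSV export or a SIEM.
# Path, watched publisher names and FreshCertDays are assumptions to tune locally.
param(
    [string]$Path = "C:\ProgramData\SuspectDrop",           # assumed directory to inspect
    [string[]]$WatchedPublishers = @("Microsoft", "Windows"), # names attackers like to imitate
    [int]$FreshCertDays = 30                                 # leaf certs younger than this get a flag
)

function Get-CodeSignTriage {
    param([string]$File)
    $sig   = Get-AuthenticodeSignature -FilePath $File
    $cert  = $sig.SignerCertificate
    $root  = $null
    $flags = [System.Collections.Generic.List[string]]::new()

    if ($sig.Status -eq 'NotSigned') {
        $flags.Add('unsigned')
    } else {
        if ($sig.Status -ne 'Valid') { $flags.Add("status:$($sig.Status)") }

        # Build the chain ourselves so the record shows where it terminates.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'   # consult CRL/OCSP; revoked certs matter here
        $chainOk = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $chain.Dispose()
        if (-not $chainOk) { $flags.Add('chain-build-failed') }

        # Subject text is untrusted input: a certificate can say "Microsoft" without
        # chaining to anything trustworthy. Flag the combination, not the name alone.
        foreach ($name in $WatchedPublishers) {
            if ($cert.Subject -like "*$name*" -and ($sig.Status -ne 'Valid' -or -not $chainOk)) {
                $flags.Add("claims:$name-but-untrusted")
            }
        }

        # Validity window, freshness and EKU checks on the leaf certificate.
        $now = Get-Date
        if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { $flags.Add('leaf-outside-validity') }
        if ($cert.NotBefore -gt $now.AddDays(-$FreshCertDays))  { $flags.Add('leaf-issued-recently') }
        if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')) {
            $flags.Add('no-code-signing-eku')
        }
        # Without a timestamp, a signature dies with the certificate, and a signature
        # made after the key was known-compromised cannot be told apart from an old one.
        if ($null -eq $sig.TimeStamperCertificate) { $flags.Add('no-timestamp') }
    }

    [pscustomobject]@{
        File       = $File
        Sha256     = (Get-FileHash -Path $File -Algorithm SHA256).Hash
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        ChainRoot  = if ($root) { $root.Subject } else { $null }
        Flags      = ($flags -join ';')
    }
}

$results = Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.sys,*.ps1 -File |
    ForEach-Object { Get-CodeSignTriage -File $_.FullName }

# Anything carrying a flag deserves analyst attention; keep the full set for the SIEM.
$results | Where-Object Flags | Format-Table File, Status, Signer, Flags -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'codesign-triage.csv') -NoTypeInformation
```

The `Signer` and `ChainRoot` columns are what make the report actionable: a legitimately signed binary from a given publisher should chain to the same small set of roots every time, so a record whose subject names that publisher but whose root or flags differ is the anomaly to chase, and a certificate that was valid and trusted at scan time but is later revoked will show up on the next run because revocation checking is online. Hash every flagged file before acting on it so the record can be matched against vendor indicators once a report is published.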