Researchers at Sophos have identified that vulnerabilities in Microsoft-approved hardware drivers have been exploited in ransomware attacks by a group known as Cuba.
A pair of files were found on compromised machines that Sophos says "work together to terminate processes or services used by a variety of endpoint security product vendors."
Claiming to have "kicked the attackers off the systems" before things escalated, the company can't be sure what sort of attacks (if any) may have taken place, though some evidence points at a variant of malware known as "BURNTCIGAR".
[HEADING=1]Ransomware with Microsoft drivers[/HEADING]
Sophos reported its findings to Microsoft, which later published an advisory as part of its monthly Patch Tuesday release.
The tech giant said it had completed an investigation which found that "activity was limited to the abuse of several developer program accounts and that no compromise has been identified."
Microsoft has also suspended the partners' seller accounts in an effort to protect users in the meantime.
A security update has been released that will revoke the certificate for impacted files, and blocking detections now forms part of the OS (when using Microsoft Defender 1.377.987.0 or newer).
As ever, the company is urging its customers to install updates wherever applicable, including to the operating system and to installed antivirus and endpoint protection software. Attacking the target's security software is usually the precursor to more impactful steps, like deploying ransomware.
More generally, Sophos has noticed a trend that sees threat actors "moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers."
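As an added example (not from the article, Sophos or Microsoft), the following PowerShell script checks the two things a defender would want to confirm after this advisory: that Defender's security intelligence is at or above the 1.377.987.0 version the article cites, and which kernel drivers currently running on the host no longer carry a signature that verifies as Valid. It assumes an elevated session on Windows with the Defender module present, and that a revoked signing certificate causes Get-AuthenticodeSignature to report a status other than Valid.

```powershell
# Added example: post-advisory checks for the driver abuse described above.
# Assumes an elevated PowerShell session on Windows with the Defender module.

# Version quoted in the article as carrying the blocking detections.
$RequiredSigVersion = [version]'1.377.987.0'

function Test-DefenderSignatureVersion {
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current  = $current
        Required = $RequiredSigVersion
        UpToDate = ($current -ge $RequiredSigVersion)
    }
}

function Get-RunningDriverSignatures {
    # Win32_SystemDriver lists kernel drivers; keep only those currently loaded.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Note: third-party drivers signed through Microsoft's hardware
            # program typically carry a Microsoft-issued signer subject, so the
            # signer name alone does not distinguish them; rely on Status.
            [pscustomobject]@{
                Name   = $_.Name
                Status = $sig.Status      # anything other than 'Valid' deserves a look
                Signer = $signer
                Path   = $path
            }
        }
}

Test-DefenderSignatureVersion | Format-List
# Non-Valid signatures sort to the top; review each before deciding it is benign.
Get-RunningDriverSignatures |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, Name |
    Format-Table -AutoSize
```

A driver that was loaded before the revocation keeps running until the system is rebooted, so a non-Valid result on a live host is a reason to investigate rather than proof of compromise.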