Microsoft-approved hardware drivers used in ransomware attacks

Sophos researchers have identified that vulnerabilities in Microsoft-approved hardware drivers have been exploited in ransomware attacks by a group known as Cuba.

A pair of files were found on compromised machines that Sophos says "work together to kill processes or services used by various vendors of endpoint security products."

Claiming to have "pulled the attackers off the systems" before things got out of hand, the company can't be sure what type of attacks (if any) may have taken place, though some evidence points to a variant of malware known as "BURNTCIGAR".

Ransomware with Microsoft drivers

Sophos informed Microsoft of its findings, which then issued an advisory as part of its monthly Patch Tuesday publication.

The tech giant says it has completed an investigation that found "activity was limited to abuse of multiple developer program accounts and no compromises were identified."

Microsoft has also suspended partner seller accounts in an effort to protect users in the meantime.

A security update has been released that revokes the certificates of the affected files, and detection and blocking of those files is now built into Windows when running Microsoft Defender 1.377.987.0 or later.

As always, the company encourages customers to install updates where applicable, including the operating system and any installed antivirus and endpoint protection software. Attacking the target's security software is often the precursor to more impactful steps, such as deploying ransomware.

More generally, Sophos has noticed a trend that sees threat actors "climb the pyramid of trust, trying to use increasingly reliable cryptographic keys to digitally sign their controllers."