Friend
Professional
How one account led to the collapse of the IT infrastructure.
A pro-Ukrainian hacker group successfully attacked the IT infrastructure of a Russian industrial organization by exploiting a weakness in Windows. The weakness, publicly known since 2022, lies in how Windows validates the digital signatures of kernel drivers.
Specialists of the Solar 4RAYS cyber threat research center (part of the Solar Group of Companies) investigated the incident in May 2024. They found that the attackers used the weakness to load a malicious driver on hosts in the victim's network; the driver then disabled the antivirus software. With the protection neutralized, the attackers encrypted a number of corporate systems and partially disabled virtualization servers, causing significant damage to the company.
The initial intrusion occurred in April 2024 through a compromised contractor account. From the contractor's host, the attackers moved to a number of other systems over RDP (Remote Desktop Protocol). Before carrying out destructive actions, they disabled the security software to avoid detection and blocking.
The weakness in Microsoft's driver-signing policy that the attackers exploited has been known for a long time. Starting with Windows 10 version 1607 (released in 2016), Microsoft requires that new code loaded into the kernel, drivers included, be signed through its dedicated hardware developer portal; Windows does not load new drivers without such a signature. The measure was introduced to raise the bar for attackers, who until then could get malware signed with certificates from legitimate but lax certification authorities.
However, to keep older drivers working (for example, drivers for hardware that is no longer in production), Microsoft left a few exceptions to this policy. One of them allows drivers signed with a leaf certificate (an end-entity certificate issued to a specific organization) issued no later than July 29, 2015 to load. This is the exception the attackers used, combined with a timestamp-forgery technique: they signed the driver with a certificate belonging to a Chinese electronics manufacturer that had been issued before that cutoff and forged the signing timestamp, "aging" the signature so that it appeared to have been made while the certificate was still valid and the operating system raised no objection.
While examining the attacked servers, Solar 4RAYS experts found two malware samples. One looked for signs that a security solution was present; the other disabled it with a command issued from kernel mode.
The company noted that this technique lets attackers disable any software and then develop the attack freely inside the target infrastructure. It stressed the importance of regularly verifying that security solutions are actually running and working, and of conducting compromise assessments, in order to detect such attacks in time.
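The detection side of what the report describes, both the legacy-signing exception and the driver that switched off the security product, can be hunted for from a single elevated PowerShell session. The script below is an added example written for this post; it is not code from Solar 4RAYS or from the original article. It assumes Windows PowerShell 5.1 or later run as an administrator, and the service names WinDefend and Sense in $ExpectedSecurityServices are placeholders for whatever EDR/AV services are actually deployed.

```powershell
# Added hunting script (not from the Solar 4RAYS report). Three checks:
#  1. running kernel drivers whose signature is invalid, or whose third-party leaf certificate
#     predates the 29 July 2015 cutoff (the population that loads only via the legacy exception);
#  2. driver services registered recently (Service Control Manager event 7045);
#  3. whether the expected security services are still running.
# Assumes Windows PowerShell 5.1+ run elevated. Service names below are placeholders.
param(
    [int]$LookbackDays = 30,
    [string[]]$ExpectedSecurityServices = @('WinDefend', 'Sense')   # assumption: Defender + MDE
)

$LegacyCutoff = Get-Date '2015-07-29'

function Get-DriverSignatureFindings {
    # Enumerate running kernel drivers and classify their Authenticode signature.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # CIM returns NT-style paths (\??\C:\...) for some drivers; normalise before use.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $leaf    = $sig.SignerCertificate
            $reasons = @()

            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }
            if ($leaf -and $leaf.NotBefore -lt $LegacyCutoff -and
                $leaf.Subject -notmatch 'Microsoft') {
                # A third-party leaf issued before the cutoff loads only through the legacy
                # exception, which is exactly where a timestamp-forged driver hides.
                $reasons += "pre-cutoff leaf (NotBefore $($leaf.NotBefore.ToString('yyyy-MM-dd')))"
            }
            if ($leaf -and $leaf.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
                # Expired signer with no timestamp countersignature: the signing time then comes
                # from the signer's own PKCS#7 attributes, which a forging tool controls.
                $reasons += 'expired signer without timestamp countersignature'
            }

            if ($reasons) {
                [pscustomobject]@{
                    Driver  = $_.Name
                    Path    = $path
                    Signer  = if ($leaf) { $leaf.Subject } else { '<unsigned>' }
                    Reasons = ($reasons -join '; ')
                }
            }
        }
}

function Get-RecentDriverInstalls {
    param([int]$Days)
    # The Service Control Manager logs event 7045 for every newly installed service, drivers
    # included. EventData order: 0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 Account.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel' } |   # English text; adjust if localised
        ForEach-Object {
            $image = $_.Properties[1].Value
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Service     = $_.Properties[0].Value
                ImagePath   = $image
                StartType   = $_.Properties[3].Value
                # Drivers dropped outside the usual location deserve a first look.
                OddLocation = ($image -notmatch '(?i)\\Windows\\System32\\drivers\\')
            }
        }
}

function Test-SecurityServiceHealth {
    param([string[]]$Names)
    # "Present but stopped" is the state the kernel-mode kill switch leaves behind.
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $n
            Present = [bool]$svc
            Status  = if ($svc) { $svc.Status } else { 'missing' }
            Healthy = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

Write-Host '== Running drivers needing review =='
Get-DriverSignatureFindings | Format-Table -AutoSize
Write-Host "== Driver services installed in the last $LookbackDays days =="
Get-RecentDriverInstalls -Days $LookbackDays | Format-Table -AutoSize
Write-Host '== Security service health =='
Test-SecurityServiceHealth -Names $ExpectedSecurityServices | Format-Table -AutoSize
```

The first table is a triage list, not an alert: legitimate drivers for old hardware also sit in the pre-2015 bucket, so cross-check each entry against the 7045 list (an old-certificate driver that was registered last week from a user-writable path is the combination worth pulling) and against the hardware inventory. Run the script on a schedule from a management host rather than only when something already looks wrong, since the whole point of the attack was that the host's own security tooling had been silenced before the encryption started.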
Source