Recurring |
one_organization, multiple_organization |
(a) The software failure incident involving the abuse of signed malicious drivers by threat actors has recurred at Microsoft. The incident involved malicious drivers certified by Microsoft's Windows Hardware Developer Program being used in post-exploitation activity, such as the deployment of ransomware. Microsoft suspended the Partner Center accounts that were abused, revoked the rogue certificates, and released security updates for Windows in response to the incident [136908].
(b) The incident of compromised certificates being used to sign malicious software has also been observed at other organizations. Google found that compromised "platform certificates" managed by Android device makers like Samsung and LG were used to sign malicious Android apps. Additionally, the FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers, who used compromised certificates to sign components of the Manuscrypt remote access tool [136908]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the article where it mentions that the Cuba ransomware group, after compromising a target's systems, used malicious drivers certified by Microsoft to disable security scanning tools and change settings. These drivers were signed by legitimate authorities, such as Microsoft, through fraudulent means, indicating a failure in the design phase where attackers exploited weaknesses in the software signing process to legitimize their malware [136908].
(b) The software failure incident related to the operation phase is highlighted in the article when it discusses how the Cuba ransomware group used the compromised certificates from tech companies like Zhuhai Liancheng Technology Co. to facilitate post-exploitation intrusion activities, such as deploying ransomware. This misuse of certificates obtained through fraudulent means points to a failure in the operation phase where attackers abused the trust chain to carry out malicious processes without detection [136908]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident described in the articles is primarily due to contributing factors that originate from within the system. Specifically, the failure involved the malicious use of drivers certified by Microsoft's Windows Hardware Developer Program to facilitate post-exploitation intrusion activities, such as deploying ransomware. The attackers compromised certificates and abused the signing process to legitimize their malware [136908].
(b) outside_system: The software failure incident also involved contributing factors that originate from outside the system. For instance, the attackers obtained certificates from legitimate authorities through fraudulent means, indicating a weakness in the infrastructure related to cryptographic software signing. Additionally, compromised "platform certificates" managed by Android device makers were used to sign malicious Android apps, highlighting vulnerabilities in the broader ecosystem [136908]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the articles is related to non-human actions, specifically the misuse of cryptographically signed drivers by the Cuba ransomware group. The group used malicious drivers certified by Microsoft to disable security scanning tools and change settings after compromising a target's systems [136908].
(b) The failure was also influenced by human actions, as the malicious drivers were submitted by developer accounts for the Microsoft Partner Center that were engaged in submitting malicious drivers to obtain a Microsoft signature. This abuse of partner accounts led to the deployment of ransomware through the signed malicious drivers [136908]. |
Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
- The incident involved the misuse of drivers certified by Microsoft's Windows Hardware Developer Program to facilitate post-exploitation intrusion activities, such as deploying ransomware [136908].
- Attackers compromised certificates from tech companies like NVIDIA and Zhuhai Liancheng Technology Co. to sign malicious drivers, which were used to disable security scanning tools and change settings on compromised systems [136908].
(b) The software failure incident related to software:
- The incident involved the use of malicious drivers that were signed by legitimate authorities, such as Microsoft, to carry out malicious processes without detection [136908].
- The compromised certificates and abuse of the signing process by attackers legitimized their malware, highlighting weaknesses in the infrastructure meant to validate software [136908]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The objective of the software failure incident was malicious, as it involved the Cuba ransomware group using malicious drivers that were certified by Microsoft to facilitate post-exploitation intrusion activities, such as the deployment of ransomware [136908].
(b) The incident involved the abuse of certificates and signing processes by threat actors to legitimize their malware, indicating a non-malicious failure in terms of the certificates being compromised or fraudulently obtained [136908]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident was related to poor decisions made by the attackers. The Cuba ransomware group made poor decisions by using malicious drivers certified by Microsoft to facilitate post-exploitation intrusion activities, such as deploying ransomware. These drivers were signed by legitimate authorities, making them difficult to detect and allowing the attackers to carry out processes without question [136908]. |
Capability (Incompetence/Accidental) |
development_incompetence, unknown |
(a) The software failure incident related to development incompetence is evident in the incident where the Cuba ransomware group used malicious drivers certified by Microsoft to facilitate post-exploitation intrusion activity, such as deploying ransomware. These drivers were signed by legitimate authorities after compromising certificates from various tech companies, including Microsoft. The attackers showed a high level of competence in creating and utilizing malicious drivers to bypass security measures [136908].
(b) The accidental aspect of the software failure incident is not explicitly mentioned in the provided article. |
Duration |
permanent |
(a) The software failure incident described in the articles is more of a permanent nature. The incident involved the malicious use of drivers certified by Microsoft in ransomware attacks by the group known as "Cuba." The attackers compromised certificates and abused the signing process to legitimize their malware, indicating a persistent and ongoing threat. Microsoft took actions such as suspending Partner Center accounts, revoking rogue certificates, and releasing security updates for Windows in response to the incident [136908].
(b) The software failure incident can also be considered temporary in the sense that immediate actions were taken to address the issue. Microsoft suspended the abused Partner Center accounts, revoked the rogue certificates, and released security updates for Windows related to the situation. The company stated that it hadn't identified any compromise of its systems beyond the partner account abuse, suggesting a containment of the immediate threat [136908]. |
Behaviour |
other |
(a) crash: The software failure incident in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident is more focused on malicious activities related to the use of compromised certificates and drivers [136908].
(b) omission: The incident does not involve a failure due to the system omitting to perform its intended functions at one or more instances. Instead, it revolves around the misuse of signed drivers and certificates for malicious purposes [136908].
(c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. The focus is on the abuse of certificates and drivers for post-exploitation intrusion activities [136908].
(d) value: The software failure incident is not about the system performing its intended functions incorrectly. It is more about the misuse of signed drivers and certificates to facilitate malicious activities like deploying ransomware [136908].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. It is primarily about the exploitation of trusted mechanisms like cryptographic software signing for malicious purposes [136908].
(f) other: The behavior of the software failure incident can be categorized as a security breach or compromise where attackers abuse the trust in signed drivers and certificates to carry out post-exploitation activities like deploying ransomware [136908]. |