Windows Policy Loophole: Hackers’ New Tactic Threatens System Security
In a concerning development, security researchers have discovered that hackers are leveraging open source tools to misuse a Windows policy loophole. It poses a significant threat to system security, since threat actors can load malicious and unverified drivers, even ones signed with expired certificates, and are specifically targeting Chinese-speaking Windows users.
Such malicious activity grants hackers unrestricted access to victims’ systems, potentially leading to severe consequences. This article delves into the details of this new tactic employed by hackers and emphasizes the urgent need for enhanced security measures to safeguard against such threats.
According to recent findings by Cisco Talos researchers, this new malicious activity exploits a loophole in Microsoft’s Windows driver-signing policy. It allows bad actors to sign and load cross-signed kernel mode drivers with a signature timestamp dating back to before July 29, 2015. The researchers shared these discoveries in a blog post on July 11.
The attackers are capitalizing on various open source tools to manipulate the signing date of kernel mode drivers, enabling them to load malicious and unverified drivers that have expired certificates. Chris Neal, an outreach researcher for Cisco Talos, emphasized the significance of this technique in the blog post.
Previously Used Code Signing Certificates with Open Source Tools
The researchers have already identified more than a dozen code signing certificates that are being used in conjunction with these open source tools. These certificates and their corresponding keys and passwords are stored in a PFX file hosted on GitHub.
Attackers are using signature timestamp forgery tools such as HookSignTool and FuckCertVerifyTimeValidity, which have been freely available since 2019 and 2018, respectively.
These findings shed light on the sophisticated tactics employed by hackers to infiltrate systems and gain unauthorized access. It is crucial for users, particularly those who primarily speak Chinese and use Windows, to be aware of this threat.
Additionally, organizations and security professionals must enhance their defenses and stay vigilant to protect against such exploits.
Useful Insights by Cisco Talos and RedDriver
Cisco Talos researchers have provided further insights into the tactics employed by threat actors using malicious drivers, particularly one named RedDriver. This specific driver exploits the HookSignTool to forge its signature timestamp, successfully bypassing Windows driver-signing policies.
Cisco Talos researchers stated that RedDriver’s infection chain was built from code taken from several open source tools, notably HP-Socket and a customized version of ReflectiveLoader.
Notably, the authors behind RedDriver possess advanced driver development skills and deep knowledge of the Windows operating system. In analyzing the targeting pattern, Cisco Talos discovered that RedDriver and several other malicious drivers contained metadata with a Simplified Chinese language code.
This finding strongly suggests that the threat actors are specifically targeting native Chinese speakers.
Additionally, Cisco Talos has identified instances where the same open source tools used in altering signing dates were employed to manipulate cracked drivers, thereby evading digital rights management (DRM) systems.
A Grave Danger to Windows
Windows OS faces a grave threat as attackers exploit kernel mode drivers, which are integral to the system’s core functions. These drivers facilitate communication between the user mode and the core layer of the Windows OS.
By loading a malicious kernel mode driver, attackers can breach the secure barrier between user mode and kernel mode, compromising the entire system and gaining complete access and control. This allows them to manipulate processes and persist undetected on infected systems.
“These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies,” Neal wrote. The persistence a malicious driver affords is what motivates attackers to keep searching for weaknesses in these checks.
Cisco Talos alerted Microsoft to their findings, leading the company to block certificates associated with malicious drivers. Microsoft also issued an advisory cautioning users about the use of drivers to gain administrator privileges on compromised systems.
Following an investigation, Microsoft concluded that the malicious activity was limited to the abuse of several developer program accounts, and no Microsoft accounts were compromised.
The company suspended the partners’ seller accounts and implemented measures to block and detect reported malicious drivers, enhancing customer protection against this threat. Vigilance and prompt action are crucial to safeguarding Windows OS and mitigating the risks posed by such attacks.
Ways to Reduce the Risk
To mitigate the threat posed by malicious Windows kernel drivers, Cisco Talos advises blocking the expired certificates associated with these drivers. They recommend blocking based on file hashes or on the certificates used for signing. Microsoft has also taken action by blocking the reported certificates.
Another detection method suggested by Cisco Talos involves comparing the signature timestamp with the driver’s compilation date. However, since compilation dates can be manipulated to match the timestamps, this check is not foolproof on its own.
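The two detection ideas above (blocklisting by file hash or signing certificate, and comparing the signature timestamp with the binary’s compile date) can be combined into one triage check. The Python below is an added example written for this article, not code from Cisco Talos or Microsoft. It reads the compile stamp from the PE header itself, but assumes the signature timestamp, certificate expiry and certificate thumbprint have already been extracted with other tooling (an assumption); the blocklist entries and the sample PE header are constructed placeholders, not real indicators.

```python
"""Flag kernel drivers whose Authenticode timestamp predates the July 29, 2015
driver-signing cutoff while the PE compile stamp says the binary was built later,
and apply a hash/certificate blocklist. Added example; assumptions are commented."""
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Cutoff date of the driver-signing policy exception described in the article.
POLICY_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)

# Constructed placeholder blocklists; real values would come from the Talos report.
BLOCKED_FILE_HASHES = {"<sha256 of a blocked driver, placeholder>"}
BLOCKED_CERT_THUMBPRINTS = {"<thumbprint of a blocked certificate, placeholder>"}


def utc(year, month, day):
    """Small helper so sample dates are timezone-aware UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class SignatureInfo:
    """Values a defender extracts from the Authenticode signature with separate
    tooling (assumption: e.g. verbose signtool output); constructed by hand here."""
    signing_time: datetime     # timestamp claimed in the (counter)signature
    cert_not_after: datetime   # expiry of the end-entity signing certificate
    cert_thumbprint: str       # thumbprint of that certificate


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (linker-recorded build time) of a PE image.

    Layout: 'MZ' at offset 0, e_lfanew (DWORD) at 0x3C, 'PE\\0\\0' at e_lfanew,
    then the 20-byte COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub_pe(compile_time: datetime) -> bytes:
    """Construct a minimal PE header (not a loadable driver) so the check runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature lives at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, int(compile_time.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def assess_driver(data, sig, now=None, blocked_hashes=BLOCKED_FILE_HASHES,
                  blocked_thumbprints=BLOCKED_CERT_THUMBPRINTS):
    """Return a list of findings; an empty list means none of these checks fired."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if hashlib.sha256(data).hexdigest() in blocked_hashes:
        findings.append("block: file hash on blocklist")
    if sig.cert_thumbprint in blocked_thumbprints:
        findings.append("block: signing certificate on blocklist")
    compiled = pe_compile_time(data)
    # A genuine signature is made after the build, so a compile stamp later than the
    # signing time means one of the two was altered. Caveat from the article: the compile
    # stamp can be edited to match, so a clean result here is not proof of legitimacy.
    if sig.signing_time < POLICY_CUTOFF and compiled > sig.signing_time:
        findings.append("forged-timestamp: pre-cutoff signature on a binary compiled later")
    # A pre-cutoff timestamp with an expired certificate is exactly what the policy
    # exception admits; legitimate old drivers look like this too, so flag for review only.
    if sig.signing_time < POLICY_CUTOFF and sig.cert_not_after < now:
        findings.append("review: relies on pre-2015 exception with an expired certificate")
    return findings


if __name__ == "__main__":
    # Constructed sample: binary built in 2023 but carrying a 2014 signature timestamp.
    sample = build_stub_pe(utc(2023, 6, 1))
    sample_sig = SignatureInfo(utc(2014, 1, 1), utc(2016, 1, 1), "constructed-thumbprint")
    for finding in assess_driver(sample, sample_sig):
        print(finding)
```

The compile-stamp comparison only catches actors who forged the signature timestamp without also touching the PE header, which is the limitation the article notes; treat a “forged-timestamp” hit as high confidence and a clean result as inconclusive. Note also that linkers producing reproducible builds may store a hash rather than a wall-clock time in TimeDateStamp, which can produce nonsensical compile dates and should be handled as a separate case in production tooling.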
Cisco Talos is actively monitoring this threat and has developed coverage for the discussed certificates. They commit to reporting any future findings on this matter to Microsoft, ensuring ongoing protection and vigilance against this threat.
How Will Microsoft Fight the Menace of Malicious Drivers?
Microsoft inadvertently created the Windows driver policy loophole in an effort to balance driver functionality and compatibility. Starting from Windows Vista 64-bit, Microsoft required digitally signed kernel-mode drivers to combat malicious threats.
However, in Windows 10, version 1607, a policy update was introduced, prohibiting the use of new, unsigned kernel-mode drivers.
An exception was made to maintain compatibility with older drivers: Windows still accepts drivers signed with an end-entity certificate issued before July 29, 2015, provided the certificate meets the chain requirement. This exception unintentionally created a vulnerability, enabling newly compiled drivers to be signed with non-revoked or expired certificates as long as they adhere to the chain requirement.
Exploiting this loophole became feasible due to the availability of multiple open source tools designed to take advantage of the policy gap. These tools facilitate installing and activating such drivers as services within the OS kernel layer, further exacerbating the security risks associated with this issue.
Conclusion
These findings shed light on the sophisticated and targeted nature of the attacks. The combination of advanced driver development skills, the use of open source tools, and a focus on Chinese-speaking users underscores the need for heightened security measures.
Organizations and individuals must prioritize robust security protocols, including implementing up-to-date anti-malware solutions and practicing safe browsing habits to mitigate the risk posed by such threats.
It is imperative for Microsoft and security experts to collaborate and address this loophole promptly, implementing necessary safeguards and measures to prevent further abuse by malicious actors.