Hackers Exploit Windows Policy Loophole

A recently disclosed policy loophole in Microsoft Windows is being abused in the wild. Threat actors, predominantly native Chinese speakers, have been exploiting it to forge signatures on kernel-mode drivers.

According to a detailed report from Cisco Talos, these actors use open-source tools to alter the signing date of kernel-mode drivers. This lets them load malicious drivers that were signed with expired certificates and never went through Microsoft's verification process. The impact is severe: code running in the kernel has full control over the system, so a successfully loaded malicious driver amounts to a complete compromise.

Addressing this issue promptly and putting mitigations in place is essential. According to the report, Microsoft and security researchers are working to understand the extent of the threat and to develop effective countermeasures.

(Image credit: The Hacker News)

In a recent incident, a major tech company suspended developer program accounts linked to a security breach. They highlighted that the threat actors had already obtained administrative privileges on compromised systems before utilizing the malicious drivers.

It’s worth noting that the tech company had previously implemented protective measures in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for post-exploitation activities.

Driver signature enforcement is a crucial defense against malicious drivers: it requires that drivers be digitally signed with a certificate issued through the company’s Dev Portal. This requirement helps prevent evasion of security solutions, interference with system processes, and persistence. The policy was introduced with the release of Windows Vista.

However, Cisco Talos discovered a weakness that allows signatures on kernel-mode drivers to be forged, effectively bypassing Windows certificate policies. The weakness stems from an exception Microsoft made for compatibility reasons. It permits cross-signed drivers in specific scenarios: when upgrading from an earlier Windows version, with Secure Boot disabled, and with the driver signed by an end-entity certificate issued before July 29, 2015 that chains to a supported cross-signed certificate authority.

By exploiting this exception, threat actors can sign newly compiled drivers with non-revoked or expired certificates issued before July 29, 2015, without submitting them to Microsoft for verification, and then load those malicious drivers onto Windows devices.
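For defenders, the practical question is which running drivers could only have passed validation through this exception. The following PowerShell audit is an added example, not code from the article or from Cisco Talos: it lists running kernel drivers, reads each signer certificate with Get-AuthenticodeSignature, and flags drivers whose signer certificate was issued before the July 29, 2015 cutoff and has since expired, or whose signature status is anything other than Valid. It assumes an elevated PowerShell session on the host being audited; the `$ReportPath` output location is a hypothetical choice.

```powershell
# Added audit script (not from the article or the Cisco Talos report).
# Assumptions: runs in an elevated PowerShell session on the host being audited;
# the cutoff date comes from the article; $ReportPath is a hypothetical location.

$Cutoff     = Get-Date '2015-07-29'
$ReportPath = Join-Path $env:TEMP 'driver-signature-audit.csv'

# Collect the on-disk paths of currently running kernel drivers.
$driverPaths = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^"([^"]+)".*$', '$1'   # strip quotes/arguments
        $p = $p -replace '^\\\?\?\\', ''                   # strip the \??\ prefix
        $p -replace '^\\SystemRoot', $env:SystemRoot       # expand \SystemRoot
    } | Sort-Object -Unique

$findings = foreach ($path in $driverPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate

    # A signer certificate issued before the cutoff that has since expired is
    # exactly what the compatibility exception still lets Windows accept, so a
    # forged signing date could have been used to make the signature verify.
    $preCutoff = ($null -ne $cert) -and ($cert.NotBefore -lt $Cutoff)
    $expired   = ($null -ne $cert) -and ($cert.NotAfter  -lt (Get-Date))

    [pscustomobject]@{
        Path          = $path
        Status        = $sig.Status
        Signer        = if ($cert) { $cert.Subject } else { '<unsigned>' }
        CertNotBefore = if ($cert) { $cert.NotBefore } else { $null }
        CertNotAfter  = if ($cert) { $cert.NotAfter }  else { $null }
        Timestamped   = $null -ne $sig.TimeStamperCertificate
        ExceptionPath = $preCutoff -and $expired
        Suspicious    = ($sig.Status -ne 'Valid') -or ($preCutoff -and $expired)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -LiteralPath $ReportPath
```

The output is a triage list, not a verdict: a driver that matches the exception path may be a legitimately old third-party driver, so cross-check flagged files against the vendor and against the indicators published in the Cisco Talos report before acting. Because a forged signing date makes the signature itself look valid, the Status column alone is not enough; the CertNotBefore and CertNotAfter columns are what reveal that the signature could only have been accepted under the exception.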

To accomplish this, threat actors utilize signature timestamp forging software like HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively. HookSignTool has been accessible on GitHub since January 7, 2020, while FuckCertVerifyTimeValidity was committed to the code hosting service on December 14, 2018.

HookSignTool manipulates driver signatures by changing the signing date during the signing process. It does this by modifying the import table of a legitimate code signing tool so that calls to the Windows API function CertVerifyTimeValidity are hooked, which lets it alter the signing timestamp. As a result, users can sign binaries with an outdated certificate without manually changing the system time. The tool has also been used to re-sign cracked drivers, bypassing digital rights management (DRM) integrity checks.

In addition to its driver signature forging capabilities, HookSignTool is also used by a previously undisclosed driver called RedDriver. RedDriver operates as a driver-based browser hijacker, intercepting and redirecting browser traffic to localhost (127.0.0.1) using the Windows Filtering Platform (WFP). The targeted browsers are selected randomly from a predefined list, including popular Chinese browsers and international ones like Chrome, Edge, and Firefox.

The purpose behind this browser traffic manipulation is unclear, but it suggests the potential for tampering with packet-level browser traffic. The infection chain of RedDriver starts with the execution of a binary named “DnfClientShell32.exe,” which establishes encrypted communications with a command-and-control server to download the malicious driver.

The initial file delivery method is unknown, but it’s likely that the file was disguised as a game file and hosted on a malicious download link. The authors of RedDriver appear to be highly skilled, with expertise in developing malicious drivers and a familiarity with software development lifecycles.

This discovery aligns with Sophos’ findings of over 100 malicious kernel drivers signed by Microsoft and other companies. Some of these drivers date back to April and are designed to sabotage security software or function as stealthy rootkits for monitoring network traffic using WFP.

Overall, the use of HookSignTool extends beyond driver signature forgery into sophisticated activity such as browser hijacking and malicious driver development.
