This huge Windows security hole is letting malware hackers in - here's what you need to know


Chinese hackers have been spotted using two open-source tools to sign and load malicious kernel-mode drivers on compromised endpoints.

According to cybersecurity researchers from Cisco Talos who spotted the campaign, this gives the attackers the highest-possible privilege level. "This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise,” they said in their analysis.

The two open-source tools in question are called HookSignTool and FuckCertVerifyTimeValidity. Both have been around for roughly five years and are available for download on GitHub. Their original purpose was to get modified or cheat-related drivers loaded for video-game cheating, giving players an unfair advantage.

In this campaign, however, the hackers used the tools on previously breached systems to forge the signing timestamp of malicious drivers so that it falls before July 29, 2015. That date matters because of an exception in the Windows driver-signing policy: a driver signed with a certificate issued before it, chaining to a trusted cross-signed certificate authority, is still accepted by Windows 10 and later without going through Microsoft's attestation signing. By pairing a forged timestamp with an expired or stolen pre-2015 certificate, the attackers can get a driver written today loaded by the operating system and run their code with kernel privileges.

The researchers then described a real-world example: a malicious driver called "RedDriver", signed with the help of HookSignTool, which intercepts browser traffic for the world's most popular browsers, Chrome, Edge, and Firefox, as well as traffic from several browsers popular in China.

"FuckCertVerifyTimeValidity works in a similar fashion to HookSignTool in that it uses the Microsoft Detours package to attach to the "CertVerifyTimeValidity" API call and sets the timestamp to a chosen date," the researchers said. “Unlike HookSignTool, FuckCertVerifyTimeValidity does not leave artifacts in the binary that it signs, making it very difficult to identify when this tool has been used."

Analysis: Why does it matter? 

Not all vulnerabilities are the same. Some are hard to abuse, while others have working exploits available in the wild. Weaknesses such as this one, where a ready-made tool can be picked up and used even by low-skilled attackers, are extremely dangerous. This one is even more concerning given that it was picked up by Chinese hackers. These threat actors, especially if they are state-sponsored, are always looking for new avenues, and their goals are usually cyber-espionage, data and identity theft, and the disruption of critical infrastructure. By identifying and blocking these avenues, security researchers greatly improve the overall security posture of major organizations in their countries.

In this particular case, the attackers are using a technique known as Bring Your Own Vulnerable Driver (BYOVD). This is a popular technique with a simple premise: install an older, legitimately signed driver with a known vulnerability on a system and then use that vulnerability to elevate privileges and ultimately install malware. Here the drivers are malicious by design rather than merely vulnerable, but the loading mechanism is the same: a signed driver that Windows trusts.

To defend against this threat, the Cisco Talos researchers recommend blocking the certificates listed in their report, since IT teams will struggle to detect malicious drivers on their own. Such drivers are most effectively blocked by file hash or by the certificates used to sign them. The researchers also said that Microsoft has blocked all of the above-mentioned certificates and that users can refer to Microsoft's advisory for further information.
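The policy exception and the block-by-hash-or-certificate advice above translate into a practical triage check. The PowerShell script below is an added example written for this page, not a tool from Cisco Talos or Microsoft. It walks the drivers currently running on the host, records each one's SHA-256 hash and Authenticode signer, and flags any driver whose signer certificate was issued before the July 29, 2015 cutoff, has expired, fails validation, or matches a block list. The block lists are assumed to be populated from the Talos and Microsoft advisories; they are left empty here rather than filled with guessed indicators. A hit on the date test alone is not proof of compromise, since many legitimate older drivers carry pre-2015 certificates; it is a list of what to look at first.

```powershell
# Added example (not from the Talos report or the article). Run from an elevated
# PowerShell prompt so all running driver image paths are readable.

# Windows accepts drivers signed with end-entity certificates issued before this
# date without Microsoft attestation signing; that is the exception abused by
# HookSignTool-style timestamp forgery.
$Cutoff = Get-Date -Year 2015 -Month 7 -Day 29

# Assumption: fill these from the published advisories. They are placeholders.
$BlockedThumbprints = @()   # SHA-1 thumbprints of revoked/abused signing certificates
$BlockedSha256      = @()   # SHA-256 hashes of known malicious driver files

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $hash     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $cert     = $sig.SignerCertificate
    $findings = @()

    if ($sig.Status -ne 'Valid')         { $findings += "signature status: $($sig.Status)" }
    if ($BlockedSha256 -contains $hash)  { $findings += 'file hash on block list' }

    if ($cert) {
        if ($BlockedThumbprints -contains $cert.Thumbprint) {
            $findings += 'signer certificate on block list'
        }
        # Pre-cutoff issuance is the condition the policy exception keys on.
        if ($cert.NotBefore -lt $Cutoff) {
            $findings += "signer cert issued before cutoff ($($cert.NotBefore.ToShortDateString()))"
        }
        # Expired signer certs are common on old legitimate drivers, but a recently
        # modified file signed with one deserves a closer look.
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings += "signer cert expired $($cert.NotAfter.ToShortDateString())"
        }
    } else {
        $findings += 'no signer certificate'
    }

    [pscustomobject]@{
        Path         = $Path
        LastWrite    = (Get-Item -Path $Path).LastWriteTime
        SHA256       = $hash
        Signer       = if ($cert) { $cert.Subject } else { $null }
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        NotBefore    = if ($cert) { $cert.NotBefore } else { $null }
        Status       = $sig.Status
        Findings     = ($findings -join '; ')
    }
}

# Only drivers that are actually loaded matter for the running system. Service
# image paths come in a few forms (\??\C:\..., \SystemRoot\..., plain C:\...),
# so normalise them before touching the files.
$paths = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot
        if ($p -match '^system32\\') { Join-Path $env:SystemRoot $p } else { $p }
    } |
    Where-Object { Test-Path -Path $_ } |
    Sort-Object -Unique

$paths |
    ForEach-Object { Test-DriverSignature -Path $_ } |
    Where-Object { $_.Findings } |
    Sort-Object NotBefore |
    Format-Table Path, Signer, NotBefore, LastWrite, Status, Findings -AutoSize
```

The script is deliberately read-only. Once a driver is confirmed malicious, the blocking step belongs in a Windows Defender Application Control policy (by hash or by signer), which is the enforcement mechanism Microsoft's own driver block list uses; the hashes and thumbprints this script prints are the values such a rule needs.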

“Microsoft implements and maintains a driver block list within Windows, although it is focused on vulnerable drivers rather than malicious ones,” they said. “As such, this block list should not be solely relied upon for blocking rootkits or malicious drivers.”

What have others said about the attacks? 

In its writeup, Ars Technica tentatively criticized Microsoft, saying it’s continuing to approach the problem of malicious drivers used in post-exploit scenarios as a game of whack-a-mole. “The approach is to block drivers known to be used maliciously but to do nothing to close the gaping loophole,” it says. “That leaves attackers free to simply use a new batch of drivers to do the same thing. As demonstrated in the past and again now, Microsoft often fails to detect drivers that have been used maliciously for years.”

However, the same article stresses that a working solution is hard to find because many vulnerable drivers are still being used - legitimately - by many paying customers. “A revocation of such drivers could cause crucial software worldwide to suddenly stop working.”

The silver lining, according to the publication, is that in order for the flaw to work, the system needs to be exploited in advance, so the best defense is not to get compromised in the first place. 

BleepingComputer, on the other hand, reached out to Microsoft and was told the flaw would not be getting a CVE, as the company does not consider it a vulnerability. "While the certificates discovered by Cisco and Sophos have now been revoked, the risk is far from eliminated as further certificates likely remain exposed or stolen, allowing threat actors to continue abusing this Windows policy loophole," the publication states. It also notes that Sophos found more than a hundred malicious kernel drivers used as "EDR killers" to shut down security software.

Go deeper 

If you want to learn more, start by reading up on Microsoft's latest moves to prevent such attacks from happening in the first place. After that, check out our list of the best antivirus programs around, as well as the best malware removal programs. Finally, read our in-depth guide to the best firewalls today.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
