Chinese hackers were found to be using two open-source tools to sign and load malicious kernel-mode drivers on infected endpoints.
According to the Cisco Talos cybersecurity researchers who discovered the activity, this gives the attackers the highest possible privilege level. “This is a significant threat because access to the kernel provides complete access to the system and thus can cause outright compromise,” they said in their report.
The two open-source tools are called HookSignTool and FuckCertVerifyTimeValidity. Both have been around for about five years and are available for download on GitHub. Their main purpose is to let game cheaters modify a game and gain an unfair advantage.
In this case, however, the Chinese hackers used them on a previously compromised system to backdate the signature of a malicious driver to before July 29, 2015. With the backdated signature the malicious driver passes as an older, legacy-signed driver, can be loaded into the operating system, and gives the attackers administrative control of the machine.
The researchers then showed a real-world example. They used HookSignTool to load a malicious driver called “RedDriver,” which helped them intercept browser traffic for the world’s most popular browsers (Chrome, Edge, and Firefox). They also managed to intercept traffic passing through popular browsers in China.
“FuckCertVerifyTimeValidity works similarly to HookSignTool, using the Microsoft Detours package to attach to the ‘CertVerifyTimeValidity’ API call and set the timestamp to a selected date,” the researchers said. binary files, making it difficult to identify when the tool was used.”
Analysis: Why does it matter?
Not all vulnerabilities are created equal. Some are harder to abuse, while others can be exploited in the wild. Vulnerabilities like this one come with an effective exploit that even low-skilled hackers can easily find and use, which is extremely dangerous. That Chinese hackers were the ones found using it makes it more dangerous still. These threat actors, especially when state-sponsored, are always looking for new avenues, often for cyberespionage, data and identity theft, and disruption of critical infrastructure systems. By identifying and blocking these avenues, cybersecurity experts dramatically improve the overall security posture of major organizations in this country.
In this particular case, the attackers are using a technique called “bring your own vulnerable driver” (BYOVD). It is a popular technique with a simple premise: install an old driver with a known vulnerability onto a system, then exploit that vulnerability to gain access, escalate privileges, and ultimately install malware.
To defend against this threat, Cisco Talos researchers recommend blocking all the certificates listed in their report, since it will be difficult for IT teams to detect the malicious drivers on their own. Malicious drivers are most effectively blocked by file hash or by the certificate used to sign them. The researchers also said that Microsoft has blocked all of the certificates in question, and users can refer to Microsoft’s announcement for more information.
“Microsoft implements and maintains a driver blocklist in Windows, although it focuses on vulnerable drivers rather than malicious drivers,” they said. “Thus, this blocklist should not be relied upon solely to block rootkits or malicious drivers.”
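As an added illustration of the defensive checks discussed above (this is not code from Talos, Microsoft or the article), the script below applies three triage tests to a driver image: a file-hash blocklist, a signing-certificate thumbprint blocklist, and a consistency check for backdated signatures. The blocklist contents are constructed placeholders to be filled from the vendor advisories, and the signing time and signer thumbprint are assumed to come from a separate Authenticode parser such as signtool or sigcheck output.

```python
import hashlib
import struct
from datetime import datetime, timezone


def _utc(date: str) -> datetime:
    """Parse 'YYYY-MM-DD' as midnight UTC."""
    return datetime.fromisoformat(date).replace(tzinfo=timezone.utc)


# Windows still accepts legacy-signed drivers dated before this cutoff,
# which is why the tools described in the article backdate the signing time.
LEGACY_CUTOFF = _utc("2015-07-29")

# Constructed placeholders: populate from the published hash and certificate lists.
BLOCKED_SHA256 = {"0" * 64}
BLOCKED_THUMBPRINTS = {"0" * 40}


def pe_link_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (link time) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_driver(data: bytes, signing_date: str, signer_thumbprint: str) -> list:
    """Return a list of findings for one driver image; empty means nothing suspicious."""
    findings = []
    if hashlib.sha256(data).hexdigest() in BLOCKED_SHA256:
        findings.append("file hash is on the blocklist")
    if signer_thumbprint.upper() in BLOCKED_THUMBPRINTS:
        findings.append("signing certificate is on the blocklist")
    signed, linked = _utc(signing_date), pe_link_time(data)
    # An honest build is linked before it is signed. A pre-cutoff signing date on an
    # image linked later is what backdating leaves behind. Some toolchains zero or
    # randomise the link time, so treat this as a lead to investigate, not proof.
    if signed < LEGACY_CUTOFF and linked > signed:
        findings.append(f"signature dated {signed:%Y-%m-%d} predates the 2015-07-29 "
                        f"cutoff but the image was linked {linked:%Y-%m-%d}: likely backdated")
    return findings


def build_stub_pe(link_date: str) -> bytes:
    """Constructed minimal MZ/PE header with a chosen link time, for offline testing."""
    img = bytearray(0x40 + 24)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)       # e_lfanew: PE header starts at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x48, int(_utc(link_date).timestamp()))  # TimeDateStamp
    return bytes(img)
```

Run `assess_driver` over the bytes of each file in the drivers directory together with the signing data your Authenticode tool reports; a non-empty list is a candidate for removal or blocking.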
What are others saying about the attack?
In its article, Ars Technica criticizes Microsoft for continuing to treat malicious drivers used in post-exploitation scenarios as a game of whack-a-mole. “This approach is to block drivers that are known to be used maliciously, but do nothing to close the gap,” it said. “This allows an attacker to simply use a new batch of drivers to accomplish the same thing. As it has demonstrated in the past and now, Microsoft often fails to detect drivers that have been used maliciously over the years.”
However, the same article highlights that it is difficult to find an effective solution, as many of the vulnerable drivers are still legitimately used by many paying customers. “Removing such drivers could cause critical software around the world to suddenly stop working.”
The silver lining, according to the publication, is that in order for the flaw to work, the system needs to be exploited ahead of time, so the best defense is not to be compromised in the first place.
BleepingComputer, on the other hand, contacted Microsoft and was told that the flaw would not get a CVE because the company does not consider it a bug. “While the certificates discovered by Cisco and Sophos have now been revoked, the risk is far from eliminated as many more certificates may still be exposed or stolen, allowing threat actors to continue to abuse this Windows policy vulnerability,” the publication states. It also noted that Sophos had discovered more than a hundred malicious kernel drivers used as “EDR killers” to shut down security software.