this post was submitted on 12 Jul 2023
208 points (98.1% liked)

Technology

59710 readers
5629 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Hackers are using open source software that’s popular with video game cheaters to allow their Windows-based malware to bypass restrictions Microsoft put in place to prevent such infections from occurring.

The software comes in the form of two software tools that are available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.

Researchers from Cisco’s Talos security team said Tuesday that multiple Chinese-speaking threat groups have repurposed the tools—one called HookSignTool and the other FuckCertVerifyTimeValidity. Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have.

A new way to bypass Windows driver restrictions

“During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers,” the researchers wrote. “While they have gained popularity within the game cheat development community, we have observed the use of these tools on malicious Windows drivers unrelated to game cheats.”

With the debut of Windows Vista, Microsoft enacted strict new restrictions on the loading of system drivers that can run in kernel mode. The drivers are critical for devices to work with antivirus software, printers, and other kinds of software and peripherals, but they have long been a convenient inroad for hackers to run malware in kernel mode. These inroads are available to hackers post-exploit, meaning once they've already gained administrative privileges on a targeted machine. Advertisement

While attackers who gain such privileges can steal passwords and take other liberties, their malware typically must run in the Windows kernel to perform a large number of more advanced tasks. Under the policy put in place with Vista, all such drivers can be loaded only after they’ve been approved in advance by Microsoft and then digitally signed by a trusted certificate authority to verify they are safe.

Malware developers with admin privileges already had one well-known way to easily bypass the driver restrictions. The technique is known as “bring your own vulnerable driver.” It works by loading a publicly available third-party driver that has already been signed and later is found to contain a vulnerability allowing system takeover. The hackers install the driver post exploit and then exploit the driver vulnerability to inject their malware into the Windows kernel.

Although the technique has existed for more than a decade, Microsoft has yet to devise working defenses and has yet to provide any actionable guidance on mitigating the threat despite one of its executives publicly lauding the efficacy of Windows to defend against it.

The technique Talos has discovered represents a new way to bypass Windows driver restrictions. It exploits a loophole that has existed since the start of the policy that grandfathers in older drivers even when they haven’t been reviewed for safety by Microsoft. The exception, designed to ensure older software was still able to run on Windows systems, is triggered when a driver is signed by a Windows-trusted certificate authority prior to July 29, 2015.

“If a driver is successfully signed this way, it will not be prevented from being installed and started as a service,” Tuesday’s Talos post explained. “As a result, multiple open source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available.”

you are viewing a single comment's thread
view the rest of the comments
[–] LeberechtReinhold 12 points 1 year ago* (last edited 1 year ago) (11 children)

Yes and no. It's an escalations issue. Even with administrator access, you are not supposed[note1] to be allowed to install drivers with invalid signature, which supposedly haven an even high chain of trust (although this really iffy unless you are using secureboot as well but that's another discussion).

That said, when the attacker already has admin privileges you are so far in the compromised chain that the kernel driver is an issue, but you are most likely completely fucked anyways.

This just makes your vulnerability state to be the same as in linux, where your drivers arent required to be signed in the first place, for example.

[note 1]: There's a caveat, with admin acess you can disable driver signatures entirely, using bcdedit, this is called test signing and leaves a visible watermark at all times with "Test signing enabled", therefore the user can already see that the computer is compromised. Its mostly useful for devs (or attacking people who dont give a fuck).

[–] Zeth0s 2 points 1 year ago (5 children)

Why do you say that the "vulnerability state just like Linux"? Linux is the name for a family of OSes that behave differently.

Nowadays all that I know are secured by default (e.g. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel)

[–] LeberechtReinhold 4 points 1 year ago (4 children)

If you have root in linux you can disable that, so you are in the same state. You could also selfsign.

This is an issue, but IMHO quite overblown.

[–] meisme 3 points 1 year ago (1 children)

Self signing sends you to the bios to approve the key, and requires you to enter a password that was used when creating the key. It's all but impossible to do it accidentally, as if you have no idea what you're doing you won't know the password.

[–] LeberechtReinhold 1 points 1 year ago

Yeah, the password is much better. In Windows you also realize it because the admin screen is hard to miss, but you can just go ahead and accept it, since many users run their PC as admins.

load more comments (2 replies)
load more comments (2 replies)
load more comments (7 replies)