Hackers are using open source tools to exploit a Windows policy loophole for kernel mode drivers to load malicious and unverified drivers with expired certificates, researchers have found. The activity — primarily targeted at Chinese-speaking Windows users — potentially gives threat actors full access to victims' systems.
Researchers from Cisco Talos discovered the malicious activity, which takes advantage of an exception in Microsoft's Windows driver-signing policy that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015, they revealed in a blog post July 11.
"Actors are leveraging multiple open source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Chris Neal, outreach researcher for Cisco Talos, wrote in the post.
So far, the researchers have observed more than a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used together with these open source tools. Among these tools are signature timestamp forging tools HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018 respectively.
In a separate post, Cisco Talos outlined how one of the malicious drivers — dubbed RedDriver — uses HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. The threat actors used code from multiple open source tools in the development of RedDriver's infection chain, including HP-Socket and a custom implementation of ReflectiveLoader, the researchers found. Moreover, the authors of RedDriver appear to be skilled in driver development and have deep knowledge of the Windows OS.
RedDriver — like most of the malicious drivers that the researchers discovered — contained a Simplified Chinese language code in its metadata, suggesting that actors are targeting native Chinese speakers. Cisco Talos also has identified an instance of one of the open source tools being used to alter signing dates performing the same task on cracked drivers to bypass digital rights management (DRM).
Complete Windows OS Takeover
Kernel mode drivers are part of the core layer of the Windows OS, providing the essential and necessary functions to run the system. Drivers facilitate communication between this layer and the user mode, where the files and applications with which users interact with reside.
"Splitting the operating system into two modes creates a highly controlled logical barrier between the average user and the Windows kernel," Neal wrote. "This barrier is critical to maintaining the integrity and security of the OS, as access to the kernel provides complete access to a system."
By loading a malicious kernel mode driver then, attackers can breach this secure barrier and compromise the entire system, manipulating system- and user-mode processes, he said. At the same time, they evade endpoint detection and can maintain persistence on an infected system.
"These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies," Neal wrote.
Cisco Talos informed Microsoft of the researchers' discovery and, in response, the company blocked all certificates that were identified as associated with malicious drivers. The company also issued an advisory informing its customers to be aware that drivers are being used to gain administrator privileges on compromised systems.
After an investigation, the company determined that "the activity was limited to the abuse of several developer program accounts," and that no Microsoft account has been compromised. "We've suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat," the company said.
Creating the Windows Driver Policy Loophole
Microsoft began requiring kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority starting in Windows Vista 64-bit to combat the threat of malicious drivers. However, starting with Windows 10, version 1607, Microsoft updated its driver signing policy to forbid the use of new kernel-mode drivers that have not been submitted to, and signed by, its Developer Portal.
At the same time, the company had to ensure that older drivers still maintained functionality and compatibility, so it created a few exceptions — one of which created the problem at the core of the exploitation. It states that drivers signed with an end-entity certificate issued prior to July 29, 2015 that chains to a support cross-signed certificate authority are still valid.
This effectively created a loophole allowing a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before that date, as long as it chains to a supported cross-signed certificate authority. A driver signed this way can be installed and started as a service in the OS kernel layer, activity that's further facilitated by the availability of multiple open source tools to exploit this loophole, Neal said.
Mitigating the Windows Kernel Cyber Threat
Cisco Talos includes a list of the expired certificates associated with malicious drivers in its post and recommends that Windows users also block them, noting that malicious drivers are most effectively blocked based on file hashes or the certificates used to sign them. As previously mentioned, Microsoft also has taken action to block the certificates that Cisco Talos reported to them.
Comparing the signature timestamp to the compilation date of a driver also can sometimes be an effective means of detecting instances of timestamp forging. However, as compilation dates can be altered to match signature timestamps, this defense method is not always comprehensive, according to Cisco Talos.
"Cisco Talos has created coverage for the certificates discussed in this blog and will continue to monitor this threat activity to inform future protections," Neal wrote. "Additionally, we will report any future findings regarding this threat to Microsoft."