A loophole big enough to drive an APT through?
Jul 13, 2023

Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures.


Cisco Talos researchers discovered that threat actors took advantage of a policy loophole in Windows cross-signed kernel drivers that allowed them to forge signature timestamps and load unverified malicious drivers signed with expired certificates. “We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools,” the advisory notes. Based on the language code found in the metadata of the malicious drivers, the researchers assess the threat actors to be Chinese nationals. The advisory explains that attackers can exploit the loophole to cross the user-kernel barrier, which is crucial for “maintaining the integrity and security of the OS.” Talos has alerted Microsoft, which has since disabled all forged certificates that could have passed through this loophole.

The loophole being exploited.

The researchers explain that when Microsoft updated its driver signing policy in Windows 10, version 1607, it carved out exceptions so that older drivers could still be authenticated and loaded. The exceptions, as quoted by Talos, were:

“The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.

“Secure Boot is off in the BIOS.

“Drivers was [sic] signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.”

The third exception created a loophole which allowed a threat actor to abuse certificates which were not revoked prior to July 29th, 2015, “provided that the certificate chains to a supported cross-signed certificate authority.” Multiple open source tools have been created to exploit this and are being used by threat actors: “Talos has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification. During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers.”
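As an added example that is not part of the article or the Talos advisory, the following PowerShell triage script (the helper name Test-LegacyCrossSignedDriver and the path normalisation are assumptions of this example) lists the drivers registered on a host whose Authenticode signer certificate was issued before July 29, 2015 and was not issued by Microsoft, i.e. the drivers that could only be loading under the third exception quoted above. It also reports Secure Boot state, since the exception applies only when Secure Boot is off. It is read-only and does not prove a timestamp was forged; it narrows the set of drivers that deserve a closer look (certificate revocation state, PE metadata, vendor provenance).

```powershell
# Added example, not code from the article or from Cisco Talos.
# Run from an elevated PowerShell session: Confirm-SecureBootUEFI and some
# driver paths require administrator rights.
$Cutoff = Get-Date '2015-07-29'   # end-entity certificate issuance cutoff from the Windows 10 1607 policy

# Hypothetical helper (assumed name): classify one driver file by its signer certificate.
function Test-LegacyCrossSignedDriver {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        # No embedded or catalog signer could be resolved; report it but do not classify it.
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $null
                                  CertNotBefore = $null; CertNotAfter = $null; CertExpired = $null
                                  HasTimestamp = $false; LegacyException = $false }
    }
    # Drivers signed through Microsoft's own signing (WHQL / attestation) do not rely on the exception.
    $microsoftSigned = $cert.Subject -like '*Microsoft*'
    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $cert.Subject
        CertNotBefore   = $cert.NotBefore
        CertNotAfter    = $cert.NotAfter
        CertExpired     = $cert.NotAfter -lt (Get-Date)    # expired certs are the ones the loophole abuses
        HasTimestamp    = $null -ne $sig.TimeStamperCertificate
        LegacyException = (-not $microsoftSigned) -and ($cert.NotBefore -lt $Cutoff)
    }
}

# The exception only applies when Secure Boot is off; on legacy BIOS the cmdlet throws, which we treat as off.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
Write-Host "Secure Boot enabled: $secureBoot"

# Enumerate drivers registered as services. PathName may be empty or carry
# \??\, \SystemRoot\ or a bare System32\ prefix, so normalise before testing the path.
$paths = Get-CimInstance Win32_SystemDriver |
    ForEach-Object { $_.PathName } |
    Where-Object { $_ } |
    ForEach-Object {
        $_ -replace '^\\\?\?\\', '' `
           -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
           -replace '^system32\\', "$env:SystemRoot\System32\"
    } |
    Where-Object { Test-Path $_ } |
    Sort-Object -Unique

$results = foreach ($p in $paths) { Test-LegacyCrossSignedDriver -Path $p }

# Drivers that can only be loading under the pre-2015 cross-signing exception, oldest certificate first.
$results | Where-Object LegacyException | Sort-Object CertNotBefore |
    Format-Table Path, Signer, CertNotBefore, CertNotAfter, CertExpired, HasTimestamp, Status -AutoSize
```

A hit on this list is not by itself malicious: legitimate vendors still ship drivers signed under the exception. What makes an entry worth escalating is a signer certificate that is expired or known to be revoked combined with a file that appeared on the host recently, which is the pattern the advisory describes.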