In the ever-evolving landscape of cybersecurity, new threats and vulnerabilities are constantly emerging. One such threat that has recently come to light is the exploitation of a Windows policy loophole detailed by Cisco Talos that allows threat actors to forge signatures on kernel-mode drivers. This loophole has been primarily exploited by native Chinese-speaking threat actors, who are leveraging multiple open-source tools to alter the signing date of kernel mode drivers, thereby loading malicious and unverified drivers signed with expired certificates.
Understanding Kernel-Mode Drivers
The Windows operating system is split into two layers, or “modes”: user mode, where the files and applications that users interact with reside, and the kernel mode, where kernel mode drivers and the underpinnings of Windows perform the necessary functions to run the system. This separation creates a highly controlled logical barrier between the average user and the Windows kernel, which is critical to maintaining the integrity and security of the OS. Access to the kernel provides complete access to a system, and therefore total compromise.
The Role of Digital Signatures in Driver Security
To combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority starting with Windows Vista 64-bit. This requirement is a crucial line of defense against malicious drivers, which could potentially be weaponized to evade security solutions, tamper with system processes, and maintain persistence.
Exploiting the Loophole
However, a loophole in the Windows policy has been discovered that allows the forging of signatures on kernel-mode drivers, thereby bypassing the certificate policies within Windows. This loophole is facilitated by the use of open-source tooling and non-revoked certificates that either expired before or were issued prior to July 29, 2015.
Two open-source tools, HookSignTool and FuckCertVerifyTimeValidity, have been observed to be used in exploiting this loophole. These tools alter the signing date of a driver during the signing process, thereby allowing an invalid time to be verified. To successfully forge a signature, these tools require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password.
The Threat Landscape
The exploitation of this loophole presents a serious threat as the installation of malicious drivers can provide an attacker kernel-level access to a system. These tools can also be used to re-sign a cracked driver to bypass digital rights management (DRM), which may lead to a loss of sales for an organization through software piracy.
In response to this threat, Microsoft has taken steps to block all certificates to mitigate the threat. However, the existence of these tools and the potential for their misuse underscores the need for continuous vigilance and proactive measures in the realm of cybersecurity.
Mitigation and Proactive Measures
As cybersecurity professionals, it is crucial to stay informed about these emerging threats and to take proactive measures to mitigate them. This includes regularly updating and patching systems, implementing robust security policies, and educating users about the risks of downloading and installing unverified drivers. Furthermore, organizations should consider implementing advanced threat detection and response solutions that can identify and block malicious drivers and other threats before they can cause harm.
Conclusion
In conclusion, the exploitation of the Windows policy loophole to forge kernel-mode driver signatures is a significant threat that underscores the need for robust cybersecurity measures. By staying informed about emerging threats and implementing proactive security measures, organizations can better protect themselves and their users from these and other cybersecurity threats.