Hackers have been exploiting a Windows policy loophole to load malicious and unverified drivers with expired certificates using open source tools, according to researchers from Cisco Talos. The activity, primarily targeting Chinese-speaking Windows users, could potentially provide threat actors with full access to victims’ systems.
The researchers discovered this malicious activity, which takes advantage of an exception in Microsoft’s Windows driver-signing policy. This exception allows the signing and loading of cross-signed kernel mode drivers with signature timestamps prior to July 29, 2015. In a blog post on July 11, Chris Neal, an outreach researcher for Cisco Talos, explained that actors are using open source tools to alter the signing date of kernel mode drivers and load malicious and unverified drivers signed with expired certificates.
Cisco Talos researchers have observed over a dozen code-signing certificates with keys and passwords hosted on GitHub in a PFX file, which are used in conjunction with these open source tools. Two of these tools are HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.
In a separate post, Cisco Talos provided details about one of the malicious drivers named RedDriver. This driver uses HookSignTool to forge its signature timestamp in order to bypass Windows driver-signing policies. The threat actors behind RedDriver have utilized code from multiple open source tools, including HP-Socket and a custom implementation of ReflectiveLoader. The researchers also believe that the authors of RedDriver have extensive knowledge of the Windows OS and driver development.
Most of the malicious drivers discovered by the researchers contain Simplified Chinese language code in their metadata, indicating that the actors are targeting native Chinese speakers. Additionally, Cisco Talos found instances of the open source tools being used to alter signing dates on cracked drivers to bypass digital rights management (DRM).
Kernel mode drivers are a crucial part of the Windows OS, providing essential functions to run the system. They facilitate communication between the core layer of the OS and the user mode where files and applications reside. By loading a malicious kernel mode driver, attackers can breach the secure barrier between the user and the Windows kernel, compromising the entire system and evading detection.
Cisco Talos has informed Microsoft about their discovery, leading the company to block all certificates associated with malicious drivers. Microsoft has also issued an advisory, warning customers about the use of drivers to gain administrator privileges on compromised systems. After investigating, Microsoft determined that the activity was limited to the abuse of several developer program accounts, and no Microsoft accounts had been compromised. The company has suspended the partners’ seller accounts and implemented blocking detections for the reported malicious drivers.
The driver-signing exception was created to preserve functionality and compatibility with older drivers while still combating the threat of malicious drivers, but it also gave threat actors a way to get forged signatures accepted. To mitigate the threat, Cisco Talos recommends blocking the expired certificates associated with the malicious drivers, and Microsoft has also blocked the reported certificates. Comparing a driver's signature timestamp with its compilation date can sometimes reveal timestamp forging, but the check is not conclusive because the compilation date recorded in the binary can itself be altered.
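The timestamp comparison above, as an added example that is not from the Cisco Talos posts: it reads the compile time from a PE image's COFF header and flags a signing time that predates it, or that falls before the July 29, 2015 cutoff while the binary was compiled afterwards. The signing time is assumed to come from the driver's Authenticode countersignature, extracted by a separate tool; the PE bytes used here are a constructed, non-runnable header.

```python
import struct
from datetime import datetime, timezone

# Cutoff of the cross-signing exception described in the article.
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build UTC dates without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def pe_compile_time(pe_bytes: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp sits at offset 4 in it.
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_anomalies(pe_bytes: bytes, signing_time: datetime) -> list:
    """Heuristic only: a linker can write any TimeDateStamp, so a clean result
    does not prove the signature timestamp is genuine."""
    compiled = pe_compile_time(pe_bytes)
    findings = []
    if signing_time < compiled:
        findings.append(f"signed {signing_time:%Y-%m-%d} before compile time {compiled:%Y-%m-%d}")
    if signing_time < CROSS_SIGN_CUTOFF <= compiled:
        findings.append("signing time predates the 2015-07-29 cutoff but the binary was compiled after it")
    return findings


def build_fake_pe(compile_time: datetime) -> bytes:
    """Construct a minimal PE header (sample input only, not a loadable image)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # Signature, Machine (x64), NumberOfSections, TimeDateStamp, symbol fields, opt hdr size, flags
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1,
                       int(compile_time.timestamp()), 0, 0, 0, 0x22)
    return bytes(hdr) + coff


if __name__ == "__main__":
    sample = build_fake_pe(utc(2023, 1, 15))
    print(timestamp_anomalies(sample, utc(2014, 6, 1)))   # forged-looking: two findings
    print(timestamp_anomalies(sample, utc(2023, 2, 1)))   # consistent: []
```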
Cisco Talos will continue to monitor this threat activity and report any future findings to Microsoft. They have also created coverage for the certificates discussed in their blog post to provide ongoing protection against this cyber threat.

