CyberSecurity SEE

Is there a loophole large enough for an APT to pass through?

An advisory from Cisco Talos has revealed that threat actors have been abusing a policy loophole in Windows cross-signed kernel drivers to load unverified malicious drivers with forged timestamps. The researchers identified over a dozen code signing certificates that were used together with open source tools to exploit this loophole. These certificates, along with their keys and passwords, were found in a PFX file hosted on GitHub. Based on the metadata language code found in the malicious drivers, the threat actors behind this activity are believed to be Chinese nationals.

The loophole exploited by the threat actors allows them to cross the user-kernel barrier, which is essential for maintaining the integrity and security of the operating system. By loading unverified malicious drivers onto the system, these threat actors can potentially gain unauthorized access and compromise the overall security of the system. This poses a significant risk to both individuals and organizations relying on Windows operating systems.

Cisco Talos promptly informed Microsoft about the issue, and the tech giant has taken immediate action to address the problem. Microsoft has disabled all forged certificates that could have passed through this loophole, preventing further exploitation of the vulnerability. This proactive response shows Microsoft’s dedication to protecting its users and ensuring the security of its products.

The advisory from Talos also sheds light on how the loophole in Windows driver signing policy came to be. According to the researchers, Microsoft introduced exceptions to its driver signing policy with the release of Windows 10 1607. These exceptions were meant to allow older drivers to be authenticated and used. However, one specific exception created a loophole that threat actors have been exploiting.

The exception states that drivers signed with an end-entity certificate issued prior to July 29th, 2015, which chains to a supported cross-signed certificate authority, can be loaded without going through the regular verification process. This means that as long as a certificate was issued before that date, has not been revoked, and chains to a trusted cross-signed authority, it can still be used to load drivers without undergoing proper verification.

To exploit this vulnerability, threat actors have developed multiple open source tools, including HookSignTool and FuckCertVerifyTimeValidity. These tools enable threat actors to forge signature timestamps and deploy malicious drivers without submitting them to Microsoft for verification. Talos has observed multiple threat actors utilizing these tools to deploy thousands of malicious, signed drivers.
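As an added example (not code from the Talos advisory or this article), the following Python triage routine applies the exception window described above to driver signature metadata and flags timestamp inconsistencies of the kind a backdated signature produces. The record fields, the PE-timestamp comparison and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Cut-off from the Windows 10 1607 policy exception described in the article:
# end-entity certificates issued before this date, chaining to a supported
# cross-signed CA, load without going through Microsoft's verification.
LEGACY_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


@dataclass
class DriverSignature:
    """Signature metadata pulled from a driver file (field set is an assumption)."""
    path: str
    cert_not_before: datetime        # end-entity certificate issuance date
    cert_not_after: datetime         # end-entity certificate expiry
    chains_to_cross_signed_ca: bool  # chain ends in a Microsoft cross-signed CA
    signing_time: datetime           # time claimed by the (counter)signature
    pe_timestamp: datetime           # PE header TimeDateStamp (link/build time)


def triage(sig: DriverSignature) -> list[str]:
    """Return the findings that make this driver worth a manual review."""
    findings = []
    if sig.chains_to_cross_signed_ca and sig.cert_not_before < LEGACY_CUTOFF:
        # Falls under the legacy exception: loads without Microsoft verification.
        findings.append("legacy-exception")
    if not (sig.cert_not_before <= sig.signing_time <= sig.cert_not_after):
        # Signature claims a time at which the certificate was not valid.
        findings.append("signing-time-outside-cert-validity")
    if sig.signing_time < sig.pe_timestamp:
        # A file cannot be signed before it was built, so a backdated signing
        # time usually trips this. Heuristic only: some toolchains emit
        # reproducible or zeroed TimeDateStamp values, so confirm by hand.
        findings.append("signed-before-built")
    return findings


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample records (not real drivers or certificates).
SAMPLES = [
    DriverSignature("legit_2014.sys", _utc(2014, 3, 1), _utc(2017, 3, 1), True,
                    _utc(2014, 9, 10), _utc(2014, 9, 9)),
    DriverSignature("backdated.sys", _utc(2014, 3, 1), _utc(2017, 3, 1), True,
                    _utc(2015, 1, 5), _utc(2023, 2, 14)),
    DriverSignature("attested.sys", _utc(2021, 6, 1), _utc(2024, 6, 1), True,
                    _utc(2022, 1, 1), _utc(2021, 12, 20)),
]


def drivers_needing_review(sigs=SAMPLES) -> dict[str, list[str]]:
    """Map driver path -> findings, omitting drivers with nothing to flag."""
    return {s.path: f for s in sigs if (f := triage(s))}
```

A driver that only carries the "legacy-exception" finding is not necessarily malicious; it is simply one that never went through Microsoft's verification and so deserves the same scrutiny as any unattested binary.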

The discovery of this loophole and subsequent exploitation by threat actors highlights the constant cat-and-mouse game between cybersecurity researchers and those seeking to exploit vulnerabilities. Although the Talos researchers were able to identify the threat actors involved, attribution in the cyber realm can be challenging. Determining the true identities and motivations of these threat actors requires further investigation and collaboration between cybersecurity experts and law enforcement agencies.

In response to this incident, it is critical for Windows users to remain vigilant and ensure that their systems are up to date with the latest security patches and updates. Regularly checking for and installing these updates will help mitigate the risk of falling victim to attacks leveraging this particular vulnerability.

Microsoft’s swift response and action to disable the forged certificates demonstrate the company’s commitment to addressing security vulnerabilities promptly. However, this incident also emphasizes the need for continuous monitoring, proactive security measures, and ongoing collaboration between researchers, vendors, and users to stay ahead of evolving threats in the ever-changing landscape of cybersecurity.
