
Windows driver signatures manipulated by threat actors without detection


Several cyber attacks have been reported, with threat actors using forged signatures in Windows drivers, according to Microsoft and other cybersecurity vendors. In a security advisory released on Tuesday, Microsoft disclosed that these threat actors had gained administrative access to victims’ environments before using drivers certified by the Windows Hardware Developer Program. The use of driver signature bypasses is considered highly dangerous as it enables attackers to gain kernel-level access within victim environments.

The discovery of these attacks was made by three cybersecurity vendors: Cisco Talos, Sophos, and Trend Micro. According to Microsoft’s advisory, “several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.” Microsoft’s investigation revealed that the threat activity was limited to the abuse of several developer accounts, and no compromises of Microsoft accounts were identified.

In response, Microsoft has revoked all certificates and drivers used in the attacks and suspended the relevant accounts. The company has also implemented blocking detections for all reported malicious drivers to assist in protecting customers from this threat. Additionally, patches for Windows Security have been released.

Further technical details about the attacks have been shared in blog posts by Sophos and Cisco Talos. Cisco Talos’ blog provides significant context on how the threat actors executed their plan. According to Chris Neal, an outreach researcher at Cisco Talos, Microsoft changed its driver signing policy with the release of Windows 10 version 1607 in August 2016. The updated policy allows only kernel-mode drivers signed by Microsoft’s Developer Portal. However, Neal explains that a loophole exists that permits newly compiled drivers to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, as long as the certificate chains to a supported cross-signed certificate authority.

To bypass the updated policy, cyber adversaries used signature timestamp forging tools that are several years old and commonly used in the video game cheat development community. Neal provides an example of RedDriver, a driver-based browser hijacker, which also utilized HookSignTool, a signature forger used by the threat actors in this case.
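To make the policy exception and the forging technique described above concrete from a defender's side, here is an added triage example. It is not code from the original article, from Microsoft, or from Cisco Talos; it models the rule as the article states it (a non-revoked certificate issued or expired before July 29, 2015 that chains to a supported cross-signed CA may still sign a kernel driver) and adds one plausibility heuristic that is an assumption of this example: a driver whose PE link time is later than its countersignature time was compiled after it was supposedly signed, which is what a forged timestamp on a newly compiled driver looks like. All field names, category labels and sample metadata are constructed for illustration; in practice the metadata would be extracted from the Authenticode blob and its countersignature.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Cut-off date named in the article: an end-entity certificate issued (or expired)
# before this date, chaining to a supported cross-signed CA, may still sign drivers.
LEGACY_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


@dataclass
class DriverSignatureInfo:
    """Signature metadata for one .sys file (constructed input for this example)."""
    path: str
    signer_not_before: datetime        # end-entity certificate validity start
    signer_not_after: datetime         # end-entity certificate validity end
    signing_time: Optional[datetime]   # countersignature (timestamp) time, if present
    chains_to_cross_signed_ca: bool    # chain ends at a supported cross-signed CA
    signed_by_microsoft_portal: bool   # signed through Microsoft's Developer Portal
    revoked: bool                      # a chain certificate is revoked / driver block-listed
    pe_link_time: datetime             # IMAGE_FILE_HEADER.TimeDateStamp of the binary


def classify(info: DriverSignatureInfo) -> Tuple[str, str]:
    """Return (category, reason) for a driver signature under the described policy."""
    if info.revoked:
        return "blocked", "certificate revoked or driver block-listed"
    if info.signed_by_microsoft_portal:
        return "portal-signed", "signed via Microsoft's Developer Portal (current policy)"
    if not info.chains_to_cross_signed_ca:
        return "not-loadable", "neither portal-signed nor chained to a supported cross-signed CA"
    legacy = (info.signer_not_before < LEGACY_CUTOFF
              or info.signer_not_after < LEGACY_CUTOFF)
    if not legacy:
        return "not-loadable", "cross-signed certificate issued after the 2015 cut-off"
    # The legacy exception applies; now check whether the timestamp is plausible.
    if info.signing_time is None:
        return "legacy-suspicious", "legacy exception claimed but no countersignature"
    if not (info.signer_not_before <= info.signing_time <= info.signer_not_after):
        return "legacy-suspicious", "signing time outside certificate validity"
    if info.pe_link_time > info.signing_time:
        # Heuristic (assumption of this example): compiled after it was signed.
        return "legacy-suspicious", "PE link time later than signing time (possible forged timestamp)"
    return "legacy-ok", "pre-2015 cross-signed certificate with a consistent timestamp"


def run_triage(samples: Dict[str, DriverSignatureInfo]) -> Dict[str, str]:
    """Classify every sample and return path -> category."""
    return {path: classify(info)[0] for path, info in samples.items()}


def build_samples() -> Dict[str, DriverSignatureInfo]:
    """Constructed sample metadata (not real drivers) covering each outcome."""
    utc = timezone.utc
    old_nb, old_na = datetime(2013, 3, 1, tzinfo=utc), datetime(2016, 3, 1, tzinfo=utc)
    samples = {
        "portal.sys": DriverSignatureInfo(
            "portal.sys", datetime(2022, 1, 1, tzinfo=utc), datetime(2023, 1, 1, tzinfo=utc),
            datetime(2022, 6, 1, tzinfo=utc), False, True, False,
            datetime(2022, 5, 30, tzinfo=utc)),
        "blocked.sys": DriverSignatureInfo(
            "blocked.sys", old_nb, old_na, datetime(2014, 6, 10, tzinfo=utc),
            True, False, True, datetime(2023, 5, 2, tzinfo=utc)),
        "legacy_ok.sys": DriverSignatureInfo(
            "legacy_ok.sys", old_nb, old_na, datetime(2014, 6, 10, tzinfo=utc),
            True, False, False, datetime(2014, 6, 9, tzinfo=utc)),
        # Newly compiled binary carrying a back-dated countersignature.
        "forged.sys": DriverSignatureInfo(
            "forged.sys", old_nb, old_na, datetime(2014, 6, 10, tzinfo=utc),
            True, False, False, datetime(2023, 5, 2, tzinfo=utc)),
        "new_cross.sys": DriverSignatureInfo(
            "new_cross.sys", datetime(2019, 1, 1, tzinfo=utc), datetime(2022, 1, 1, tzinfo=utc),
            datetime(2020, 1, 1, tzinfo=utc), True, False, False,
            datetime(2019, 12, 1, tzinfo=utc)),
    }
    return samples


if __name__ == "__main__":
    for path, info in build_samples().items():
        category, reason = classify(info)
        print(f"{path:15} {category:18} {reason}")
```

The link-time comparison is only a heuristic: a PE header timestamp can itself be altered, so a "legacy-suspicious" result is a reason to look closer (and to compare against Microsoft's block list), not proof of forgery on its own.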

According to Neal, Microsoft has mitigated the immediate issue by blocking the certificates involved and remediating the affected drivers. However, he noted that Microsoft faces a tough balancing act between the security implications and continued support for hardware built before 2015. Closing the loophole in the signature policy would eliminate the activity found in this case, but it could also break many older, legitimate cross-signed drivers. Blocking certificates is currently seen as the most effective way to maintain backwards compatibility while mitigating the issue. However, additional certificates may be exposed or stolen in the future, allowing further exploitation by threat actors.

TechTarget Editorial reached out to Microsoft for more information about the scope of exploitation, but the company declined to comment on the matter.

The recent cyber attacks exploiting forged signatures in Windows drivers highlight the ongoing challenges faced by both Microsoft and the cybersecurity community. Balancing security and backward compatibility is a complex task, and as threat actors continue to evolve their tactics, it is crucial for organizations to remain vigilant and adopt comprehensive security measures to protect their systems and data.
