
A Microsoft Windows policy loophole has been observed being exploited, primarily by native Chinese-speaking threat actors, to forge kernel-mode driver signatures.
In an in-depth two-part report shared with The Hacker News, Cisco Talos said, “Attackers are leveraging multiple open-source tools to change the signing date of kernel-mode drivers in order to load malicious, unverified drivers signed with expired certificates.” “This is a major threat, because access to the kernel provides complete access to the system and is therefore a total compromise.”
Following responsible disclosure, Microsoft said it had taken steps to block all of the certificates involved to mitigate the threat. Further, it said its investigation found that “the activity was limited to the abuse of multiple developer program accounts and that no Microsoft accounts were compromised.”
In addition to suspending the developer program accounts involved in the incident, the tech giant emphasized that the threat actors had already obtained administrative privileges on the compromised systems before using the drivers.
It’s worth pointing out that the Windows maker rolled out similar blocking protections in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for their post-exploitation activities.
Driver Signature Enforcement requires kernel-mode drivers to be digitally signed with a certificate from Microsoft’s Dev Portal and is an important line of defense against malicious drivers. Malicious drivers can be weaponized to evade security solutions, tamper with system processes, and maintain persistence.
A new loophole discovered by Cisco Talos allows kernel-mode driver signatures to be forged, thereby bypassing Windows certificate policy.
This is made possible by an exception Microsoft made to maintain compatibility. This exception allows cross-signed drivers if they are “signed with an end-entity certificate issued before July 29, 2015 that chains to a supported cross-signed [certificate authority].”
“The third exception creates a loophole that allows a newly compiled driver to be signed with a non-revoked certificate issued or expired before July 29, 2015, as long as the certificate chains to a supported cross-signed certificate authority,” said the cybersecurity firm.
As a result, drivers signed in this way are not prevented from loading on Windows devices, allowing attackers to leverage the escape clause to deploy thousands of malicious signed drivers without submitting them to Microsoft for verification.
These rogue drivers are deployed using signature timestamp forgery software such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.
HookSignTool has been accessible via GitHub since January 7, 2020, and FuckCertVerifyTimeValidity was first committed to the code hosting service on December 14, 2018.

“HookSignTool is a driver signature forging tool that changes a driver’s signing date during the signing process through a combination of hooking the Windows API and manually modifying the import table of a legitimate code signing tool,” explained Cisco Talos.
Specifically, this involves hooking the CertVerifyTimeValidity function, which verifies the time validity of certificates, and changing the signing timestamp on the fly.
“This small project prevents signing tools from verifying certificate time validity, allowing bins to be signed with older certificates without manually changing the system time,” states the GitHub page for FuckCertVerifyTimeValidity.
“It installs a hook on crypt32!CertVerifyTimeValidity to always return 0, and on kernel32!GetLocalTime to return whatever time you want, so to sign with a certificate from 2011 you can add “-fuckyear 2011” to the signtool command line.”
However, a successful forgery requires a non-revoked code-signing certificate issued before July 29, 2015, along with the certificate’s private key and passphrase.
Cisco Talos said it has discovered over a dozen code signing certificates, with keys and passwords, in PFX files hosted on GitHub within a forked repository of FuckCertVerifyTimeValidity. It is not immediately clear how these certificates were obtained.
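A back-dated signature produced this way leaves a detectable inconsistency: the PKCS#9 signingTime attribute inside the Authenticode blob ends up earlier than the linker timestamp in the PE header, which cannot happen for an honestly signed build. The following added example (not Talos’s code or the article’s) reads both timestamps from a PE image and flags legacy-era signing times that predate the link time; the heuristic, the one-day slack, and the constructed sample images are assumptions, and reproducible builds or RFC 3161 countersignatures can shift either value.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Microsoft's legacy cross-signing exception only covers certificates issued before this date.
CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)
# DER bytes of OID 1.2.840.113549.1.9.5 (PKCS#9 signingTime) followed by SET { UTCTime "YYMMDDHHMMSSZ" }.
SIGNING_TIME = re.compile(rb"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x05\x31\x0f\x17\x0d(\d{12})Z")

def pe_timestamps(data: bytes):
    """Return (link_time, signing_time) of a PE image; signing_time is None when unsigned."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    link_ts = struct.unpack_from("<I", data, pe + 8)[0]                 # COFF TimeDateStamp
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                        # data directories, PE32 vs PE32+
    sec_off, sec_len = struct.unpack_from("<II", data, dirs + 4 * 8)    # IMAGE_DIRECTORY_ENTRY_SECURITY
    signing = None
    if sec_off and sec_len:
        match = SIGNING_TIME.search(data[sec_off + 8:sec_off + sec_len])  # skip WIN_CERTIFICATE header
        if match:
            signing = datetime.strptime(match.group(1).decode(), "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(link_ts, timezone.utc), signing

def assess(data: bytes) -> str:
    """A driver cannot honestly be signed before it was linked; a pre-2015 signing time well
    before the link time is the footprint of a back-dated signature (assumed heuristic)."""
    link, signing = pe_timestamps(data)
    if signing is None:
        return "unsigned"
    if signing < CUTOFF and link > signing + timedelta(days=1):         # one day of slack for clock skew
        return "suspicious: legacy-era signing time predates link time"
    return "consistent"

def build_sample_pe(link_iso: str, signing: str = "") -> bytes:
    """Constructed minimal PE32+ image with an optional fake signature blob (test data, not a real driver)."""
    link_ts = int(datetime.fromisoformat(link_iso).replace(tzinfo=timezone.utc).timestamp())
    pe = 0x40
    img = bytearray(pe) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, link_ts, 0, 0, 240, 0)
    struct.pack_into("<I", img, 0x3C, pe)
    img += struct.pack("<H", 0x20B) + bytes(238)                        # PE32+ optional header
    if signing:
        der = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x05\x31\x0f\x17\x0d" + signing.encode() + b"Z"
        blob = struct.pack("<IHH", 8 + len(der), 0x0200, 0x0002) + der  # WIN_CERTIFICATE + PKCS#7 fragment
        struct.pack_into("<II", img, pe + 24 + 112 + 32, len(img), len(blob))
        img += blob
    return bytes(img)
```

On real drivers, run `assess(open(path, "rb").read())` over the driver store; hits deserve a full chain check rather than being treated as proof on their own.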
Additionally, HookSignTool has been used to re-sign cracked drivers to bypass Digital Rights Management (DRM) integrity checks, and a threat actor named “Juno_Jr” was observed releasing a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum on November 9, 2022.
“In the cracked version […], the patched driver was re-signed with a certificate originally issued to ‘Shenzhen Luyoudashi Technology Co., Ltd.’, and this certificate was included in the PFX file on GitHub,” a Talos researcher said. “Attempting to bypass DRM checks for signed drivers is a serious roadblock.”

That’s not all. HookSignTool is also used by a previously undocumented driver identified as RedDriver to forge signature timestamps. Active since at least 2021, it functions as a driver-based browser hijacker that utilizes the Windows Filtering Platform (WFP) to intercept browser traffic and reroute it to localhost (127.0.0.1).
The target browser is randomly selected from a hard-coded list containing the process names of many popular Chinese browsers such as Liebao, QQ Browser, Sogou and UC Browser, as well as Google Chrome, Microsoft Edge and Mozilla Firefox.
Chris Neal, an outreach researcher at Cisco Talos, told The Hacker News: “This was one of the first samples I came across that immediately struck me as suspicious. What caught my attention was the list of web browsers stored within the RedDriver file.”
The ultimate purpose of this browser traffic redirection is not clear, but it goes without saying that such functionality can be abused to modify browser traffic at the packet level.
RedDriver’s infection chain begins by executing a binary named ‘DnfClientShell32.exe’, which then initiates encrypted communication with a command and control (C2) server to download a malicious driver.
“Although we did not observe the delivery of the initial file, it is very likely that it was packaged to look like a game file and hosted on a malicious download link,” said Neal. “The victim probably thought they were downloading a file from a legitimate source and ran the executable. ‘DNFClient’ is the name of a file that belongs to ‘Dungeon Fighter Online’, a very popular game in China commonly known as ‘DNF’.”
“The learning curve for malicious driver development is steep, so RedDriver was likely developed by a highly skilled attacker,” Cisco Talos said. “Although this threat appears to target native Chinese speakers, it is likely that the authors are also Chinese speakers.”
“The authors also demonstrated familiarity or experience with the software development lifecycle, another skill set that requires previous development experience.”