Scroll Top

Chinese threat actors exploit Windows Policy loophole to forge Kernel-Mode driver signatures

group-policy-editor-windows-10.jpg

Cisco Talos, a prominent cybersecurity company, has discovered a loophole in Microsoft Windows policy that is being exploited primarily by native Chinese-speaking threat actors. These actors are utilizing open-source tools to forge signatures on kernel-mode drivers, enabling them to load malicious and unverified drivers with expired certificates. This security vulnerability poses a significant threat as gaining access to the kernel grants complete control over a system, leading to its total compromise.

Microsoft’s Response: Upon responsible disclosure of the loophole, Microsoft has taken immediate action to mitigate the threat. The company has blocked all certificates associated with the exploit. Microsoft’s investigation revealed that the activity was limited to the abuse of several developer program accounts, with no compromise of Microsoft accounts identified. The tech giant has suspended the developer program accounts involved in the incident.

Driver Signature Enforcement and the Windows Policy Loophole
Driver signature enforcement, a crucial security measure, requires kernel-mode drivers to be digitally signed with a certificate from Microsoft’s Dev Portal. This process acts as a defense against malicious drivers, preventing them from evading security solutions, interfering with system processes, and maintaining persistence. However, the discovered weakness allows threat actors to forge signatures on kernel-mode drivers, bypassing Windows certificate policies.

The Exception and Exploitation
Microsoft introduced an exception to maintain compatibility, permitting cross-signed drivers if they were “signed with an end-entity certificate issued prior to July 29th, 2015, that chains to a supported cross-signed certificate authority.” Exploiting this exception, threat actors can deploy thousands of malicious, signed drivers without submitting them for Microsoft’s verification.

Tools Used for Signature Forging
Threat actors are employing signature timestamp forging software, such as HookSignTool and FuckCertVerifyTimeValidity. These tools, publicly available since 2019 and 2018 respectively, alter the signing date of a driver, manipulating the import table of a legitimate code signing tool. HookSignTool hooks into the CertVerifyTimeValidity function, while FuckCertVerifyTimeValidity installs a hook into crypt32!CertVerifyTimeValidity, enabling the signing of certificates from previous years.

Certificate Discovery and Cracked Drivers
Cisco Talos discovered over a dozen code signing certificates, along with keys and passwords, contained in a PFX file hosted on GitHub. The origin of these certificates remains unclear. The researchers also found instances where HookSignTool was used to re-sign cracked drivers, enabling the bypass of digital rights management (DRM) integrity checks. The cracked drivers were re-signed with legitimate certificates obtained from the PFX file on GitHub.

RedDriver: A Previously Undocumented Threat
Cisco Talos researchers uncovered a previously undocumented driver called RedDriver, which leverages HookSignTool to forge its signature timestamp. RedDriver operates as a driver-based browser hijacker, intercepting browser traffic and redirecting it to localhost. The hijacking targets popular Chinese language browsers, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox. The intentions behind this browser traffic manipulation are yet to be fully determined.

Conclusion
The exploitation of the Windows policy loophole by native Chinese-speaking threat actors highlights the need for enhanced security measures. While Microsoft has taken steps to mitigate the threat, it is crucial for users to remain vigilant and update their systems with the latest security patches. Ongoing monitoring and cooperation among cybersecurity organizations are essential to identify and address emerging threats in the digital landscape. Internetintelligence.eu will continue to provide updates on this evolving situation and offer insights into effective security practices.

Related Posts

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.