Hackers Exploited a Windows Policy Loophole to Forge Kernel Mode Driver Signatures



A Microsoft Windows policy loophole has been observed being exploited, primarily by native Chinese-speaking threat actors, to forge signatures on kernel mode drivers.

“Actors leverage several open source tools that change the signing date of kernel mode drivers to load rogue and unverified drivers signed with expired certificates,” Cisco Talos said in a two-part report shared with The Hacker News. “This is a big threat, because access to the kernel provides complete access to the system, and therefore total compromise.”

Following responsible disclosure, Microsoft said it has taken steps to block all the certificates involved in order to mitigate the threat. It further stated that its investigation found “the activity was limited to the misuse of multiple developer program accounts and no compromise of Microsoft accounts has been identified.”

The tech giant, apart from suspending the developer program accounts involved in the incident, emphasized that the threat actor had already obtained administrative privileges on the compromised system before using the driver.

It’s worth noting that the Windows maker rolled out similar blocking protections in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for post-exploitation activity.

Driver Signature Enforcement (DSE), which requires kernel mode drivers to be digitally signed with a certificate from Microsoft’s Dev Portal, is an important line of defense against malicious drivers, which could be weaponized to evade security solutions, tamper with system processes, and maintain persistence.

A new weakness discovered by Cisco Talos makes it possible to forge signatures on kernel mode drivers, thereby bypassing Windows certificate policies.

This is possible because of an exception carved out by Microsoft to maintain compatibility, which allows cross-signed drivers if they are “signed with an end-entity certificate issued before July 29, 2015 that chains to a supported cross-signed certificate authority.”

“The third exception creates a loophole that allows freshly compiled drivers to be signed with an unrevoked certificate issued before, or expired before, July 29, 2015, provided the certificate chains to a supported cross-signed certificate authority,” the cybersecurity firm said.

As a result, drivers signed in this way are not prevented from loading on Windows devices, allowing threat actors to take advantage of the loophole to deploy thousands of maliciously signed drivers without submitting them to Microsoft for verification.

These rogue drivers are deployed using signature timestamp forging software such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.

HookSignTool has been accessible via GitHub since January 7, 2020, while FuckCertVerifyTimeValidity was first committed to the code hosting service on December 14, 2018.


“HookSignTool is a driver signature forgery tool that changes the driver signing date during the signing process via a combination of hooks to the Windows API and manual alterations to the import table of valid code signing tools,” Cisco Talos explains.

In particular, it involves a hook on the CertVerifyTimeValidity function, which verifies the time validity of a certificate, to change the signing timestamp at run time.

“This little project prevents signtool from verifying the validity of time certificates and lets you sign your bin with an obsolete certificate without changing the system time manually,” the GitHub page for FuckCertVerifyTimeValidity reads.



“This installs a hook to crypt32!CertVerifyTimeValidity and makes it always return 0, and makes kernel32!GetLocalTime return what you want, because you can add ‘-fuckyear 2011’ to the signtool command line to sign with a certificate from 2011.”

However, a successful forgery requires an unrevoked code signing certificate issued before July 29, 2015, along with its private key and passphrase.
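The exception and the requirements described above give defenders something concrete to hunt for: a loaded driver whose signer certificate was issued before July 29, 2015 and has since expired. The PowerShell script below is an added example, not code from the article or from Cisco Talos; it assumes an elevated prompt and uses only the built-in Win32_SystemDriver class and Get-AuthenticodeSignature cmdlet.

```powershell
# Added hunting helper (not from the article or Talos): lists running kernel drivers whose
# Authenticode signer certificate falls under the pre-July-29-2015 cross-signing exception
# and has since expired. Matches are review candidates, not verdicts: many legitimate
# older drivers are signed the same way, so cross-check the subject against known vendors.
$CutOff = Get-Date '2015-07-29'
$Now    = Get-Date

# Normalise the driver image paths reported by the service control manager.
$DriverPaths = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    } |
    Sort-Object -Unique

foreach ($Path in $DriverPaths) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }

    $Sig  = Get-AuthenticodeSignature -FilePath $Path
    $Cert = $Sig.SignerCertificate
    if (-not $Cert) { continue }   # unsigned or no signer recoverable; triage separately

    $IssuedBeforeCutoff = $Cert.NotBefore -lt $CutOff
    $Expired            = $Cert.NotAfter  -lt $Now
    # Forged signing dates typically come without a trusted RFC 3161 countersignature.
    $NoTimestamp        = -not $Sig.TimeStamperCertificate

    if ($IssuedBeforeCutoff -and $Expired) {
        [pscustomobject]@{
            Driver      = $Path
            Subject     = $Cert.Subject
            Thumbprint  = $Cert.Thumbprint
            NotBefore   = $Cert.NotBefore
            NotAfter    = $Cert.NotAfter
            NoTimestamp = $NoTimestamp
            SigStatus   = $Sig.Status
        }
    }
}
```

Pipe the output to Export-Csv to keep a baseline; a new entry with NoTimestamp set to True and an unfamiliar subject is the one to pull for analysis first.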

Cisco Talos says it found more than a dozen code signing certificates, with keys and passwords, contained in a PFX file hosted on GitHub in a forked repository of FuckCertVerifyTimeValidity. It was not immediately clear how these certificates were obtained.

Moreover, HookSignTool has been observed being used to re-sign cracked drivers to bypass digital rights management (DRM) integrity checks, with an actor named “Juno_Jr” releasing a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum on November 9, 2022.

“In the cracked (…) version, the patched driver is re-signed with the certificate originally issued to ‘Shenzhen Luyoudashi Technology Co., Ltd.,’ contained in a PFX file on GitHub,” the Talos researchers said. “This ability to re-sign cracked drivers removes a significant roadblock when trying to pass DRM checks on signed drivers.”


HookSignTool has also been used by a previously undocumented driver identified as RedDriver to forge its signature timestamp. Active since at least 2021, RedDriver is a driver-based browser hijacker that abuses the Windows Filtering Platform (WFP) to intercept browser traffic and redirect it to localhost (

The target browser is randomly selected from a hard-coded list containing the process names of many popular Chinese browsers, such as Liebao, QQ Browser, Sogou, and UC Browser, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox.

“I originally came across RedDriver while researching certificate timestamps on Windows drivers,” Chris Neal, outreach researcher for Cisco Talos told The Hacker News. “It was one of the first samples I came across that was immediately suspicious. What caught my attention was the list of web browsers stored inside the RedDriver file.”

The ultimate goal of redirecting browser traffic is unclear, although such a capability could clearly be abused to tamper with browser traffic at the packet level.

The RedDriver chain of infection begins with an executable binary named “DnfClientShell32.exe”, which, in turn, initiates encrypted communication with a command-and-control (C2) server to download the malicious driver.

“We didn’t observe the initial file delivery, but it’s likely that it was packaged to masquerade as a game file, and hosted on a malicious download link,” said Neal. “Victims may think they downloaded the file from a legitimate source and executed the executable file. ‘DNFClient’ is the filename belonging to ‘Dungeon Fighter Online’ which is a very popular game in China and commonly referred to as ‘DNF.'”

“RedDriver was likely developed by highly skilled threat actors because the learning curve for developing a malicious driver is very steep,” said Cisco Talos. “While the threats appear to be targeting native Chinese speakers, their authors are likely to be Mandarin speakers as well.”

“The authors also demonstrated familiarity or experience with the software development life cycle, another skill set requiring prior development experience.”
