A loophole in a core Windows security mechanism that requires all kernel drivers to be digitally signed by Microsoft allows attackers to forge signatures on maliciously modified drivers. This technique has been automated and used to defeat anti-cheating and digital rights management (DRM) features in games and more recently to deploy highly persistent malware.
“From an attacker’s perspective, the advantages of leveraging a malicious driver include, but are not limited to, evasion of endpoint detection, the ability to manipulate system and user mode processes, and maintained persistence on an infected system,” researchers from Cisco Talos said in a report. “These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies.”
Exceptions to the Windows driver policy
Kernel drivers are powerful pieces of code because they run in the most privileged area of the operating system, often facilitating communication between the OS itself and the hardware components installed in the computer: network cards, graphics cards, storage drives, sound cards, USB devices and so on. They can also be used to implement powerful features in software programs, such as virtualization, file wiping, or disk encryption. Security software often relies on drivers as well to implement some of its features.
Attackers have historically taken advantage of the power of drivers, too, by creating malicious drivers to deploy powerful rootkits, but starting with Windows Vista, Microsoft began cracking down on this abuse by requiring all kernel-mode drivers to be digitally signed by a certificate authority (CA). While this didn’t completely put a stop to malicious drivers, it raised the bar, because obtaining a code signing certificate from a CA is not cheap and involves identity verification.
Starting with Windows 10 version 1607, Microsoft went even further and started requiring all kernel drivers to be signed not by a third-party CA, but through its own Developer Program. However, to accommodate existing drivers during the transition period, this policy came with three exceptions: for drivers deployed on an older version of Windows that was upgraded in place to Windows 10, for drivers deployed when Secure Boot is disabled in BIOS, and for drivers that were signed with a valid user certificate before July 29, 2015, if the certificate had been issued by a certificate authority trusted in Windows.
Hackers figured out that this last exception could be abused if they found a way to sign new drivers and then alter the signature timestamp so it appeared to Windows that the certificate was signed in the past, before July 29, 2015. They developed a method that is now implemented and available in open-source tools. The catch: It requires existing code signing certificates that expired before or were issued before that date and were never revoked.
Unlike HTTPS connections in browsers, Windows will accept the installation of drivers that are signed with an expired code signing certificate. In fact, last year the hacking group LAPSUS$ stole and leaked two code-signing certificates from Nvidia that were expired since 2014 and 2018, and they were still used by attackers to sign malware and hacking tools.
Tools and certificates are available to exploit the Windows policy loophole
“Talos has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification,” the Talos researchers said. “During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers.”
HookSignTool and FuckCertVerifyTimeValidity are two tools that were created by Chinese authors and published on Chinese forums and on GitHub in 2019 and 2020, respectively. They both hook into the Windows API by using the Microsoft Detours library and attach themselves as DLLs to a legitimate code signing tool. Using this functionality they intercept calls to a function called CertVerifyTimeValidity that verifies that the signing date of a given file is valid and directs them to a modified version of the function that allows specifying custom timestamps.
The Talos researchers even found a collection of valid code signing certificates issued to different entities before July 29, 2015, that were distributed alongside one of the tools in a GitHub repository. It’s unclear how these certificates were obtained, but they came complete with their private key and passwords. Many were issued to entities with Chinese names, but a few came from the 2015 leak of data from Italian surveillance software developer HackingTeam.
Chinese browser hijacker RedDriver
One of the malware threats that the Talos researchers recently observed exploiting this loophole is called RedDriver. This threat is designed to hijack browser traffic through a driver that interacts with the Windows Filtering Platform (WFP).
“There are clear indications that the intended victims of this threat are native Chinese speakers,” the Talos researchers said. “Firstly, the driver contains a hardcoded list of Chinese language browser process names, which are searched for and hijacked. Additionally, in one instance RedDriver contained a list of driver names, many of which were related to multiple Chinese language internet cafe management software products. There are also many indications that the authors of RedDriver are native Chinese speakers themselves.”
RedDriver uses HookSignTool to bypass the driver signature enforcement and is signed with a driver issued to an entity called Beijing JoinHope Image Technology Ltd. Its developers are skilled at driver development, which requires good knowledge of Windows internals. Bugs in kernel-mode drivers can lead to system instability and can cause system reboots and halts (blue screen of death), but none of these issues were observed in RedDriver. While RedDriver is a threat primarily aimed at Chinese-speaking users, the malware could be modified to target any browser or process that generates internet traffic.
Microsoft’s mitigation for the Windows driver signature enforcement loophole
Microsoft published an advisory Tuesday in response to the findings from Cisco Talos as well as Sophos and Trend Micro, which have contacted the company with various of misused signed drivers since February. The company also released updates that blacklist the reported drivers as well as the signing certificates that have been used to create them. Detections have also been added to Microsoft Defender and several accounts who were submitting malicious drivers to the Microsoft Partner Center (MPC) have been suspended.
Vulnerabilities, Windows Security
