Threat actors forged Windows driver signatures via loophole

Threat actors bypassed Microsoft's driver signing policy using a technical loophole and signature timestamp forging tools commonly used in the video game cheat community.

Threat actors weaponized Windows drivers with forged signatures in several cyber attacks, according to Microsoft and other cybersecurity vendors.

In a security advisory on Tuesday, Microsoft said unnamed threat actors maliciously used drivers certified by the Windows Hardware Developer Program in attacks after initially gaining administrative access in the victims' environments. Driver signature bypasses are considered highly dangerous, as they can be utilized to gain kernel-level access within victim environments.

The discovery was credited to three vendors: Cisco Talos, Sophos and Trend Micro. According to the advisory, "several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature." After completing its investigation, Microsoft determined threat activity was limited to abuse of several developer accounts, and that no Microsoft account compromises had been identified.

In response, Microsoft has revoked all certificates and drivers used in the attacks, and all relevant accounts have been suspended.

Additionally, the company "implemented blocking detections for all the reported malicious drivers to help protect customers from this threat" and released patches for Windows Security.

Additional technical details are available in blog posts published by Sophos and Cisco Talos. Cisco Talos' blog provided significant context for how threat actors executed their plan.

Cisco Talos outreach researcher and post author Chris Neal explained that starting with Windows 10 version 1607 (released to the public in August 2016), Microsoft changed its driver signing policy to only allow kernel-mode drivers signed by its Developer Portal. However, a loophole exists that "allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority."

Neal said cyber adversaries were able to bypass the updated policy via signature timestamp forging tools that are several years old and are often used in the video game cheat development community. To illustrate this point, he referenced RedDriver, a driver-based browser hijacker Cisco Talos also reported on Tuesday. Neal said the hijacker utilized HookSignTool, the same signature forger used by the threat actors in this case.
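The forged-timestamp technique leaves a measurable inconsistency: a driver compiled years after its signing certificate expired cannot have been honestly timestamped while that certificate was valid. The following PowerShell check is an added example written for this article, not code from Microsoft or Cisco Talos; it walks the installed kernel drivers, reads each file's PE compile timestamp, and flags signatures whose certificate predates the July 29, 2015 cut-off yet expired before the driver was built. The compile timestamp is itself attacker-controlled, so treat hits as leads for further review rather than verdicts.

```powershell
# Heuristic hunt for back-dated driver signatures (added example, not from the article).
# A forged countersignature timestamp lets a freshly built driver carry a certificate that
# expired years ago. If the PE compile time is later than the signer certificate's NotAfter,
# the timestamp cannot have been genuine. Compile stamps can also be tampered with.

$PolicyCutoff = Get-Date '2015-07-29'   # certificate cut-off date quoted from the policy text

function Get-PeCompileTime {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Seek(0x3C, 'Begin') | Out-Null            # e_lfanew: file offset of the PE header
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset + 8, 'Begin') | Out-Null   # skip "PE\0\0", Machine, NumberOfSections
        $stamp = $br.ReadUInt32()                     # IMAGE_FILE_HEADER.TimeDateStamp (Unix seconds)
        return [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
    } finally { $fs.Dispose() }
}

function Test-DriverSignatureTimeline {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $null }  # unsigned or unparseable: nothing to compare
    $cert    = $sig.SignerCertificate
    $compile = Get-PeCompileTime -Path $Path
    [pscustomobject]@{
        Driver        = $Path
        Signer        = $cert.Subject
        Status        = $sig.Status
        CertNotBefore = $cert.NotBefore
        CertNotAfter  = $cert.NotAfter
        CompileTime   = $compile
        PreCutoffCert = $cert.NotBefore -lt $PolicyCutoff                 # eligible for the legacy path
        Suspicious    = ($compile -gt $cert.NotAfter.ToUniversalTime())   # built after cert expiry
    }
}

# Resolve every known driver path and report the anomalies.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be absolute, prefixed with \??\ or \SystemRoot\, or relative to the Windows dir
        $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
        if (Test-Path $p) { Test-DriverSignatureTimeline -Path $p }
    } |
    Where-Object { $_ -and $_.Suspicious } |
    Format-Table Driver, Signer, Status, CertNotAfter, CompileTime -AutoSize
```

Run from an elevated prompt so every driver file is readable; drivers whose Status is Valid despite the timeline mismatch are the ones that match the pattern described in the article.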

Neal told TechTarget Editorial in an email that although Microsoft blocked certificates and remediated the immediate issue, it was still "in a tough position."

"[Microsoft needs] to balance the security implications along with the ability to support hardware built before 2015," he said. "In this particular case they mitigated all the abused certificates, which will eliminate the activity that we have found. However, closing the loophole in the signature policy would break a lot of older legitimate cross-signed drivers."

Neal said the most effective way to maintain backwards compatibility and mitigate the issue is to block certificates, but it is also possible "additional certificates will be exposed or stolen, allowing additional exploitation" or that threat actors already have additional exposed certificates in their possession.

TechTarget Editorial contacted Microsoft for additional information regarding the scope of exploitation, but the company declined to comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
