The vulnerabilities in signed drivers are primarily used by developers to circumvent anti-cheat mechanisms in games, but have also been used by several hacker groups and in malware. This article discusses the types of vulnerabilities that commonly appear in kernel drivers, provides several case studies of malware using these vulnerable drivers, analyzes examples of vulnerable drivers discovered during our research, and describes effective mitigation techniques against this type of operation. These drivers can often serve as gateways to the Windows kernel for malicious actors.
There are different types of kernel drivers (the central component of the Windows operating system): "software" drivers that provide specific non-hardware related functionality, such as software diagnostics and debugging, system analysis, etc. These are likely to significantly expand the attack surface. Although direct loading of an unsigned malicious driver is no longer possible in newer versions of Windows, and kernel rootkits are a thing of the past, there are still ways to load malicious code into the kernel, for example by hijacking legitimate signed drivers. There are indeed many drivers developed by hardware vendors and software vendors that provide functionality to fully access the kernel with minimal effort.
The most commonly observed vulnerabilities in kernel drivers are:
- Inability to add controls that limit read and write access to critical registers specific to the MSR model
- Expose the ability to map read/write physical memory from user mode
- Exposing the ability to read/write kernel virtual memory from user mode
“ When malware operators need to execute malicious code in the Windows kernel on x64-based systems equipped with driver signature verification, installing a signed vulnerable kernel driver appears to be a viable option for doing so. This technique, called " Bring Your Own Vulnerable Driver " (BYOVD), is used by high-level hacker groups as well as in common malware, " explains Peter Kálnai.
Among the malicious actors using the BYOVD technique:
- The Slingshot group which implemented its core module called Cahnadr as a kernel-mode driver that can be loaded by vulnerable signed kernel drivers.
- The InvisiMole group which was discovered by ESET researchers in 2018. A newer variant of the InvisiMole malware is the only case of MSR exploitation observed by ESET on Windows 10 x64 systems so far.
- The RobbinHood ransomware which, like common malware, seeks to reach as many people as possible. So seeing him use a BYOVD technique is rare but particularly interesting. This ransomware exploits a vulnerable GIGABYTE motherboard driver to disable driver signature verification and install its own malicious driver.
- LoJax, another ESET discovery in 2018 and the very first UEFI rootkit, used the RWEverything driver to access victims' UEFI modules.
The full list of discovered vulnerabilities is available in the article published by ESET Research , Signed kernel drivers – Unguarded gateway to Windows' core .
“ While there are several mechanisms employed by the CPU and/or the operating system, most of them can be circumvented by clever techniques and are not very effective when the attacker has prepared for the attack. advance, ” adds Mr. Kálnai.
The article offers the following useful mitigation techniques:
- Virtualized Security : This is a feature introduced in Windows 10 that uses hardware virtualization to place the kernel in a sandbox, thus securing the operating system with different protections.
- Certificate revocation : On modern Windows systems, drivers must have a valid signature based on an "acceptable" certificate. Therefore, revoking a vulnerable driver's certificate would be an easy way to "disarm" it and render it unusable in most cases.
- Driver blocking : This is a practice adopted by both Microsoft and various third-party security vendors, including ESET, to detect and remove the most common vulnerable drivers.
The editorial staff of Africa CyberSecurity Mag
