After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.
Talos researcher Chris Neal discussed how the security problem evolved in a blog post.
“Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority,” Neal wrote. “Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection.”
Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. “This process is intended to ensure that drivers meet Microsoft’s requirements and security standards,” he wrote.
Still, there are exceptions – most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015.
If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won’t be blocked. “As a result, multiple open source tools have been developed to exploit this loophole,” Neal wrote.
And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos “has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.”
Neal said that two timestamp forging tools that are popular ways of developing game cheats are now being used by threat actors. The tools are FuckCertVerifyTimeValidity, which was launched in 2018; and HookSignTool, available since 2019.
“To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password,” Neal wrote. “During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures.”
Both tools present a serious threat, Neal said, since malicious drivers can give attackers kernel-level access to a system.
“Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,” he noted.
A Real-World Example
In a separate blog post, Neal described one example of the threat, a malicious driver named RedDriver that’s been active since at least 2021. “Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running,” he wrote. “RedDriver is a real-world example of this tool being effectively used in a malicious context.”
“During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows … RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1),” Neal wrote.
“As of publication time, the end goal of this browser traffic redirection is unclear,” he added. “However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.”
Defending Against Signed Drivers
Neal recommended blocking the certificates in question, “as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.”
KnowBe4 data-driven defense evangelist Roger Grimes told eSecurity Planet by email that an even greater threat could be presented if an attacker were to create something highly wormable. “A wormable exploit using a bogus signing certificate could cause a lot of problems,” he said.
The good news, Grimes said, is that all of this is preventable. “Microsoft provides several ways, such as Windows Defender Application Control, to prevent unwanted installing of drivers and software,” he said. “Customers just have to research how they work and enable them. Then this entire threat is gone.”
- Best Antivirus Software
- Top Endpoint Detection and Response (EDR) Solutions
- Best Patch Management Software & Tools
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.