Hackers exploit Windows policy vulnerability to forge Kernel-Mode driver signatures


A Microsoft Windows policy vulnerability has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers.

«Attackers are leveraging a variety of open-source tools that alter the signing date of kernel-mode drivers to load malicious and unverified drivers signed with expired certificates,» Cisco Talos said in a two-part report shared with The Hacker News. «This is a major threat, as access to the kernel provides complete access to the system, and the system is therefore completely compromised.»

Following the responsible disclosure, Microsoft said it took steps to block all certificates to mitigate the threat. It further stated that their investigation found «this activity was limited to the abuse of certain developer program accounts, and no Microsoft account compromises were identified.»

The tech giant, besides suspending the developer program accounts related to the incident, emphasized that the threat actors had already gained administrative privileges on the compromised systems before the drivers were used.

It is worth mentioning that the Windows maker implemented similar blocking measures in December 2022 to prevent ransomware attackers from using Microsoft-signed drivers for post-exploitation activity.

Driver signature enforcement, which requires kernel-mode drivers to be digitally signed with a certificate from the Microsoft Developer Portal, is an important line of defense against malicious drivers, which can be weaponized to evade security solutions, tamper with system processes, and maintain persistence.

A new weakness discovered by Cisco Talos allows forged signatures on kernel-mode drivers, thus allowing Windows certificate policies to be bypassed.

This is possible due to an exception made by Microsoft to maintain compatibility, which allows drivers to be cross-signed if they are «signed with an end-entity certificate issued before July 29th, 2015, that chains to a supported cross-signed [certificate authority].»

«The third exception creates a vulnerability that allows newly compiled drivers to be signed with non-revoked certificates issued on or before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority,» said the cybersecurity company.

As a result, drivers signed this way will not be prevented from loading on Windows devices, allowing threat actors to take advantage of the loophole to deploy thousands of signed malicious drivers without submitting them to Microsoft for verification.

These rogue drivers are deployed using signature timestamp spoofing tools such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.

HookSignTool has been accessible via GitHub since January 7, 2020, while FuckCertVerifyTimeValidity was first committed to the code hosting service on December 14, 2018.


«HookSignTool is a driver signature spoofing tool that changes the driver’s signing date during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool,» Cisco Talos explains.

Specifically, it hooks the CertVerifyTimeValidity function, which verifies the time validity of a certificate, to change the signing timestamp at run time.

«This small project prevents signtool from verifying [sic] certificate validity period and allows you to sign your binary with an outdated certificate without manually changing the system time,» the GitHub page for FuckCertVerifyTimeValidity reads.

«It installs hooks into crypt32!CertVerifyTimeValidity and makes it always return 0, and makes kernel32!GetLocalTime return what you want, as you can add «-fuckyear 2011» to signtool’s command line to sign with certificates from 2011.»

That said, successful tampering requires an unrevoked code-signing certificate that was issued before July 29, 2015, along with the certificate’s private key and passphrase.
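The conditions above (a leaf certificate issued before the July 29, 2015 cutoff, typically now expired, with the signing time manipulated rather than attested by a timestamp authority) give defenders something to hunt for. The following triage script is an added example, not code from Cisco Talos or the article; it assumes Windows PowerShell 5.1 or later, read access to the driver store, and that the two driver directories used are the ones worth scanning on the host.

```powershell
# Added example: hunt for installed kernel drivers whose signing certificate predates the
# 29 July 2015 cross-signing cutoff and is either already expired or lacks a timestamp
# countersignature. Findings are triage leads, not proof of forgery.
$Cutoff = Get-Date '2015-07-29'
# Assumed scan scope: the live driver directory and the driver store.
$Paths  = @("$env:SystemRoot\System32\drivers",
            "$env:SystemRoot\System32\DriverStore\FileRepository")

$Findings = Get-ChildItem -Path $Paths -Recurse -Include *.sys -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return }   # unsigned (or unresolved catalog signature); out of scope here
    # Drivers signed by Microsoft itself are not the pattern described (attacker-controlled leaf certs).
    if ($cert.Subject -match 'Microsoft (Windows|Corporation)') { return }

    $preCutoff   = $cert.NotBefore -lt $Cutoff          # leaf cert issued before the policy cutoff
    $expired     = $cert.NotAfter  -lt (Get-Date)       # cert no longer valid today
    $noTimestamp = $null -eq $sig.TimeStamperCertificate # no TSA countersignature attesting the signing time

    if ($preCutoff -and ($expired -or $noTimestamp)) {
      [pscustomobject]@{
        Driver      = $_.FullName
        Status      = $sig.Status        # Windows may still report Valid for such signatures
        Signer      = $cert.Subject
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        Timestamped = -not $noTimestamp
        Thumbprint  = $cert.Thumbprint
      }
    }
  }

$Findings | Sort-Object NotBefore | Format-Table -AutoSize
```

Legitimate drivers from vendors that signed before 2015 will also match, so compare each hit's file hash and signer against the vendor's published release before treating it as malicious.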

Cisco Talos says it has discovered more than a dozen code signing certificates, with their keys and passwords, contained in a PFX file hosted on GitHub in a fork of the FuckCertVerifyTimeValidity repository. It is not clear how these certificates were obtained.

Furthermore, HookSignTool was observed being used to re-sign cracked drivers in order to pass digital rights management (DRM) integrity checks, with an actor named «Juno_Jr» releasing a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum on November 9, 2022.

«In the cracked version […] the patched driver has been re-signed with the certificate originally issued to ‘Shenzhen Luyoudashi Technology Co., Ltd.’, which is included in the PFX file on GitHub,» Talos researchers said. «This cracked driver removes a significant barrier when trying to bypass DRM checks in signed drivers.»


That’s not all. HookSignTool is also being used by a previously undocumented driver referred to as RedDriver to forge its signature timestamp. Active since at least 2021, it acts as a driver-based browser hijacker that leverages the Windows Filtering Platform (WFP) to intercept browser traffic and redirect it to localhost.

The target browser is randomly selected from a hard-coded list containing the process names of many popular Chinese-language browsers such as Liebao, QQ Browser, Sogou, and UC Browser, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Chris Neal, outreach researcher at Cisco Talos, told The Hacker News: «I initially found RedDriver while researching certificate timestamp spoofing on Windows drivers. It was one of the first samples I came across that was immediately suspicious. What caught my eye was the list of web browsers stored inside the RedDriver file.»

The ultimate goal of this browser traffic redirection is unclear, although it goes without saying that such a capability could be abused to spoof browser traffic at the packet level.

The RedDriver infection chain begins with the execution of a binary file named «DnfClientShell32.exe», which in turn initiates encrypted communication with the command and control (C2) server to download the malicious driver.

«We did not observe the original file being distributed, but it was most likely packaged to masquerade as a game file and hosted on a malicious download link,» Neal said. «Victims may think they are downloading a file from a legitimate source and run the executable. ‘DNFClient’ is the name of a file that belongs to ‘Dungeon Fighter Online’, a hugely popular game in China, commonly referred to as ‘DNF’.»

«RedDriver may have been developed by highly skilled threat actors, as the learning curve for developing malicious drivers is steep,» Cisco Talos said. «While the threat appears to be aimed at native Chinese speakers, the authors are likely also Chinese speakers.»

«The authors also demonstrate familiarity or experience with the software development lifecycle, another skill set that requires prior development experience.»
