Now there is a new pivot in abusing the driver signing requirements in Windows. According to researchers, a new loophole being actively exploited, primarily by Chinese-speaking threat actors, is allowing them to forge the signature on kernel-mode drivers. The flaw allows a handful of open-source tools to alter the signing date (on expired certificates) of kernel-mode drivers so that malicious drivers can be loaded. Leveraging this bypass can lead to complete compromise of the targeted system.
Cisco Talos and others revealed the flaw to Microsoft following responsible disclosure methods. This has allowed Microsoft to put mitigations in place to prevent widespread abuse of this serious flaw. For right now Microsoft has said that they are revoking all of the certificates involved and that the malicious developer accounts have been suspended. They note that it appears only a small number of accounts were used to abuse certificates from the Windows Hardware Developer Program and that no actual Microsoft accounts were compromised.
“Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers. An investigation was performed when we were notified of this activity by Sophos on February 9, 2023; Trend Micro and Cisco subsequently provided reports containing additional details. This investigation revealed that several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature. All the developer accounts involved in this incident were immediately suspended.”
Microsoft has also released Windows Security Updates for all of their operating systems and added blocked-driver detections to Windows Defender. Microsoft did something similar back in late 2022 when ransomware groups were found to be abusing signed drivers for post-exploitation activities.
The core of the flaw/loophole is due to Microsoft attempting to extend compatibility. Windows still allows drivers signed with cross-signed certificates to load if the certificate was issued prior to July 29, 2015. The certificate must also have a supported cross-signed certificate authority in its certificate chain. Attackers do still have to find an unrevoked certificate that was issued before the July 2015 date and gain access to its private key and passphrase. Once the correct certificate is found, the attacker uses a timestomping tool like HookSignTool to change the signing date back to the accepted time frame. Once this is done the new malicious driver can be loaded.
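The signing profile described above (an embedded signature from a leaf certificate issued before July 29, 2015, often already expired, chaining through a cross-signing CA) is something a defender can enumerate on a host. The PowerShell script below is an added example written for this article, not a tool from Cisco Talos or Microsoft. It walks the running kernel drivers, pulls the Authenticode signer with `Get-AuthenticodeSignature`, and flags the combinations that match that profile; the cutoff date comes from the article, while the flag names and the "old issue date plus expired leaf" heuristic are this example's own assumptions, not a published Microsoft detection rule. Legitimate legacy drivers will also match, so treat the output as a triage list to review, not a verdict.

```powershell
# Added example (not from the original article or any vendor): triage running
# kernel drivers against the pre-2015 cross-signing exception described above.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11; the cutoff date is the
# one the article cites; flag names and the heuristic are this example's own.

function Get-DriverSigningTriage {
    [CmdletBinding()]
    param(
        # Certificates issued before this date qualify for the compatibility exception
        [datetime]$Cutoff = [datetime]'2015-07-29'
    )

    $now     = Get-Date
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName arrives in several shapes (\SystemRoot\..., \??\C:\..., System32\...);
            # normalize it to a plain file path before touching the file
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig   = Get-AuthenticodeSignature -FilePath $path
            $leaf  = $sig.SignerCertificate
            $flags = [System.Collections.Generic.List[string]]::new()
            $chainNames = @()

            if (-not $leaf) {
                $flags.Add('no-signer')
            }
            else {
                # Leaf issued before the cutoff: eligible for the legacy exception
                if ($leaf.NotBefore -lt $Cutoff) { $flags.Add('leaf-issued-before-cutoff') }
                # An expired leaf that still loads is trusted only because of the
                # exception plus the signing timestamp, which is exactly what is forged
                if ($leaf.NotAfter -lt $now) { $flags.Add('leaf-expired') }
                # WHQL-attested drivers normally verify through a catalog; an embedded
                # signature is where a re-signed third-party binary would show up
                if ($sig.SignatureType -ne 'Catalog') { $flags.Add("sig-type-$($sig.SignatureType)") }
                if (-not $sig.TimeStamperCertificate) { $flags.Add('no-timestamp-countersignature') }

                # Build the chain so the analyst can see the cross-signing CA, and check
                # revocation online since Microsoft said it is revoking the abused certs
                $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
                $chain.ChainPolicy.RevocationMode = 'Online'
                $null = $chain.Build($leaf)
                $chainNames = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
                if ($chain.ChainStatus | Where-Object { $_.Status -band $revoked }) {
                    $flags.Add('chain-revoked')
                }
                $chain.Dispose()
            }

            [pscustomobject]@{
                Driver    = $_.Name
                Path      = $path
                Status    = $sig.Status
                Signer    = if ($leaf) { $leaf.Subject } else { $null }
                NotBefore = if ($leaf) { $leaf.NotBefore } else { $null }
                NotAfter  = if ($leaf) { $leaf.NotAfter } else { $null }
                Flags     = ($flags -join ',')
                Chain     = ($chainNames -join ' <- ')
            }
        }
}

# Drivers matching both "issued before the cutoff" and "expired leaf" are the ones
# that depend on the exception the article describes; review them first
Get-DriverSigningTriage |
    Where-Object { $_.Flags -match 'leaf-issued-before-cutoff' -and $_.Flags -match 'leaf-expired' } |
    Format-Table Driver, Status, Signer, NotBefore, NotAfter, Flags -AutoSize
```

`Get-AuthenticodeSignature` does not expose the signing time itself, so this script reasons from the certificate validity window and the presence of a timestamp countersignature; a tool that parses the PKCS#7 blob (Sysinternals `sigcheck`, for example) is needed to read the signing date a timestomping tool rewrote. Pair the flagged paths with Microsoft's updated vulnerable-driver blocklist and Defender detections rather than relying on this heuristic alone.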
On the topic of finding certificates that meet the profile listed above: the reuse of valid certificates to re-sign drivers is a well-established process. It has been widely used in game cracking to get around digital rights management utilities built into Windows. If you frequent the darker sides of the internet you can find compromised certificates, signing authorities, developer accounts, and more which would allow you to gain access to the right items. While the path to compromise here is more complex, it is not that hard given the wealth of tools and resources available to attackers.
Currently this threat appears to have been limited to Chinese-speaking targets, but that does not mean this group could not expand their horizons. They appear to have significant development experience and are likely to be able to refine their technique quickly to account for updates to Microsoft's security tools. Campaigns like this do highlight the dangers of allowing any software to be safe-listed based solely on the existence of a signature, although there is no immediate answer to removing trusted authorities. The simple removal of certificate-based trust would be a massive disruption to the way modern systems work and communicate. Sadly, threat actors know this and are likely to continue to abuse this avenue to gain additional access to systems post-compromise, or as part of their initial access.