A loophole in Microsoft Windows policy has been exploited by threat actors, primarily native Chinese speakers, to falsify signatures on kernel-mode drivers.
Cisco Talos reported that threat actors are using open-source tools to modify the signing date of kernel-mode drivers, allowing them to load malicious and unverified drivers with expired certificates. This poses a significant threat as compromising the kernel provides complete access to a system.
Source: Talos
After responsible disclosure, Microsoft has blocked all certificates to mitigate the risk.
Does driver signature enforcement hold any significance?
Driver signature enforcement is an essential defense against malicious drivers: it requires every kernel-mode driver to be digitally signed with a Microsoft Dev Portal certificate, which keeps unvetted drivers from evading security solutions, tampering with system processes, and maintaining persistence.
The vulnerability discovered by Cisco Talos bypasses Windows certificate policies by exploiting an exception created by Microsoft for compatibility purposes.
This exception would allow cross-signed drivers if signed with an end-entity certificate issued before July 29, 2015, chaining to a supported cross-signed certificate authority.
What’s the loophole?
The loophole permits newly compiled drivers to be signed with non-revoked or expired certificates issued before July 29, 2015, as long as they chain to a supported cross-signed certificate authority.
This enables threat actors to load thousands of malicious signed drivers without submitting them for Microsoft’s verification.
The rogue drivers are deployed using signature timestamp forging tools such as HookSignTool and FuckCertVerifyTimeValidity, which have been publicly available since 2019 and 2018, respectively.
HookSignTool modifies the signing date of a driver during the signing process by hooking into the Windows API and altering the import table of a legitimate code signing tool.
FuckCertVerifyTimeValidity installs hooks into the CertVerifyTimeValidity API, manipulating the signing timestamp during execution.
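One way a defender can triage installed drivers for this pattern, as an added example that is not from the Talos report: a driver whose signing certificate was issued before the July 29, 2015 cutoff and expired before the binary's own PE compile timestamp could only have been signed with a forged signing date. It assumes the default driver directory and treats the PE compile timestamp as a coarse indicator (it is zeroed by reproducible builds and can itself be altered).

```powershell
# Added example: hunt for drivers signed with a pre-2015 certificate that had
# already expired when the driver was compiled (a forged-timestamp indicator).
param([string]$DriverDir = "$env:SystemRoot\System32\drivers")  # assumed default location

$Cutoff = [datetime]'2015-07-29'   # end-entity cert issue date used by the Windows policy exception

function Get-PeCompileTime {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Sanity checks: "MZ" DOS header, then e_lfanew at 0x3C pointing at "PE\0\0"
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset + 12 -gt $bytes.Length) { return $null }
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return $null }
    # COFF header follows the 4-byte PE signature; TimeDateStamp sits at +8
    $stamp = [System.BitConverter]::ToUInt32($bytes, $peOffset + 8)
    if ($stamp -eq 0) { return $null }   # reproducible builds zero this field
    return [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds([double]$stamp)
}

Get-ChildItem -Path $DriverDir -Filter *.sys -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { return }            # unsigned: out of scope for this check
    $compiled = Get-PeCompileTime -Path $_.FullName

    $issuedBeforeCutoff = $cert.NotBefore -lt $Cutoff
    $expiredBeforeBuild = $compiled -and ($cert.NotAfter -lt $compiled)

    # A legitimately timestamped signature predates expiry, so the binary must
    # also predate expiry; compile time after NotAfter means the signing date was forged.
    if ($issuedBeforeCutoff -and $expiredBeforeBuild) {
        [pscustomobject]@{
            Driver     = $_.FullName
            Signer     = $cert.Subject
            CertBefore = $cert.NotBefore
            CertAfter  = $cert.NotAfter
            Compiled   = $compiled
            Status     = $sig.Status
        }
    }
}
```

Run it from an elevated prompt; hits warrant a closer look at the driver's loading service and its certificate chain rather than automatic removal.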
Where’s the process hosted?
While successful forgery requires a non-revoked code-signing certificate issued before July 29, 2015, along with the certificate’s private key and passphrase, Cisco Talos discovered over a dozen code-signing certificates with keys and passwords hosted on GitHub. It remains to be seen how these certificates were obtained.
Additionally, HookSignTool has been used to re-sign cracked drivers to bypass digital rights management (DRM) integrity checks. An actor named “Juno_Jr” released a cracked version of PrimoCache, a legitimate software caching solution, on a Chinese software cracking forum. The cracked version re-signed the patched driver with a certificate originally issued to “Shenzhen Luyoudashi Technology CoLtd.”
Furthermore, HookSignTool is employed by a previously undocumented driver called RedDriver, which forges its signature timestamp. Active since at least 2021, RedDriver operates as a driver-based browser hijacker, intercepting and redirecting browser traffic to localhost (127.0.0.1).
The target browsers are randomly chosen from a list that includes popular Chinese browsers such as Liebao, QQ Browser, and Sogou, as well as Google Chrome, Microsoft Edge, and Mozilla Firefox.
The exact purpose of this browser traffic redirection is unclear, but it can potentially tamper with browser traffic at the packet level.
RedDriver infections start with the execution of a binary named “DnfClientShell32.exe,” which establishes encrypted communications with a command-and-control server to download the malicious driver.
Cisco Talos believes that RedDriver was developed by highly skilled threat actors with experience in software development lifecycles. The threat primarily targets native Chinese speakers, and its authors are likely native Chinese speakers themselves; the code demonstrates familiarity and expertise in development.
Final takeaways
The deployment of such techniques suggests the expertise of threat actors. Addressing this issue requires continuous vigilance and collaboration amongst security teams. It is crucial to know more about emerging threats, keep systems updated, and implement a security posture that’s difficult to exploit.