Hackers used Microsoft policy to change the signature date of malicious drivers to July 29, 2015

Tomcat
Microsoft has blocked 13 code-signing certificates. They were used by Chinese hackers and developers to sign malicious kernel-mode drivers and load them into compromised systems with the FuckCertVerify and HookSignTool tools.

Certificate offers on websites

The tools have been around since 2018 and 2019. They allow the signing date of a malicious driver to be changed to a date before July 29, 2015. FuckCertVerify was previously also used as a tool for cheating in games.

As a result, more than 100 malicious drivers received valid signatures through the Windows Hardware Compatibility Program (WHCP).

“Attackers use several open source tools that modify the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates. This is a serious threat because access to the kernel allows full access to the system and therefore complete compromise,” said cybersecurity researchers.

Kernel-mode drivers run with the highest level of privileges in Windows and give attackers full access to the attacked system. In this case, the kernel-mode driver can disrupt the operation of security solutions or deliberately change their configuration to avoid detection.

Windows Kernel Architecture

With the release of Windows Vista, Microsoft restricted the loading of kernel-mode drivers into the operating system: developers were required to submit their drivers for verification and sign them through a special portal. However, to keep older applications working, Microsoft introduced an exception. A driver that is not signed through the portal is still loaded when all of the following hold:
  • the PC was upgraded from an earlier version of Windows to Windows 10 version 1607;
  • Secure Boot is disabled in the BIOS;
  • the driver is signed with an end-entity certificate issued before July 29, 2015 that chains to a supported cross-signed certificate authority.

The abuse was discovered by experts from Sophos, Cisco Talos and Trend Micro. According to them, Chinese hackers deployed drivers for browser malware, rootkits and game cheats. The researchers found that this method has been used since at least April 2021 to abuse the exceptions in Microsoft's WHCP program and sign drivers. Hackers could use old, unrevoked certificates to sign drivers and then load them into Windows to escalate privileges.

Cisco Talos gives the example of the malicious RedDriver driver, signed using HookSignTool. RedDriver is browser malware that can intercept traffic in Chrome, Edge, Firefox and other browsers.

Implementation of detection bypass in HookSignTool

FuckCertVerifyTimeValidity works in a similar way. It uses the Microsoft Detours package to hook the CertVerifyTimeValidity API call and substitutes the chosen date for the current time during signing, but, unlike the approach above, it leaves no artifacts in the binary it signs.
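As an added defender-side check (example code written for this post, not taken from the researchers' reports or from the tools described), the following PowerShell scan lists installed drivers whose signing certificate fits the pre-July 29, 2015 exception described above, or whose certificate subject matches one of the names listed in this post. The driver path and the subject-fragment list are assumptions; the list is constructed from the post and is not exhaustive.

```powershell
# Added example: flag drivers signed under the legacy (pre-2015-07-29) exception.
# A hit is a lead for manual review, not proof of malice: legitimate legacy
# drivers on upgraded machines match the same pattern.
$Cutoff = [datetime]'2015-07-29'
# Subject fragments taken from the certificate list in this post (constructed, partial)
$KnownAbused = @('William Zoltan', 'Luca Marcone', 'HT Srl', 'NHN USA Inc',
                 'Beijing JoinHope Image Technology', 'Shenzhen Luyoudashi Technology')

function Get-LegacySignedDrivers {
    param([string]$Path = "$env:SystemRoot\System32\drivers")   # assumed scan root
    Get-ChildItem -Path $Path -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }                      # unsigned: DSE blocks these anyway
        if ($cert.Subject -match 'Microsoft') { return }     # WHCP / Microsoft-signed: out of scope
        # Certificate issued before the cutoff and already expired: the window the tools abuse
        $legacy = ($cert.NotBefore -lt $Cutoff) -and ($cert.NotAfter -lt (Get-Date))
        $known  = @($KnownAbused | Where-Object { $cert.Subject -match [regex]::Escape($_) })
        if ($legacy -or $known.Count -gt 0 -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File               = $file.FullName
                Status             = $sig.Status
                Subject            = $cert.Subject
                NotBefore          = $cert.NotBefore
                NotAfter           = $cert.NotAfter
                Thumbprint         = $cert.Thumbprint
                LegacyWindow       = $legacy
                KnownAbusedSubject = ($known.Count -gt 0)
                FileWritten        = $file.LastWriteTime   # a recent write under an expired cert is worth a look
            }
        }
      }
}

Get-LegacySignedDrivers | Sort-Object LegacyWindow -Descending | Format-Table -AutoSize
```

Compare the thumbprints of any hits against the vendor's published signing certificates and against Microsoft's current driver block list before acting on them.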

Experts have identified numerous certificates in repositories on GitHub and on various Chinese forums that can be used by these tools.

The 13 most frequently used certificates were issued to:
  • Open Source Developer, William Zoltan,
  • Luca Marcone,
  • HT Srl,
  • Beijing JoinHope Image Technology Ltd.,
  • Shenzhen Luyoudashi Technology Co., Ltd.,
  • Jiangsu innovation safety assessment Co., Ltd.,
  • Baoji zhihengtaiye co.,ltd,
  • Zhuhai liancheng Technology Co., Ltd.,
  • Fuqing Yuntan Network Tech Co.,Ltd.,
  • Beijing Chunbai Technology Development Co., Ltd,
  • 绍兴易游网络科技有限公司,
  • 善君韦,
  • NHN USA Inc.

The Sophos report states that the company has identified more than a hundred malicious kernel drivers used to stop security software, which is normally protected from user-mode programs.

Microsoft has already revoked certificates associated with malicious activity and blocked the accounts of developers caught using them.

At the same time, the company updated the Windows driver revocation list (Driver.STL) and began blocking the drivers with Microsoft Defender (signature version 1.391.3822.0 and later).

However, experts do not believe that this completely eliminates the risk: other certificates have not been revoked, or have already been stolen, and remain usable by attackers.