Over the past 15 years, Microsoft has made great strides in hardening the Windows kernel, the heart of the operating system that hackers must control to successfully take over a computer. A cornerstone of this progress was the enactment of strict new restrictions on loading system drivers that can run in kernel mode. These drivers are essential for computers to work with printers and other peripherals, but they’re also a convenient entry point that hackers can borrow to give their malware unhindered access to the most sensitive parts of Windows. Starting with Windows Vista, such drivers could be loaded only after first being approved by Microsoft and then digitally signed to verify that they were safe.
Last week, researchers from security firm ESET revealed that about a year ago, Lazarus, a North Korean government-backed hacking group, exploited a mile-wide loophole that had existed all along in Microsoft’s Driver Signature Enforcement (DSE). The malicious documents that Lazarus tricked its targets into opening gained administrative control of the target’s computer, but modern Windows kernel protections presented a formidable obstacle to Lazarus achieving its goal of storming the kernel.
Path of least resistance
So Lazarus chose one of the oldest moves in the Windows hacking playbook, a technique known as BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating an exotic zero-day to break through Windows kernel protections, the Lazarus members simply used the admin access they already had to install a driver that had been digitally signed by Dell before the discovery last year of a critical vulnerability that could be exploited to gain kernel privileges.
ESET researcher Peter Kálnai said that Lazarus sent two targets, one an employee of an aerospace company in the Netherlands and the other a political journalist in Belgium, booby-trapped Microsoft Word documents that infected the computers that opened them. The hackers’ goal was to install an advanced backdoor called Blindingcan, but to achieve that, they first had to disable various Windows protections. The path of least resistance, in this case, was to simply install dbutil_2_3.sys, the buggy Dell driver, which is responsible for updating Dell firmware through Dell’s custom BIOS utility.
“For the first time in the wild, attackers were able to leverage CVE-2021-21551 to disable monitoring of all security solutions,” Kálnai wrote, referring to the designation used to track the vulnerability in the Dell driver. “It was not only done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. It undoubtedly required extensive research skills, development and testing.”
In the journalist’s case, the attack was triggered but was quickly stopped by ESET products, with only one malicious executable involved.
While this may be the first documented case of attackers exploiting CVE-2021-21551 to breach Windows kernel protections, it is by no means the first instance of a BYOVD attack. Here is a small sample of previous BYOVD attacks:
- Malware called SlingShot lurked on infected systems for six years until it was discovered by security firm Kaspersky. Active since 2012, SlingShot exploited vulnerabilities discovered as early as 2007 in drivers such as Speedfan.sys, sandra.sys and the driver tracked as CVE-2009-0824 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824). Since these drivers had at one point been digitally signed, Microsoft had no viable way to prevent Windows from loading them, even though the vulnerabilities were well known.
- RobbinHood, ransomware that installs the GIGABYTE GDRV.SYS motherboard driver and then exploits the known vulnerability CVE-2018-19320 to install its own malicious driver.
- LoJax, the first UEFI rootkit known to be used in the wild. To access the targets’ UEFI modules, the malware installed a powerful utility called RWEverything, which had a valid digital signature.
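The common thread in these cases is that a valid signature says nothing about whether a driver is exploitable, so defenders have to match driver-load telemetry against a list of known-bad drivers rather than trust the signature check. The following detection sketch is an added example, not code from ESET or the article: it scans constructed Sysmon-style "Driver loaded" records (the `key=value|...` export format and field names are assumptions) for the driver names this article mentions and flags them even when `Signed=true`.

```python
from dataclasses import dataclass

# Drivers the article names as abused in BYOVD attacks (lower-cased basenames).
# Added example, not ESET's or the article's code; field names are assumptions.
KNOWN_VULNERABLE_DRIVERS = {
    "dbutil_2_3.sys": "CVE-2021-21551 (Dell dbutil, abused by Lazarus)",
    "gdrv.sys": "CVE-2018-19320 (GIGABYTE, abused by RobbinHood)",
    "speedfan.sys": "driver flaw abused by SlingShot",
    "sandra.sys": "driver flaw abused by SlingShot",
}

@dataclass
class Finding:
    host: str
    image: str
    signed: bool   # stays True for blocklisted drivers: signature != safety
    reason: str

def parse_event(line: str) -> dict:
    """Parse 'key=value|key=value' records (constructed export format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def scan_driver_loads(lines):
    """Return a Finding for every Event ID 6 ("Driver loaded") record whose
    image basename is on the blocklist, regardless of signature status."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":  # skip non-driver-load events
            continue
        image = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        reason = KNOWN_VULNERABLE_DRIVERS.get(image)
        if reason:
            findings.append(Finding(ev["Computer"], ev["ImageLoaded"],
                                    ev.get("Signed", "").lower() == "true", reason))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    r"EventID=6|Computer=WS01|ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Signed=true",
    r"EventID=6|Computer=WS01|ImageLoaded=C:\Users\Public\dbutil_2_3.sys|Signed=true",
    r"EventID=1|Computer=WS01|ImageLoaded=C:\Temp\gdrv.sys|Signed=true",
    r"EventID=6|Computer=WS02|ImageLoaded=C:\Temp\GDRV.SYS|Signed=true",
]

if __name__ == "__main__":
    for f in scan_driver_loads(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} (signed={f.signed}) -> {f.reason}")
```

In production the basename match would be supplemented with file hashes, since a vulnerable driver can be renamed before it is loaded.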