Over the past 15 years, Microsoft has made huge progress fortifying the Windows kernel, the core of the OS that hackers must control to successfully take over a computer. A cornerstone of that progress was the enactment of strict new restrictions on the loading of system drivers that can run in kernel mode. These drivers are crucial for computers to work with printers and other peripherals, but they are also a convenient inroad that hackers can take to give their malware unfettered access to the most sensitive parts of Windows. With the advent of Windows Vista, all such drivers could only be loaded after they had been approved in advance by Microsoft and then digitally signed to verify they were safe.
Last week, researchers from security firm ESET revealed that about a year ago, Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole that had existed in Microsoft's driver signature enforcement (DSE) from the start. The malicious documents Lazarus was able to trick targets into opening were able to gain administrative control of the target's computer, but Windows' modern kernel protections presented a formidable obstacle to Lazarus's objective of storming the kernel.
Path of least resistance
So Lazarus chose one of the oldest moves in the Windows exploitation playbook: a technique known as BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating some exotic zero-day to pierce Windows kernel protections, Lazarus members simply used the admin access they already had to install a driver that had been digitally signed by Dell prior to the discovery last year of a critical vulnerability that could be exploited to gain kernel privileges.
ESET researcher Peter Kálnai said Lazarus sent two targets, one an employee of an aerospace company in the Netherlands and the other a political journalist in Belgium, Microsoft Word documents that had been booby-trapped with malicious code that infected the computers that opened them. The hackers' objective was to install an advanced backdoor dubbed Blindingcan, but to make that happen they first had to disable various Windows protections. The path of least resistance, in this case, was simply to install dbutil_2_3.sys, the buggy Dell driver, which is responsible for updating Dell firmware through Dell's custom BIOS Utility.
"For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions," Kálnai wrote, referring to the designation used to track the vulnerability in the Dell driver. "It was not just done in kernel space, but also in a robust manner, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills."
In the case involving the journalist, the attack was triggered but was quickly stopped by ESET products, with just one malicious executable involved.
While it may be the first documented case of attackers exploiting CVE-2021-21551 to pierce Windows kernel protections, it is by no means the first instance of a BYOVD attack. A small sampling of previous BYOVD attacks includes:
- Malware dubbed SlingShot that hid on infected systems for six years until it was discovered by security firm Kaspersky. Active since 2012, SlingShot exploited vulnerabilities that had been found as early as 2007 in drivers including Speedfan.sys, sandra.sys, and the driver covered by CVE-2009-0824 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824). Because these drivers had been digitally signed at one time, Microsoft had no viable way to prevent Windows from loading them, even though the vulnerabilities were well-known.
- RobbinHood, the name of ransomware that installs the GIGABYTE motherboard driver GDRV.SYS and then exploits the known vulnerability CVE-2018-19320 to install its own malicious driver.
- LoJax, the first UEFI rootkit known to be used in the wild. To gain access to targets' UEFI modules, the malware installed a powerful utility called RWEverything that had a valid digital signature.
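The defensive lesson of the BYOVD technique above and of the sampling just listed is that a valid signature says nothing about whether a driver is safe to load. As an added example (not code from ESET or from the article), the Python below flags loads of the drivers named on this page in Sysmon Event ID 6 (DriverLoad) records while deliberately ignoring the signature fields; the sample records are a constructed, flattened key=value rendering of Sysmon's fields, and the hash denylist is a placeholder to be filled from a vendor blocklist.

```python
"""Flag BYOVD-style loads of known-vulnerable signed drivers in Sysmon Event ID 6 records."""
import os
import re

# Constructed denylist: the file names are those mentioned in the article; the hash set
# is a placeholder to be filled from a vendor blocklist (hashes are the reliable key).
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys", "gdrv.sys", "speedfan.sys", "sandra.sys"}
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_FROM_BLOCKLIST"}

# Constructed sample records in a flattened key=value rendering of Sysmon's fields.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\dbutil_2_3.sys Hashes=SHA256=aaaa1111 '
    'Signed=true Signature="Dell Inc." SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256=bbbb2222 '
    'Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\GDRV.SYS Hashes=SHA256=cccc3333 '
    'Signed=true Signature="Giga-Byte Technology" SignatureStatus=Valid',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a record into a dict of fields, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def sha256_from_hashes(hashes):
    """Sysmon packs hashes as 'MD5=..,SHA256=..'; return the SHA256 part, lowercased."""
    for part in hashes.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""

def is_vulnerable_driver_load(event):
    """True when a driver-load event names a denylisted file or hash. The signature
    fields are ignored on purpose: a BYOVD driver carries a valid vendor signature."""
    if event.get("EventID") != "6":
        return False
    name = os.path.basename(event.get("ImageLoaded", "").replace("\\", "/")).lower()
    digest = sha256_from_hashes(event.get("Hashes", ""))
    return name in VULNERABLE_DRIVER_NAMES or digest in VULNERABLE_DRIVER_SHA256

def scan(lines):
    """Return (path, signer) for every flagged driver load, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_vulnerable_driver_load(ev):
            hits.append((ev["ImageLoaded"], ev.get("Signature", "")))
    return hits
```

Calling `scan(SAMPLE_EVENTS)` returns the Dell and GIGABYTE loads and passes the Microsoft driver, even though all three records carry the same "Valid" signature status.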