Security News > 2020 > February > BYO-Bug Tactic Attacks Windows Kernel with Outdated Driver

BYO-Bug Tactic Attacks Windows Kernel with Outdated Driver
2020-02-10 21:07

Specifically, they're updating the Windows kernel in-memory with the Gigabyte driver, according to the research - and the kernel accepts it as a "Patch" thanks to the signed certificate.

Once that's loaded, they can then exploit that driver using the known vulnerability in order to load their own, unsigned, malicious driver.

"The malware authors abuse this vulnerability in order to disable driver signature enforcement in Windows - on-the-fly, in kernel memory. by changing a single variable that lives in kernel space.Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver," said researchers.

"The process handles opened by the malicious driver are kernel handles, and kernel handles cannot be filtered. So, the malicious kernel driver can kill these processes without interference of endpoint security controls."

"There are many other vulnerable drivers in addition to the Gigabyte driver that these or other attackers may choose to abuse later, such as ones from VirtualBox, Novell, CPU-Z, or ASUS. But in these attacks, we've only seen the Gigabyte driver being abused in this way."


News URL

https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kernel 3 0 7 4 1 12