Security News > 2020 > February > BYO-Bug Tactic Attacks Windows Kernel with Outdated Driver
Specifically, they're updating the Windows kernel in-memory with the Gigabyte driver, according to the research - and the kernel accepts it as a "Patch" thanks to the signed certificate.
Once that's loaded, they can then exploit that driver using the known vulnerability in order to load their own, unsigned, malicious driver.
"The malware authors abuse this vulnerability in order to disable driver signature enforcement in Windows - on-the-fly, in kernel memory. by changing a single variable that lives in kernel space.Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver," said researchers.
"The process handles opened by the malicious driver are kernel handles, and kernel handles cannot be filtered. So, the malicious kernel driver can kill these processes without interference of endpoint security controls."
"There are many other vulnerable drivers in addition to the Gigabyte driver that these or other attackers may choose to abuse later, such as ones from VirtualBox, Novell, CPU-Z, or ASUS. But in these attacks, we've only seen the Gigabyte driver being abused in this way."
News URL
https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/
Related news
- JPCERT shares Windows Event Log tips to detect ransomware attacks (source)
- OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf (source)
- Exploit released for new Windows Server "WinReg" NTLM Relay attack (source)
- New Windows Driver Signature bypass allows kernel rootkit installs (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Microsoft plans to boot security vendors out of the Windows kernel (source)