Over the past 15 years, Microsoft has made great strides in hardening the Windows kernel, the core of the operating system that hackers must control in order to fully compromise a computer. The cornerstone of this progress was the introduction of strict new restrictions on which system drivers may be loaded in kernel mode. These drivers are essential for a computer to work with printers and other peripherals, but they are also a handy tool that hackers can use to give malware unfettered access to the most sensitive parts of Windows. Since Windows Vista, such drivers can be loaded only after they have been pre-approved by Microsoft and digitally signed to ensure they are secure.
Last week, researchers at security firm ESET reported that nearly a year ago, Lazarus, a North Korean government-backed hacking group, exploited a mile-wide loophole that has existed from the start in Microsoft’s Driver Signing Enforcement (DSE). Lazarus gained administrative control of the target computer by tricking the target into opening a malicious document, but the modern kernel protections in Windows still presented a formidable obstacle to the group’s goal of attacking the kernel.
The path of least resistance
So Lazarus turned to one of the oldest plays in the Windows exploitation book, a technique called BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating some exotic zero-day to pierce the kernel protections in Windows, Lazarus members used the administrator access they already had to install a driver that was digitally signed by Dell and in which a serious vulnerability had been discovered last year, then abused that driver’s kernel privileges.
According to ESET researcher Peter Kálnai, Lazarus sent two targets, an employee of a Dutch airline and a Belgian political journalist, a Microsoft Word document embedded with malicious code that infected their computers when opened. The hackers wanted to install a sophisticated backdoor called Blindingcan, but to do so they first had to disable various Windows protections. In this case, the path of least resistance was to install dbutil_2_3.sys, the buggy Dell driver responsible for updating Dell firmware through Dell’s custom BIOS utility.
“For the first time ever, an attacker was able to take advantage of CVE-2021-21551 to turn off monitoring for all security solutions,” Kálnai wrote, using the designation assigned to track the Dell driver vulnerability. “Not only was it done in the kernel space, it was also done in a robust way, using a small or undocumented set of Windows internals. It required deep research, development, and testing skills.”
In the case involving the journalist, the attack was initiated but quickly thwarted by ESET products, with only a single malicious executable involved.
While this may be the first documented case of an attacker exploiting CVE-2021-21551 to breach Windows kernel protections, it is far from the first BYOVD attack. A small sample of past BYOVD attacks includes:
- The malware nicknamed SlingShot hid in infected systems for six years before it was discovered by security firm Kaspersky. Active since 2012, SlingShot exploited vulnerabilities discovered in 2007 in drivers such as Speedfan.sys and sandra.sys, including CVE-2009-0824 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824). The drivers were all digitally signed, so even though the vulnerabilities were well known, Microsoft had no effective way to prevent Windows from loading them.
- RobbinHood is ransomware that installs GDRV.SYS, a motherboard driver from GIGABYTE, and exploits the known vulnerability CVE-2018-19320 in it to install its own malicious driver.
- LoJax was the first UEFI rootkit known to be used in the wild. To gain access to the targeted UEFI modules, the malware installed a powerful utility called RWEverything, which carries a valid digital signature.
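The common thread in every case above is that the abused driver carried a valid signature, so a valid signature alone cannot clear a driver load. The following is an added example, not code from ESET, Microsoft or the article, of how a defender can triage driver-load telemetry with that in mind. It parses constructed Sysmon DriverLoad (Event ID 6) records, flattened here into a made-up `key=value|key=value` line format, and flags loads whose file name appears on a watch-list built only from the driver names mentioned in this article (dbutil_2_3.sys, GDRV.SYS, Speedfan.sys, sandra.sys). The watch-list and the sample events are constructed for illustration; a production check should key on Authenticode or SHA-256 hashes, such as Microsoft's vulnerable driver blocklist, since an attacker can rename a file.

```python
"""Flag BYOVD-style driver loads in Sysmon DriverLoad (Event ID 6) records.

Added example (not the article's or ESET's tooling). The watch-list below is
built only from the driver names the article mentions; a real deployment
should match on hashes rather than file names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Driver file names the article associates with BYOVD abuse (constructed list).
KNOWN_ABUSED_DRIVERS = {
    "dbutil_2_3.sys": "CVE-2021-21551 (Dell firmware update driver)",
    "gdrv.sys": "CVE-2018-19320 (GIGABYTE motherboard driver)",
    "speedfan.sys": "CVE-2009-0824 (abused by SlingShot)",
    "sandra.sys": "abused by SlingShot",
}

# Constructed "key=value|key=value" flattening of Sysmon Event ID 6 fields
# (ImageLoaded, Signature, SignatureStatus are real Sysmon field names).
FIELD_RE = re.compile(r"(\w+)=([^|]*)")


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signature: str

    @property
    def filename(self) -> str:
        # Compare on the bare, lower-cased file name; Windows paths are case-insensitive.
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> DriverLoad:
    """Parse one flattened DriverLoad record into a DriverLoad."""
    fields = dict(FIELD_RE.findall(line))
    return DriverLoad(
        image=fields["ImageLoaded"],
        signed=fields.get("SignatureStatus", "").strip().lower() == "valid",
        signature=fields.get("Signature", "").strip(),
    )


def assess(ev: DriverLoad) -> Optional[str]:
    """Return a finding for a suspicious load, or None if nothing stands out."""
    reason = KNOWN_ABUSED_DRIVERS.get(ev.filename)
    if reason:
        # A valid signature is exactly what BYOVD relies on, so it does not
        # clear a known-vulnerable driver; it only tells us who signed it.
        sig = f"signed by {ev.signature}" if ev.signed else "unsigned"
        return f"{ev.image}: known-vulnerable driver ({reason}), {sig}"
    if not ev.signed:
        return f"{ev.image}: driver loaded without a valid signature"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run assess() over every record and keep only the findings."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]


# Constructed sample telemetry: one benign load, two signed-but-abused drivers,
# and one driver with no valid signature.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\dbutil_2_3.sys|Signature=Dell Inc.|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\Temp\GDRV.SYS|Signature=Giga-Byte Technology|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\Temp\helper.sys|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints three findings: the Dell and GIGABYTE drivers are reported even though both loads carry a valid signature, and the unsigned helper is reported separately; the Microsoft-signed ntfs.sys produces nothing. Two design points matter for a real deployment: the file-name match is only a starting point and should be replaced by hash lookups, and the signer on a flagged load is useful context for the analyst rather than a reason to suppress the alert.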