Windows Policy Loophole: Old Certificate, New Signature

Windows Kernel Driver Loophole

Cisco Talos has reported a troubling finding: threat actors are exploiting a Windows policy loophole that lets them sign and load cross-signed kernel-mode drivers with forged signature timestamps.

Using open-source tools, these actors alter the signing date of kernel-mode drivers so that unverified, malicious drivers can be signed with expired certificates.

We discovered more than a dozen code signing certificates, along with their keys and passwords, bundled in a PFX file that was openly hosted on GitHub, which made this activity considerably easier.

Chinese Speakers Behind the Tools

Most of the drivers we unearthed contained metadata with a language code, which strongly suggests that the actors behind these tools are native Chinese speakers.

We also observed a particular open-source tool being used to re-sign cracked drivers in order to bypass digital rights management (DRM) checks, which further underlines what these threat actors are capable of.

To show the gravity of the situation, Cisco Talos has published a second, accompanying blog post that gives a concrete example of the loophole described here and of the damage it can cause.

That post introduces RedDriver, a previously undocumented malicious driver that demonstrates real-world abuse of this loophole.

With this knowledge, we urge you to stay vigilant and take proactive measures to guard against these threats.

How Does Microsoft Prevent the Threat of Malicious Drivers?

The Windows operating system operates in two modes: user mode and kernel mode. While user mode contains files and applications that users interact with, the kernel mode handles essential functions and kernel-mode drivers, forming the backbone of the Windows system.

Through the Windows API, drivers facilitate communication between these modes, utilizing system libraries and their functions.

The division of the operating system into these two modes serves as a crucial safeguard, establishing a controlled barrier between regular users and the Windows kernel. This barrier is vital for maintaining the security and integrity of the operating system since gaining access to the kernel translates to complete control over the entire system.

Loading a malicious driver lets an attacker cross this barrier and fully compromise the targeted system.

To counter the threat of malicious drivers, Microsoft introduced a requirement for kernel-mode drivers to be digitally signed with a certificate from a trusted certificate authority, starting with Windows Vista 64-bit.

This signature enforcement is essential as it significantly enhances the defense against malicious drivers. Without it, such drivers could easily evade anti-malware software and endpoint detection systems, rendering them difficult to combat effectively.


Analysis of these samples is difficult: standard malware sandboxes cannot monitor a driver’s behavior, so considerable manual analysis is required, and threat actors have begun using code obfuscation such as VMProtect to impede driver analysis further.

From an attacker’s perspective, leveraging a malicious driver offers numerous advantages. These include evading endpoint detection mechanisms, manipulating system and user mode processes, and establishing persistence on an infected system.

The allure of these benefits provides significant motivation for attackers to discover methods to circumvent Windows driver signature policies.

Cisco Talos has identified threat actors exploiting a Windows policy loophole. This loophole allows them to forge signatures on kernel-mode drivers, bypassing the certificate policies embedded within Windows.

They employ open-source tools, utilize non-revoked certificates issued before July 29, 2015, and exploit the vulnerabilities within the Windows driver signing framework.

Microsoft’s Modified Driver Signing Policy:

Microsoft’s driver signing policy changed significantly, starting with Windows 10 version 1607. The new policy mandated that all kernel-mode drivers must be submitted to and signed by Microsoft’s Developer Portal, ensuring compliance with their security standards.

However, to maintain compatibility with older drivers, Microsoft made exceptions for specific scenarios:

  1. Upgrading a PC from a previous Windows version to Windows 10, version 1607.
  2. Disabling Secure Boot in the BIOS.
  3. Signing drivers with an end-entity certificate issued before July 29, 2015, that chains to a supported cross-signed certificate authority.

It is the third exception that creates a notable loophole. It allows newly compiled drivers to be signed with non-revoked certificates issued before July 29, 2015, even ones that have since expired, as long as they chain to a supported cross-signed certificate authority.

Once signed this way, such drivers can be installed and started as services without being blocked. This loophole has not gone unnoticed, and several open-source tools have been developed to exploit it.


Although this technique is widely known, it is often overlooked despite its potential to seriously threaten Windows systems. Exploiting the loophole is relatively straightforward, partly because the publicly available tooling makes it easily accessible.

As a result, the loophole represents a critical weakness that demands attention if Windows systems are to be protected from harm.

How Are Threat Actors Exploiting the Windows Policy Loophole?

Cisco Talos has observed a concerning trend in which multiple threat actors exploit the Windows policy loophole to deploy malicious, signed drivers without going through Microsoft’s verification process.

These actors have been using well-known open-source tools, such as HookSignTool and FuckCertVerifyTimeValidity, to achieve their goals.

Although these tools initially gained popularity in the game cheat development community, our research has revealed their usage in deploying malicious Windows drivers unrelated to gaming cheats.

To demonstrate the severity of this issue, we have documented a real-world example in our blog post featuring RedDriver. This browser hijacker operates through a malicious driver signed using HookSignTool.

FuckCertVerifyTimeValidity

FuckCertVerifyTimeValidity, also known as FuckCertVerify, was released on GitHub on December 13th, 2018. While it may lack the comprehensive functionality of HookSignTool, it serves the same purpose of forging signature timestamps.

This tool was likely developed for signing game cheating software, and since its release, it has been copied and uploaded to various GitHub repositories.

The operation of FuckCertVerifyTimeValidity is similar to HookSignTool in that it employs the Microsoft Detours package to intercept the “CertVerifyTimeValidity” API call and manipulate the timestamp to a specified date.

However, in the case of FuckCertVerifyTimeValidity, the function added to the legitimate signing tool’s import table is “FuckCertVerifyTimeValidity.dll!test”.

Notably, this tool does not leave any discernible artifacts in the signed binary, making it exceptionally challenging to identify its usage.

HookSignTool

HookSignTool, on the other hand, is a driver signature forgery tool that modifies the signing date during the signing process. It achieves this by combining Windows API hooking techniques and manual alterations to the import table of a legitimate code signing tool.

Initially released in 2019 on the Chinese software cracking forum “52pojie[.]cn” by its author, “JemmyLoveJenny,” HookSignTool has been available on GitHub since at least 2020.

The exploitation of these open-source tools, along with the Windows policy loophole, highlights a significant security concern.

Security professionals and organizations must stay vigilant, adapt to emerging threats, and take proactive measures to protect Windows systems from the potential harm caused by these malicious drivers.

Use EV Code Signing Certificate for Better Security

SignMyCode is a powerful code signing platform that enables developers to enhance the security and trustworthiness of their software applications.

Developers can further strengthen the security measures and instill confidence in their users by utilizing an EV (Extended Validation) Code Signing Certificate with SignMyCode.

Here’s a brief overview of how to leverage an EV Code Signing Certificate for better security with SignMyCode:

Obtain an EV Code Signing Certificate:

Start by obtaining an EV Code Signing Certificate from a reputable certificate authority (CA) such as DigiCert, Certera, Comodo, or Sectigo.


The EV certificate ensures rigorous verification of your identity as a code signer, establishing trust with your users. SignMyCode works seamlessly with EV certificates, allowing you to harness their enhanced security features.

Best EV Products                          Price
Certera EV Code Signing Certificate       $269.99/yr
Comodo EV Code Signing Certificate        $274.99/yr
Sectigo EV Code Signing Certificate       $274.99/yr
DigiCert EV Code Signing Certificate      $519.99/yr

Protect the Private Key:

The private key associated with your EV Code Signing Certificate is crucial to the security of your signed code. Store it securely, for example in a Hardware Security Module (HSM) or a secure key vault.

Restrict access to the private key to authorized personnel only, preventing unauthorized use or tampering.

Regularly Update and Renew Certificates:

It is essential to monitor the validity of your certificate and ensure timely renewal. Regularly updating and renewing your Code Signing certificates maintains uninterrupted signing capabilities and keeps your users’ trust intact.

Sign All Relevant Software Components:

Utilize SignMyCode to sign all relevant software components, including executables, libraries, and drivers. By signing every component of your software, you ensure end-to-end code integrity and mitigate the risk of unauthorized modifications or tampering.

Educate Users about Code Signing:

Educate your users about the importance of code signing and how it enhances security. Explain that a code signature shows that your software has undergone stringent verification and comes from a trusted source, and encourage them to verify digital signatures before installing any software.

The combination of SignMyCode’s seamless integration and the stringent verification process of an EV certificate helps protect against tampering, guaranteeing the authenticity and integrity of your applications.

How Does Forging Signatures with HookSignTool and FuckCertVerifyTimeValidity Succeed?

Successful signature forgery with tools like HookSignTool and FuckCertVerifyTimeValidity depends on a few elements: a non-revoked code signing certificate that was issued before July 29, 2015 (and may since have expired), together with its private key and password.

During our research, we made a significant discovery: an archived PFX file on GitHub within a fork of FuckCertVerifyTimeValidity. This file contained over a dozen expired code signing certificates frequently used with both tools to carry out signature forgery.

Notably, many of these certificates are non-revoked and are commonly employed for forging signatures on game cheating software and malicious drivers.

Interestingly, the PFX file included stolen certificates from the infamous 2015 Hacking Team leaks and certificates from a leak posted on a Chinese-language software cracking forum. However, the exact origins of these certificates before the leaks remain unclear.

The Hacking Team certificates include those issued to Open Source Developer, William Zoltan, Luca Marcone, and HT Srl.
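The Python below is an added example, not code from this post or from Cisco Talos, that ties together the third policy exception described under “Microsoft’s Modified Driver Signing Policy” and the forgery prerequisites just listed. It models the exception as a decision function and runs a small triage over a signed driver: it reads the PE compile timestamp from the file header and flags a signature whose claimed signing date is earlier than the build date, which is the consequence of back-dating a signature on a newly compiled driver. Assumptions: the certificate fields (validity, revocation, chain, claimed signing time) are supplied as plain values rather than parsed from the Authenticode blob; the model treats a signing time inside the certificate’s validity window as what makes a forged date useful; “Contoso Ltd (placeholder)” and the PE bytes are constructed test data; the leaked subject names are the ones listed in the paragraph above.

```python
# Added example (not from the post or from Cisco Talos): a triage helper that
# models the Windows 10 1607 cross-signing exception and flags the tell-tale
# of a forged signing date, a signature that claims to predate the driver's
# own compile timestamp. Certificate fields are supplied as plain values;
# parsing the Authenticode PKCS#7 blob itself is out of scope here.
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Cut-off date from the policy exception described in the post.
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)

# Subject names of the leaked Hacking Team certificates named in the post.
LEAKED_SUBJECTS = {"Open Source Developer", "William Zoltan", "Luca Marcone", "HT Srl"}

F_BACKDATED = "claimed signing time predates PE compile timestamp"
F_EXPIRED = "end-entity certificate expired at analysis time"
F_LEAKED = "signer subject matches a certificate named in the leaked PFX"
F_EXCEPTION = "would load via the pre-2015-07-29 cross-signing exception"


def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) as UTC."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # After "PE\0\0": Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


@dataclass
class SignerInfo:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool
    chains_to_cross_signed_ca: bool
    signing_time: datetime  # the date the signature claims it was produced


def accepted_by_1607_exception(s: SignerInfo) -> bool:
    """Model of the third compatibility exception: a non-revoked end-entity
    certificate issued before the cut-off that chains to a supported
    cross-signed CA. Assumption: the claimed signing time must fall inside the
    certificate's validity window, which is exactly what a forged date buys."""
    return (not s.revoked
            and s.chains_to_cross_signed_ca
            and s.not_before < CROSS_SIGN_CUTOFF
            and s.not_before <= s.signing_time <= s.not_after)


def triage(pe_bytes: bytes, s: SignerInfo, now: datetime) -> list[str]:
    """Return triage indicators (not verdicts) for one signed driver."""
    flags = []
    if s.signing_time < pe_compile_time(pe_bytes):
        flags.append(F_BACKDATED)  # a binary cannot be signed before it is built
    if s.not_after < now:
        flags.append(F_EXPIRED)
    if s.subject in LEAKED_SUBJECTS:
        flags.append(F_LEAKED)
    if accepted_by_1607_exception(s):
        flags.append(F_EXCEPTION)
    return flags


def build_minimal_pe(compile_time: datetime) -> bytes:
    """Constructed test data: a DOS header, the PE signature and an
    IMAGE_FILE_HEADER carrying the given timestamp. Not a real driver."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x8664, 1,
                              int(compile_time.timestamp()), 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + file_header


def demo() -> dict[str, list[str]]:
    """Two constructed samples: a back-dated signature on a 2023 build versus a
    driver genuinely built and signed in 2014 with a now-expired certificate."""
    utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
    now = utc(2023, 7, 1)
    forged = SignerInfo("Open Source Developer", utc(2013, 5, 1), utc(2014, 5, 1),
                        False, True, signing_time=utc(2014, 3, 1))
    benign = SignerInfo("Contoso Ltd (placeholder)", utc(2013, 1, 1), utc(2016, 1, 1),
                        False, True, signing_time=utc(2014, 3, 10))
    return {
        "forged": triage(build_minimal_pe(utc(2023, 1, 15)), forged, now),
        "benign": triage(build_minimal_pe(utc(2014, 3, 1)), benign, now),
    }


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags)
```

The expired-certificate and exception flags fire for both samples, because an old driver legitimately signed in 2014 also relies on that exception; the discriminating indicator is the back-dated signing time, which only the forged sample produces. In practice the certificate fields would come from the driver’s Authenticode signature and the “now” value from the analysis clock.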

Stats to Support How Tools are Prevalent among Native Chinese Speakers

Notably, using tools like HookSignTool and FuckCertVerifyTimeValidity is primarily prevalent among native Chinese speakers.

Despite the availability of HookSignTool since 2019, its popularity and adoption have mainly remained within the native Chinese-speaking community. Its limited spread to other language communities may be attributed to language barriers and other factors.

Upon analyzing the GitHub repositories associated with both tools, it becomes apparent that the authors of HookSignTool and FuckCertVerifyTimeValidity are likely native Chinese speakers. The language used in their repositories provides strong indications in this regard.

A metadata analysis of a random sample of 300 instances in which HookSignTool artifacts were identified revealed the following.

Among these samples, 30% contained the “Chinese (Simplified)” language code, 10% contained “English (US),” 1% contained “English (British),” and 51% had no specific language code assigned.

Notably, of the samples that did include a language code, a staggering 71% were categorized as “Chinese (Simplified).” These statistics further support that the tools’ usage is predominantly associated with Chinese speakers.


This data underscores the importance of understanding the linguistic patterns and demographics surrounding the utilization of these tools. Such insights can aid in effectively addressing and combating the risks associated with their usage.

Stay committed to regular certificate updates and educate your users about code signing to ensure a safe and secure software experience for all.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
