ESET Research has released an in-depth blogpost offering an in-depth look into the abuse of vulnerable kernel drivers. Vulnerabilities in signed drivers are mostly utilized by game cheat developers to circumvent anti-cheat mechanisms, but they have also been observed being used by several APT groups and in commodity malware.
The blogpost discusses the types of vulnerabilities that commonly occur in kernel drivers, provides several case studies of malware utilizing such vulnerable drivers, analyzes examples of vulnerable drivers discovered during our research, and outlines effective mitigation techniques against this type of exploitation. These drivers can often become unguarded gateways to Windows’ core for malicious actors.
Among the various types of kernel (the central component of the Windows operating system) drivers are “software” drivers that provide specific, non-hardware related features like software debugging and diagnostics, system analysis, etc. These are prone to extend the attack surface significantly. Although directly loading a malicious, unsigned driver is no longer possible in the newer versions of Windows, and kernel rootkits are considered to be a thing of the past, there are still ways to load malicious code into the kernel, especially by abusing legitimate, signed drivers. Indeed, there are many drivers from various hardware and software vendors available that offer functionality to fully access the kernel with minimal effort.
The vulnerabilities most frequently observed in kernel drivers include:
- failures to add checks that restrict read and write access to critical model-specific registers (MSRs);
- exposing the ability to map physical memory from user mode for reading and writing; and
- exposing the ability to access virtual kernel memory from user mode for reading and writing.
“When malware actors need to run malicious code in the Windows kernel on x64 systems with driver signature enforcement in place, carrying a vulnerable signed kernel driver seems to be a viable option for doing so. This technique is known as Bring Your Own Vulnerable Driver, abbreviated as BYOVD, and has been observed being used in the wild by both high-profile APT actors and in commodity malware,” explains Peter Kálnai, one of the co-investigators of this research.
Examples of malicious actors using the BYOVD technique include the Slingshot APT group, which implemented their main module, called Cahnadr, as a kernel-mode driver that can be loaded by vulnerable signed kernel drivers. Another example is the InvisiMole APT group, which was uncovered by ESET researchers in 2018. A newer variant of the InvisiMole malware is the only case to date that ESET has observed of MSR exploitation on Windows 10 x64 systems being used in the wild by a malicious actor.
Yet another example is the RobbinHood ransomware which, as commodity malware, aims to reach as many people as possible. Thus, seeing it use a BYOVD technique is rare but powerful. This ransomware leverages a vulnerable GIGABYTE motherboard driver to disable driver signature enforcement and install its own malicious driver. Finally, LoJax, another ESET discovery in 2018 and the first-ever UEFI rootkit used in the wild, used the RWEverything driver to gain access to victims’ UEFI modules.
ESET researchers not only catalogued existing vulnerabilities, but also looked for new ones — a full list of the discovered vulnerabilities can be found in the published in-depth blogpost. The vendors that ESET contacted were very proactive during the disclosure process and eager to fix the uncovered vulnerabilities.
“Although there are several mechanisms employed by the CPU and/or the operating system, most of them can be bypassed with some clever techniques and are not very effective if the attacker prepares for them ahead of time,” says Kálnai.
The blogpost offers the following useful mitigation techniques:
- Virtualization-based security: This is a feature introduced in Windows 10 that leverages hardware virtualization to place the kernel in a sandbox thus securing the operating system with various protections.
- Certificate revocation: On modern Windows systems, drivers need to have a valid signature based on an “acceptable” certificate. Hence, revoking the certificate of a vulnerable driver would be an easy way to “disarm” it and render it useless in most cases.
- Driver blocklisting: This is a practice adopted by both Microsoft and various third-party security product vendors, including ESET, to detect and delete the most notorious vulnerable drivers when found on a system.
(For more technical details about vulnerable signed kernel drivers, read the blogpost “Signed kernel drivers – Unguarded gateway to Windows’ core” on WeLiveSecurity).