Windows Policy Loophole allows Malware to Operate Undetected
Windows Policy Loophole Exploited at Kernel Level
Last week, a dangerous discovery was made by the “Cisco Talos Intelligence Group”, one of the largest threat intelligence teams in the world, found that threat actors have been using a Microsoft Windows Policy loophole to forge kernel-mode driver signatures with an end-entity certificate on 29th of July, 2015 which allowed hackers to deploy malicious drivers onto unsuspecting victims, the malware being called “RedDriver”.
This comes as a big concern as malicious drivers running on kernel mode functions on any Windows operating system and evade any sort of detection from any firewall or anti-malware software. Malware having access to kernel mode means total compromise on the device infected, and no procedure executed on the device is safe from a threat actor.
Image from ‘Microsoft Learn’ diagram of Kernel ModeIt was suggested by Cisco Talos that the “RedDriver'' malware was created and frequently used by Chinese-speaking threat actors as the malware was operated by simplified Chinese language code and all domains and forums associated with the malware were based in China. It is also reported that the RedDriver’s primary target was also Chinese-speaking people as malicious drivers being deployed were mainly for Chinese Software.
It was discovered that hacking tools available since 2018 have been used to deploy the RedDriver malware to victims across the globe.
Image of hacking tool called “HookSignTool” involved in deploying 'RedDriver' malwareAfter Cisco Talos forwarded their findings to Microsoft, Microsoft responded by blocking all found certificates related to the threat to mitigate the malware from spreading to further devices. They also stated that its investigation found "…the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified."
It has been recommended for all users of Windows to keep up to date with patches released for all programs, anti-virus software, and endpoint detection programs. Downloading the latest software updates WILL keep your devices safe from discovered exploits and can prevent future threats from occurring. Check out our article here to see more on the essentials of Patch Management.
Your Security is our Priority
Your friendly Support Team
Speak to us about all your computer needs
This is Part of our Cyber Security awareness educational campaign. Through this training, you will learn awareness and key principles, and best practices to protect yourself, your organisation, and the public from cyber attackers. You will also be equipped with the knowledge to identify potential threats and take action before any damage can occur.