Unsecure Drivers Allow for Easy Windows Hacking: ReportStudy Identifies 40 Certified Drivers From 20 Vendors That Open the Door to Attacks
Researchers from the security firm Eclypsium have identified 40 poorly designed drivers from 20 vendors that can give attackers numerous ways to hack into various versions of Microsoft Windows.
See Also: Hybrid IT-OT Security Management
In their presentation of their findings at the 2019 DEF CON security conference in Las Vegas last week, Eclypsium researchers noted that all of these drivers - the code used for working with a computer's software and hardware - were developed by well-known vendors and had legitimate security certificates.
The Eclypsium researchers began their investigation in April and gave each of the vendors identified 90 days to address the various security issues before the report was published on Saturday.
"Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors," the study notes. "These drivers allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host."
As part of their investigation, the Eclypsium researchers found that attackers could exploit these poorly designed drivers and gain additional levels of access and permissions within an infected device, including access to the core kernel of Windows.
Once attackers had access to the Windows kernel and the BIOS of an infected computer, they could gain additional permissions, such as the ability to gain read and write access to processor and chipset I/O space as well as gain access to the virtual or physical memory of a machine, the report notes.
Through these escalating levels of privilege within a Windows machine, an attacker could bypass nearly all security controls, the report notes.
In the study, Eclypsium notes that these driver issues were persistent in all versions of Windows, and the company is now working with Microsoft to blacklist these bad drivers.
The Eclypsium report did not identify any attacks using these drivers in the wild, but the researchers' presentation offered some scenarios of how attackers could exploit these flaws.
Microsoft plans to use Eclypsium’s hypervisor-enforced code integrity tool to blacklist other drivers with flaws that are brought to the company's attention in order to keep these drivers off of Windows, according to the Eclypsium presentation.
The issue of insecure drivers arises primarily from third-party vendors that could give attackers increased permission to access the device kernel, according to Eclypsium. Further, by manipulating the known weaknesses, a malicious actor could increase the kernel privileges to wage larger and larger attacks, the report notes.
"In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware," the researchers note.
Some of the hardware and BIOs vendors that created these faulty drivers are: American Megatrends International, ASRock, Asus, ATI Technologies, Biostar, EVGA, Getac, Gigabyte Technology, Huawei, Insyde, Intel, Micro-Star International, Nvidia, Phoenix Technologies, Realtek Semiconductor, SuperMicro and Toshiba. The Eclypsium report did not name all the vendors as some needed more time to fix the flaws in their drivers.
The report notes that all the drivers came from trusted third-party vendors, had been signed by valid certificate authorities and were certified by Microsoft.
Using drivers to leverage attacks against the operating system kernel or the BIOS of a computers has been seen before, according to the Eclypsium study.
Previous attacks by the so-called SlingShot advanced persistent threat group, as well as separate attacks that used malware called LoJax, showed how an attacker could take over the system and continue to persist invisibly on the host device for many years, the report notes.
In both cases, the attackers behind these malicious payloads gained administrative control by installing rootkits by exploiting read-write capabilities of drivers, the security firm notes.
In 2018, researchers at Kaspersky identified nearly 100 victims of Slingshot malware used by an unknown threat group that affected systems in the Middle East and Africa. The malware, which had been active since 2012, remained undetected until March 2018 (see: How 'Slingshot' Router Malware Lurked for Six Years).
The Kaspersky researchers discovered the origin of the Malware to Latvian computer networks and found that the malware was downloading malicious components to Windows computers. By downloading dynamic link libraries and by lading them directly to the computer memory, the payload affected the device kernel.
The Trouble With Drivers
The security problems associated with drivers is not limited to Windows.
Three year ago, security researcher Patrick Wardle described finding bugs in Apple's I/O kit drivers. Some of those drivers had the authority to interact with macOS's kernel, which is the most sensitive part of the operating system where a hacker could cause the most damage (see: Weak Drivers Key to Compromising macOS).