Root Causes 320: Microsoft-signed Root Kit Attack
A new rootkit attack in the wild is code signed by a Microsoft certificate. We explain kernel-level attacks, how powerful they are, and how this attack occurred.
- Original Broadcast Date: July 24, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We have a news item today. This is from July 12, 2023. I'm looking at a Dark Reading article. The headline is Hackers Target Gamers With Microsoft Signed Root Kit, written by Jai Vijayan. So hackers target gamers with Microsoft signed rootkits. That sounds bad.
-
Jason Soroko
It is bad, Tim. Look, what happened here, let's actually back up a little bit before we get even into what we usually talk about, what the root cause is, because I don't want to bury the lede, right? First of all, we haven't heard or talked about rootkits in a while.
-
Tim Callan
For a long time. In more than a year, I'm sure.
-
Jason Soroko
Exactly. And so this is really insidious stuff where whenever you're talking about something that is working down at the kernel level of your computer, this is probably working in, still in the user land or user space part of memory. It's things that are going on typically within the booting sequence of your computer, and then all kinds of crazy things can then happen with this. We could have a whole re-talk about what we're dealing with here but we really are talking about down at the driver level. Down at the – and below. Below that. Down at basically at the boot kit and driver level of your computer. The problem is, if you take a look at even in an automobile, we talked about this just recently, electronic control units and cars have signed firmware. And a lot of IoT devices have signed firmware, and the idea being your Android device, your Apple iPhone, iPad, it all has signed boot kits and signed operating systems. The reason for this is the manufacturers of these devices want you to have the intended experience. They want you to have genuine software running on your computer. It's not just the applications that we run. Therefore, you're not just signing software, you're signing the applications you see with your own eyes. There's a lot of other firmwares and drivers going on in the subsystems of your computer.
-
Tim Callan
Well, and all that stuff has to be authentic, right? Because if you go and you own that, you own everything.
-
Jason Soroko
The genuineness of your boot loaders and your firmware is absolutely critical. And so I find it interesting now, Tim, if you and I had been doing this podcast 10, 15 years ago, kernel level attacks were actually talked about a lot more because it was something that was a lot more common, because things like code signing, assigning a genuineness to the software at that level, was just not as common. You remember the 1990s era of PCs with BIOS systems. The BIOS was not signed. And so therefore rootkits that were able to change the firmware, change the BIOS at that level, were a lot more common. You look at a lot of the old, the vintage Black Hat and DEF CON talks. It was a lot about that. So this is what we're referring to here and sure enough, still to this day, we are talking about an attack on actual legitimate code signed software. The problem is this. The bad guys were able to get their hands on code signing certificates. Legitimate code signing certificates. That's why we're talking about it on this podcast, Tim.
-
Tim Callan
Right. And so that's what's unusual in this case. So they got real Microsoft code signing certificates, and therefore they could sign their malware as real, and it would appear to be real code. So how did that happen?
-
Jason Soroko
I'm going to read right from the article because I think it says exactly what it needs to. Microsoft has blamed the issue of Microsoft signed malicious drivers on rogue developer accounts within its partner program. So that's, that's pretty bad.
-
Tim Callan
So, I sign up to the partner program. I get in as if I am a traditional ISV and I get a code signing cert and I use this to sign code as if I'm a traditional ISP, but I am using this to - - I'm not really a developer. I'm really here just for purposes of another attack vector. Is that right?
-
Jason Soroko
You got it. I'll read the second sentence. According to the company, several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.
-
Tim Callan
Yeah, and apparently they succeeded.
-
Jason Soroko
They succeeded. And that's pretty bad. Because once that is signed, you know, malicious rootkits, malicious drivers, malicious anything that has now been code signed essentially by an authority as big as Microsoft, well, that's pretty bad. If you think about the way that endpoint protections work, Tim, and I'm sure everybody has their own heuristic, and there's a lot of secret sauce that goes on in that. But I gotta tell you, when a piece of software, especially down at the driver level, is signed by Microsoft or signed by anything with a legitimate code signing certificate, then that carries a lot of weight in the heuristic of even, like I say, endpoint software that's trying to go out and look for these kinds of things. Because if it's signed, it's essentially whitelisted, for lack of a better term. And so something that is whitelisted, as being hey, this is legitimate software running on this computer, it's awfully tough for any antivirus heuristic to say, no, you're not. Especially if it's novel. If it's a novel attack, because of the fact that just how is it supposed to determine that something that is whitelisted is actually malicious? That's what code signing is all about and the whole point of it is to try to - - It's just bad.
-
Tim Callan
Absolutely. And so, I mean, these can't be the first people in the world where this idea occurred to them. And I have to believe that Microsoft at least attempts to have measures in place to thwart this kind of thing and that on this occasion, they didn't work.
-
Jason Soroko
Exactly. And it gets worse, Tim. It actually gets worse than that. Because the final part of this article, and Dark Reading, great, great article here. That's why we're calling it out. Apparently, I think this was now Cisco Talos, who actually provided an extra piece of information here. The bad guys have really figured out something interesting. You could tell that they're reading the policies. These people are sharp, and so there was a rule, there was a policy that basically says, the Microsoft Windows driver signing policy says that if you have, basically, something that has been time stamped, something that's been code signed and timestamped prior to July 29, 2015, that's a loophole. And so what Cisco has figured out is that some bad guys are also utilizing open source timestamp-forging tools to alter the signing date on kernel mode Microsoft drivers.
-
Tim Callan
So, for this to work, you have to predate the current requirements. So there's a backward compatibility requirement, especially in the world of Windows with such a broad ecosystem and so much hardware and software and services and peripherals and just the ecosystem you support is enormous and one of the things that Microsoft enforces is a great deal of backward compatibility. Because when I go and buy my new laptop, I want to install my software that I already own and use the sites and services that I like and plug my peripherals in, and I want all this stuff to work and if it doesn't work, then it's a really bad experience for me. And so they do have a lot of backward compatibility. So, in this case, even though it's 2023, I might be using software that dates back to 2015 or earlier and under those circumstances, they're giving me less strict requirements because back then the requirements were less strict, and they don't want to break my stuff. And then you're saying that the bad guys basically can forge or spoof or trick a timestamp. And in so doing, they can make their newly crafted software appear to be software from prior to that date, take advantage of this requirement for backward compatibility to inject their attack.
-
Jason Soroko
You got it, Tim. So not a problem. Not a problem with the cryptography. Not a problem with code signing per se. Definitely a problem with a loophole in signing policies and also in the fact that if your developer program has rogue accounts that allow bad guys to come in and get their stuff signed, geez, there's not much that cryptography could do to help you there.
-
Tim Callan
And a challenge with just the running, operating, a massively complex and enormous ecosystem, right, because - -
-
Jason Soroko
If you put yourself in the shoes of a Microsoft product person, there's a reason why Microsoft obsesses over backwards compatibility: because they know it's bad press when half your customers' stuff breaks. That's just bad. And Microsoft just doesn't do that. So, interoperability trumps everything when it comes to Microsoft, and if I was a product guy there, I'd probably argue the same point. However, this is how you end up in situations just like this.
-
Tim Callan
It's tough. It's tough. It's tough. Like I don't even want to say that Microsoft did something wrong, per se. I think this is more of this is tough. This is why it's tough.
-
Jason Soroko
It's tough out there, folks. Absolutely. So, but there it is. We just wanted to call out a great article by this author at Dark Reading, and thanks for that.
-
Tim Callan
And I think a fascinating example of how systems, you think you've got the system all worked out and set and then something comes along, and it surprises you. Anyway, very interesting article. Thank you very much, Jason.