Delaware, USA – August 12, 2019 – Researchers found vulnerable kernel-mode drivers developed for the hardware of at least 20 vendors, including NVIDIA, AMD, and Realtek. At the DEF CON conference, Eclypsium researchers presented their findings: over forty 64-bit kernel drivers, all signed by Microsoft, that can be used to bypass and disable Windows protection mechanisms. The vulnerabilities allow applications with low privileges to use legitimate driver functions to perform malicious actions in the most sensitive areas of the Windows operating system, without any restriction or check from Microsoft. Arbitrary hardware access through a vulnerable driver can allow malicious modification of firmware components, which lets attackers deploy persistent backdoors that antivirus solutions cannot detect. The researchers say this is common practice in driver development: authors do not keep security in mind and let drivers perform arbitrary actions on behalf of userspace. Most vendors have already released updates, but three hardware vendors are still in the process of releasing fixes, so they are not yet named in the report. The researchers have promised to publish a script to search for vulnerable drivers, along with proof-of-concept code.
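For defenders who cannot wait for the researchers' script, the following is an added PowerShell example (not code from Eclypsium or from this report) that inventories the kernel drivers currently running on a Windows host, records each driver's Authenticode signer and SHA-256 hash, and flags any hash that appears on a block list you maintain. The block list below is a placeholder to be filled from the published advisories; the filter on the signer name "Hardware Compatibility Publisher" is a heuristic, since vendor drivers submitted through WHQL typically carry that Microsoft signer rather than the "Microsoft Windows" signer used for inbox drivers.

```powershell
# Added example: inventory running kernel drivers, capture signer and hash,
# and compare against a block list. Not part of the original report.

# PLACEHOLDER: replace with SHA-256 hashes from the vendor/researcher advisories.
$KnownBadDriverHashes = @(
    'PLACEHOLDER_SHA256_FROM_ADVISORY'
)

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service PathName values appear in several shapes:
    #   \??\C:\Windows\system32\drivers\x.sys
    #   \SystemRoot\System32\drivers\x.sys
    #   system32\drivers\x.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Note: drivers signed only via a catalog (no embedded signature) may
            # report NotSigned on older Windows builds; treat that as "check manually".
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                SigStatus   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
                SHA256      = $hash
                # Heuristic: WHQL-submitted vendor drivers usually show this signer.
                VendorWHQL  = ($sig.SignerCertificate.Subject -match 'Hardware Compatibility Publisher')
                OnBlockList = ($KnownBadDriverHashes -contains $hash)
            }
        }
    }

# Show block-list hits first, then third-party WHQL drivers for manual review.
$report |
    Where-Object { $_.OnBlockList -or $_.VendorWHQL -or $_.SigStatus -ne 'Valid' } |
    Sort-Object OnBlockList, VendorWHQL -Descending |
    Format-Table Name, SigStatus, Signer, SHA256, OnBlockList -AutoSize

# Keep the full inventory for diffing across hosts or over time.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-inventory.csv"
```

Run it from an elevated PowerShell session so that every driver file under the system directory is readable. The exported CSV is the useful artifact: collecting it from many hosts and diffing against a known-good baseline surfaces newly loaded third-party drivers, which is the signal that matters for this class of issue because a driver on the block list is only dangerous once it is present on the machine.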
Such vulnerabilities are of interest to advanced threat actors and APT groups: exploiting them requires deep knowledge and is possible only on already compromised systems, but it opens up many opportunities for cyber-espionage. For example, the Fancy Bear APT group created the LoJax UEFI rootkit based on the code of an application that helps track the location of stolen devices. LoJax hides in SPI flash memory and survives even replacement of the hard disk. To uncover sophisticated attacks, you can use your SIEM together with the APT Framework rule pack, which connects the dots between low-level SIEM incidents and links them to high-confidence compromises: https://my.socprime.com/en/integrations/apt-framework-hpe-arcsight