Windows Policy Loophole allows Malware to Operate Undetected


Windows Policy Loophole Exploited at Kernel Level

Last week the Cisco Talos Intelligence Group, one of the largest threat intelligence teams in the world, made a dangerous discovery: threat actors have been abusing a Microsoft Windows policy loophole to forge kernel-mode driver signatures using an end-entity certificate dated 29 July 2015 (the cut-off date in Microsoft's driver-signing policy). This allowed the attackers to deploy malicious drivers onto unsuspecting victims; the malware has been named "RedDriver".

This is a big concern because a malicious driver running in kernel mode on any Windows operating system can evade detection by firewalls and anti-malware software. Malware with kernel-mode access means total compromise of the infected device: no procedure executed on that device is safe from the threat actor.
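As an added defender-side example (not from the article, Cisco Talos or Microsoft), the following PowerShell script lists the installed kernel drivers and flags any whose signer certificate was issued before the 29 July 2015 cut-off mentioned above, or whose signature does not verify; the driver directory and cut-off date are assumptions, and a flagged driver is a triage lead for a technician, not proof of compromise.

```powershell
# Added triage example: hunt for kernel drivers signed with an end-entity
# certificate that predates Microsoft's 29 July 2015 driver-signing cut-off.
# Many legitimate vendors also hold older certificates, so every hit needs
# manual review. Cut-off date and driver directory are assumptions.
$CutOff    = Get-Date -Date '2015-07-29'
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

$Findings = Get-ChildItem -Path $DriverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: a separate finding

        [pscustomobject]@{
            Driver     = $_.Name
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Subject    = $cert.Subject
            CertIssued = $cert.NotBefore      # certificate validity start
            FileWrite  = $_.LastWriteTime     # when the driver file last changed
            PreCutOff  = ($cert.NotBefore -lt $CutOff)
        }
    }

# Report drivers whose signer certificate predates the cut-off, or whose
# signature fails verification. An old certificate on a recently written
# file is the combination worth looking at first.
$Findings |
    Where-Object { $_.PreCutOff -or $_.Status -ne 'Valid' } |
    Sort-Object CertIssued |
    Format-Table Driver, Status, CertIssued, FileWrite, Subject -AutoSize
```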

Image from 'Microsoft Learn': diagram of Kernel Mode

Cisco Talos suggested that the "RedDriver" malware was created and is frequently used by Chinese-speaking threat actors, as the malware's code contains simplified Chinese and all domains and forums associated with it are based in China. It is also reported that RedDriver's primary targets were Chinese-speaking users, as the malicious drivers being deployed were mainly aimed at Chinese software.

It was discovered that hacking tools available since 2018 have been used to deploy the RedDriver malware to victims across the globe.

Image of the hacking tool "HookSignTool", involved in deploying the RedDriver malware

After Cisco Talos forwarded its findings to Microsoft, Microsoft responded by blocking all certificates found to be related to the threat, to stop the malware from spreading to further devices. Microsoft also stated that its investigation found "…the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified."


All Windows users are recommended to keep up to date with the patches released for all programs, anti-virus software and endpoint detection tools. Installing the latest software updates keeps your devices protected against exploits that have already been discovered and can prevent future threats from taking hold. Check out our article here to see more on the essentials of Patch Management.


Your Security is our Priority

Your friendly Support Team


This is Part of our Cyber Security awareness educational campaign. Through this training, you will learn awareness and key principles, and best practices to protect yourself, your organisation, and the public from cyber attackers. You will also be equipped with the knowledge to identify potential threats and take action before any damage can occur.
