Update: Cisco also shared additional details on RedDriver malware which never BSOD'd once during testing.
Earlier today, Microsoft released its Patch Tuesday updates for Windows 10 (KB5028166) and Windows 11(KB5028185). The company announced separately about the new Dynamic SafeOS updates meant for hardening the security mitigations put in place against Secure Boot vulnerabilities.
Alongside changes made to its Secure Boot DBX, Microsoft also added several malicious drivers to its Windows Driver.STL revocation list. Microsoft was informed of these vulnerable drivers by security research firms Cisco Talos, Sophos, and Trend Micro.
On a dedicated security advisory ADV230001, Microsoft explains the issue (CVE-2023-32046) which was a result of maliciously signed WHQL drivers:
Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers.
Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.
Microsoft has required kernel mode drivers to be signed using its WHDP program since Vista. However, as this has happened before, the certification is not a foolproof method. Cisco Talos contacted Neowin explaining that threat actors have been using various driver signature-forging utilities like HookSignTool to bypass the WHCP measures. Aside from forged signs, such utilities have also been used for re-signing patched software like that of PrimoCache.
During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers.
HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool.
The signing of malicious drivers isn’t the only issue that arises from the existence of these tools. During our research, we encountered HookSignTool being used to re-sign drivers after being patched to bypass digital rights management.
Microsoft has added all such drivers to the Vulnerable Driver Blocklist with Windows Security updates (Microsoft Defender 1.391.3822.0 and newer).