No fix in sight for mile-wide loophole plaguing a key Windows defense for years

Over the past 15 years, Microsoft has made huge progress fortifying the Windows kernel, the core of the OS that hackers must control to successfully take over a computer. Strict new restrictions were enacted on the loading of system drivers. These drivers are important for computers to work with printers and other peripherals, but they are also a convenient way for hackers to gain access to the most sensitive parts of Windows. All such drivers had to be approved by Microsoft and digitally signed before they could be loaded, to make sure they were safe.

A year ago, Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole that has existed in Microsoft's driver signature enforcement (DSE) from the start. The malicious documents Lazarus tricked targets into opening gained administrative control of the target's computer, but Windows' modern kernel protections presented a formidable obstacle to Lazarus's objective of storming the kernel.

Path of least resistance

So Lazarus chose one of the oldest moves in the Windows exploitation playbook—a technique known as BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating some exotic zero-day to pierce Windows kernel protections, Lazarus members simply used the admin access they already had to install a driver that had been digitally signed by Dell prior to the discovery last year of a critical vulnerability that could be exploited to gain kernel privileges.

According to ESET researcher Peter Kálnai, Lazarus sent Microsoft Word documents to two targets, one of which was a political journalist in Belgium. The goal of the hackers was to install an advanced backdoor called Blindingcan, but first they had to disable various Windows protections. The path of least resistance was to install the buggy Dell driver.


Kálnai wrote that, for the first time in the wild, attackers were able to turn off the monitoring of all security solutions. It was done using a series of little-documented or undocumented Windows internals, which required deep research, development, and testing skills.

The attack on the journalist was stopped by the products of ESET.

While it may be the first documented case of attackers exploiting CVE-2021-21551 to pierce Windows kernel protections, it's by no means the first instance of a BYOVD attack. A small sampling of previous BYOVD attacks includes:
  • Malware dubbed SlingShot that hid on infected systems for six years until it was discovered by security firm Kaspersky. Active since 2012, SlingShot exploited vulnerabilities that had been found as early as 2007 in drivers including Speedfan.sys, sandra.sys, and the driver whose flaw is tracked at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824. Because these drivers had been digitally signed at one time, Microsoft had no viable way to prevent Windows from loading them, even though the vulnerabilities were well known.
  • RobbinHood, ransomware that installs the GIGABYTE motherboard driver GDRV.SYS and then exploits the known vulnerability CVE-2018-19320 to install its own malicious driver.
  • LoJax, the first UEFI rootkit known to be used in the wild. To gain access to targets' UEFI modules, the malware installed a powerful utility called RWEverything that had a valid digital signature.
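The common thread in every case above is that the abused driver carried a valid signature, so signature checks alone never flag it. A defender's detection therefore has to key on what was loaded, not on whether it was signed. The following is an added example, not code from the article or from ESET: it scans Sysmon-style DriverLoad (Event ID 6) records, written here as constructed key=value lines, and alerts on any driver whose file name or SHA-256 is on a vulnerable-driver block list. The block list entries use the driver names the article mentions; the hash values and the log lines are made up for illustration, and the file path and record format are assumptions.

```python
"""Alert on loads of known-vulnerable but validly signed drivers (BYOVD).

Constructed example: log lines, hash values and the block list are invented
for illustration; driver file names come from the article's list of abused
drivers. A real deployment would feed the lists from a maintained source
such as a vendor vulnerable-driver block list.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Block list keyed by lower-case file name (names taken from the article).
VULNERABLE_DRIVER_NAMES = {
    "gdrv.sys": "GIGABYTE GDRV.SYS, CVE-2018-19320 (abused by RobbinHood)",
    "speedfan.sys": "Speedfan.sys (abused by SlingShot)",
    "sandra.sys": "sandra.sys (abused by SlingShot)",
}
# Hash entries catch renamed copies. The value below is a placeholder, not a real IoC.
BLOCKED_SHA256 = {
    "placeholder_sha256_of_a_known_vulnerable_driver": "hash on vulnerable-driver block list",
}

# Constructed Sysmon-style DriverLoad records (Event ID 6), one per line.
SAMPLE_LOG = r"""EventID=6 ImageLoaded="C:\Windows\System32\drivers\ntfs.sys" Hashes=SHA256=aaaa1111 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=6 ImageLoaded="C:\Users\Public\gdrv.sys" Hashes=SHA256=bbbb2222 Signed=true Signature="Giga-Byte Technology" SignatureStatus=Valid
EventID=6 ImageLoaded="C:\Temp\helper.sys" Hashes=SHA256=PLACEHOLDER_SHA256_OF_A_KNOWN_VULNERABLE_DRIVER Signed=true Signature="Some Vendor" SignatureStatus=Valid
EventID=6 ImageLoaded="C:\Temp\unsigned.sys" Hashes=SHA256=cccc3333 Signed=false Signature="" SignatureStatus=Unavailable
"""

# key=value pairs; values may be quoted (allowing spaces) or bare.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class DriverLoad:
    image: str
    sha256: Optional[str]
    signed: bool
    signature: str
    signature_status: str


def parse_driver_load(line: str) -> DriverLoad:
    """Parse one key=value DriverLoad record."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    sha256 = None
    # The Hashes field is a comma-separated list such as "SHA256=...,MD5=...".
    for part in fields.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256" and digest:
            sha256 = digest.lower()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=sha256,
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def classify(load: DriverLoad) -> Optional[str]:
    """Return an alert reason, or None. A valid signature is deliberately not
    treated as exonerating: signed-but-vulnerable is exactly the BYOVD case."""
    name = PureWindowsPath(load.image).name.lower()
    if name in VULNERABLE_DRIVER_NAMES:
        return VULNERABLE_DRIVER_NAMES[name]
    if load.sha256 in BLOCKED_SHA256:
        return BLOCKED_SHA256[load.sha256]
    return None


def scan(log_text: str) -> list:
    """Return one finding per DriverLoad record that matches the block lists."""
    findings = []
    for line in log_text.splitlines():
        if "EventID=6" not in line:
            continue
        load = parse_driver_load(line)
        reason = classify(load)
        if reason:
            findings.append({"image": load.image, "reason": reason,
                             "signed": load.signed, "signature": load.signature})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT: {f['image']} signed={f['signed']} ({f['signature']}): {f['reason']}")
```

Note that the unsigned driver in the sample is not flagged by this logic; DSE already refuses such a load on a default configuration, and the point here is to catch the loads DSE lets through. Matching on file name is cheap but trivially evaded by renaming, which is why the hash list is the entry that matters in practice.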