Lazarus is the latest group to pull off a “bring your own vulnerable device” attack.
Over the past 15 years, Microsoft has made huge progress fortifying the Windows kernel, the core of the OS that hackers must control to successfully take control of a computer. A cornerstone of that progress was the enactment of strict new restrictions on the loading of system drivers that could run in kernel mode. These drivers are crucial for computers to work with printers and other peripherals, but they’re also a convenient inroad that hackers can take to allow their malware to gain unfettered access to the most sensitive parts of Windows. With the advent of Windows Vista, all such drivers could only be loaded after they’d been approved in advance by Microsoft and then digitally signed to verify they were safe.
Last week, researchers from security firm ESET revealed that about a year ago, Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole that existed in Microsoft’s driver signature enforcement (DSE) from the start. The malicious documents Lazarus tricked targets into opening were able to gain administrative control of the target’s computer, but Windows’ modern kernel protections presented a formidable obstacle to Lazarus’ objective of storming the kernel.
Path Of Least Resistance
So Lazarus chose one of the oldest moves in the Windows exploitation playbook—a technique known as BYOVD, short for bring your own vulnerable driver. Instead of finding and cultivating some exotic zero-day to pierce Windows kernel protections, Lazarus members simply used the admin access they already had to install a driver that had been digitally signed by Dell prior to the discovery last year of a critical vulnerability that could be exploited to gain kernel privileges.
ESET researcher Peter Kálnai said Lazarus sent two targets—one an employee of an aerospace company in the Netherlands and the other a political journalist in Belgium—Microsoft Word documents that had been booby-trapped with malicious code that infected computers that opened them. The hackers’ objective was to install an advanced backdoor dubbed Blindingcan, but to make that happen, they first had to disable various Windows protections. The path of least resistance, in this case, was simply to install dbutil_2_3.sys, the buggy Dell driver, which is responsible for updating Dell firmware through Dell’s custom BIOS Utility.
“For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions,” Kálnai wrote, referring to the designation used to track the vulnerability in the Dell driver. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.”
In the case involving the journalist, the attack was triggered but was quickly stopped by ESET products, with just one malicious executable involved.
While it may be the first documented case of attackers exploiting CVE-2021-21551 to pierce Windows kernel protections, it’s by no means the first instance of a BYOVD attack. A small sampling of previous BYOVD attacks includes:
- Malware dubbed SlingShot that hid on infected systems for six years until it was discovered by security firm Kaspersky. Active since 2012, SlingShot exploited vulnerabilities that had been found as early as 2007 in drivers including Speedfan.sys, sandra.sys, and the driver tracked as CVE-2009-0824 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824). Because these drivers had been digitally signed at one time, Microsoft had no viable way to prevent Windows from loading them, even though the vulnerabilities were well known.
- RobbinHood, the name of ransomware that installs the GIGABYTE motherboard driver GDRV.SYS and then exploits the known vulnerability CVE-2018-19320 to install its own malicious driver.
- LoJax, the first UEFI rootkit known to be used in the wild. To gain access to targets’ UEFI modules, the malware installed a powerful utility called RWEverything that had a valid digital signature.
This BYOVD primer, authored by ESET’s Michal Poslušný, lists a host of other known vulnerable drivers that have been used to break Microsoft’s DSE.
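A defender-side first pass at spotting loads of the drivers named above, added here as an example and not taken from the article or from ESET. It assumes driver-load telemetry exported as JSON lines using Sysmon Event ID 6 field names (ImageLoaded, SignatureStatus); the records, host names and signer strings are constructed. Matching on file name is only a starting point: hash-based matching is more robust, but the article gives no hashes.

```python
import json
import ntpath  # parses Windows paths correctly on any analysis host

# Driver file names mentioned in the article (lower-cased for matching).
WATCHLIST = {"dbutil_2_3.sys", "gdrv.sys", "speedfan.sys", "sandra.sys"}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 6, "UtcTime": "2022-10-03 09:14:02.118", "Computer": "WS-014", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2022-10-03 09:20:41.530", "Computer": "WS-014", "ImageLoaded": "C:\\Users\\Public\\DBUtil_2_3.sys", "Signature": "Dell Inc.", "SignatureStatus": "Valid"}
{"EventID": 11, "UtcTime": "2022-10-03 09:25:10.002", "Computer": "WS-022", "TargetFilename": "C:\\Temp\\sandra.sys"}
{"EventID": 6, "UtcTime": "2022-10-03 09:30:55.771", "Computer": "SRV-003", "ImageLoaded": "C:\\Windows\\System32\\drivers\\gdrv.sys", "Signature": "Example Signer", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2022-10-03 09:31
"""


def find_watchlisted_loads(jsonl):
    """Return one finding per driver-load event whose file name is watchlisted."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt record: skip it, keep going
        if not isinstance(event, dict) or event.get("EventID") != 6:
            continue  # only "Driver loaded" events count as a load
        path = str(event.get("ImageLoaded", ""))
        name = ntpath.basename(path).lower()
        if name not in WATCHLIST:
            continue
        findings.append({
            "computer": event.get("Computer"),
            "time": event.get("UtcTime"),
            "driver": name,
            "path": path,
            # Reported for context only: a valid signature is exactly what
            # BYOVD relies on, so it must never suppress the finding.
            "valid_signature": event.get("SignatureStatus") == "Valid",
        })
    return findings


if __name__ == "__main__":
    for finding in find_watchlisted_loads(SAMPLE_EVENTS):
        print(finding)
```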
Given the history, you might think that Microsoft would have created a viable defense to stop BYOVD attacks, but sadly there’s no evidence that’s the case. The company claims that Windows users can enable a feature that automatically blocks known vulnerable drivers, but I was unable to make it work on my ThinkPad running the latest version of Windows 10, and as I’ll get to shortly, Microsoft has no interest in helping me.
The company also suggests elsewhere that turning on the combination of memory integrity and Hypervisor-protected code integrity will offer protection against BYOVD attacks, but at my request, Kálnai enabled both on a system running Windows 10 Enterprise, 10.0.19044 and then attempted to load the vulnerable Dell driver exploited by Lazarus. As the screenshot below shows, the driver loaded just fine.
In fairness to Microsoft, blocking a set of signed drivers from loading in Windows is a complicated process. At first blush, revoking the certificates used to sign the drivers may sound viable, but it’s not. The Internet servers that make certificate revocation work aren’t reliable enough. There are other complications as well, including the volume of drivers Microsoft must support through its massive ecosystem.
“Unfortunately, [blocking] signed drivers is [a] complicated problem since it’s already trusted and [a] black/white listing approach will not work at such scale,” Alex Matrosov, founder and CEO of security firm Binarly and an expert in BYOVD attacks, wrote in a private chat. “MS [is] trying to create some runtime prevention over blocking known vulnerable or malicious drivers but it doesn’t solve [the] industry-wide problem. You can block one, two or ten drivers but it’s thousands of them which can be used in such a way.”
Kálnai concurred, writing in an email:
“Vulnerable drivers have been abused by the game-cheating community and malware authors alike for a long time. It is still an ongoing battle. The vendors are trying to fix the vulnerabilities; Microsoft is trying to strengthen the operating system from the inside and third-party security vendors are trying to detect such drivers themselves. But still, the industry doesn’t have a unified way of handling the problem and there’s no guarantee that [one] even exists.”
Hear no evil, speak no evil
I also sent an email to people at WE Communications, the PR gatekeeper for all things Microsoft. “Is there anything Microsoft, Dell or anyone else can do to prevent these so-called bring your own vulnerable driver techniques from working?” I asked. “Maybe a blocklist or driver certificate revocation? If these remedies ARE in place, why didn’t it work in this case, and in past cases of BYOVD (e.g. Slingshot and InvisiMole APT groups, the RobbinHood, and LoJax)?”
I also asked for some basic history of Windows DSE to make sure my understanding was accurate.
A few hours later, I got a response: “Hi Dan, Heard from Microsoft on this and nothing to share here at this time.”
Contrast this curt response to tweets like this one, from Microsoft’s VP of OS Security and Enterprise, claiming “Windows has everything you need to block” buggy signed drivers.
Even if an enterprise with experienced admins gets driver blocking to work, ESET reports the protection may result in a performance hit of anywhere from 5 percent to 25 percent. For the time being, it would appear that BYOVD attacks are a fact of life for many Windows users. Microsoft declined to say if new Windows 11 protections will make any difference.
I tried to make the case to WE Communications that there’s no benefit to Microsoft or its customers to stay mum in cases like these, and that if there are no meaningful mitigations for this particular threat, the company would receive points for transparency and honesty by simply saying that.
Unfortunately, the “nothing to share” response is increasingly the dominant approach Microsoft and many of its competitors take to discussing unpleasant security realities in 2022. As enlightening as last week’s report from ESET is, it may be that its biggest takeaway is that people can’t count on the companies they trust to provide transparent, actionable security advice, and that those companies instead willfully leave reporters in the dark.