covering the week's top tech dorks like
Linux bias attackers behind one of the
world's most more destructive pieces of
ransomware
have found a new way to defeat defenses
that that might otherwise prevent the
attack from Incred encrypting data
installing a buggy driver first and then
hacking it to burrow deeper into the
targeted computer the ransomware in this
case is Robin Hood known for taking down
the city of Baltimore networks and
systems in Greenville North Carolina
Robin Hood can easily encrypt sensitive
files once a vulnerability has allowed
the malware to gain a toehold
for networks that are better fortified
the ransomware ax has a harder time
breaking in now Robin Hood has found a
way to defeat these defenses in two
recent attacks researchers from security
firm Sophos said the ransomware has used
its access to a targeted machine to
install a driver from taiwan-based
motherboard manufacturer gigabyte that
has a known vulnerability in it it's the
same vulnerability that led to gigabyte
officials discontinuing the use of the
driver but since it contains gigabytes
cryptographic signature the Windows
operating system trusts it and allows it
it allows it to run in the highly
sensitive Windows kernel region of the
OS without question whisks a benign but
buggy driver installed Robin Hood then
exploited the vulnerability to gain the
ability to read and write to virtually
any memory region chosen by the attacker
the Robin Hood exploit changed a single
byte to disable the windows requirement
that drivers be signed with that Robin
Hood installed its own unsigned driver
that used its highly privileged kernel
access to kill processes and files
belonging to endpoint security products
the advanced status of the driver gave
it greater ability than other techniques
to ensure that the targeted processes
are permanently stopped
there are other windows trusted drivers
with known vulnerabilities that could be
used in the same way of gigabytes
drivers these include sign drivers from
VirtualBox novel cpu-z and asus and
while the gigabyte driver may be the
first known instance of this type of
hack it is it very well may not be the
last
and points to a need for Microsoft to
reassess the way their certificate
revocation procedures hmm that's tough
mm-hmm because the the part of me wants
to say Oh we'll just revoke the
certificate anytime there's an exploit
but remember that then that would
nullify everybody's drivers right so
this is all mole I mean as I'm hearing
it this is like a new wave of Trojan
attacks so to speak yeah that's what it
feels like like you're coming in through
yeah trusted source to get access is
that not the basic principle of behind
it or is it a whole different way of
just feels like so they're using it as
an elevated privilege tactic so they're
using a driver that windows trusts
because of the signature being valid so
it's not a fake driver it's not like a
malware it is a legitimate driver but it
has a bug in it mm-hmm that caused it to
be recalled basically but the Windows
operating system no matter what version
you're running still trusts the
Installer for that driver because of the
certificate that is applied to it and so
the hackers are using that to then be
able to elevate their privileges and do
whatever the heck they want and that's
the scary thing because how do you stop
that how can you possibly stop that I
think it comes down to where's your
first line of defense I think the only
thing you have to do that you can look
at is how did they get in in the first
place was it a phishing scam was it
somebody clicked on an email that had
some file this malware that allowed
somebody to run some
resident in their computer is it that
you have remote desktop turned on on one
of your computers on your network and
that's really easy to hack now I don't
know how certificates work just because
I haven't delved into that but does each
certificate in each driver have its own
like a certificate identifier no the
driver doesn't have its own certificate
but the company that manufactures the
driver does so that certificate says yes
to Microsoft this is a gigabyte driver
provided by gigabyte because it contains
the certificate that proves that this is
a legitimate driver from gigabyte so
what if the certificate system changed
in such a way that you have your your
main certificate safer gigabyte but then
you have your sub certificates for each
driver roll out so that it identifies
this driver is this subset yeah a
developer I feel like that's your you're
giving me nightmares right now Jeff like
where you're going but it just sounds
like a logistical nightmare as far as
managing those certificates like it
could just be a nightmare I think maybe
some kind of an aristocrat is able to
identify maybe it's a checksum that
identifies known faulty drivers or
deprecated drivers so that Windows could
say yes this is a valid certificate
however gigabyte has marked this
certificate there this installer as bad
it's got to be some kind of an
identifier yeah it's good it'll be
interesting
yeah dude oh yeah that's the answer