• Old certificate, new signature: Open-source tools forge signature timestamps..


    #2572972

    Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers

    Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with a signature timestamp prior to July 29, 2015.

    Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.

    We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools.

    The majority of drivers we identified that contained a language code in their metadata have the Simplified Chinese language code, suggesting these tools are frequently used by native Chinese speakers.

    Cisco Talos has further identified an instance of one of these open-source tools being used to re-sign cracked drivers to bypass digital rights management (DRM).

    We have released a second blog post alongside this one demonstrating real-world abuse of this loophole by an undocumented malicious driver named RedDriver.

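    As an added, defender-side example that is not from the Talos post or from this thread: a Python triage over the signing timestamp, certificate validity window and PE compile time of a driver's Authenticode signature. It assumes those fields were extracted beforehand by another tool (for instance signtool verify /v or a PE/PKCS#7 parser) and uses constructed sample records; it flags the inconsistencies that a forged pre-2015 timestamp on an old certificate produces.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Cutoff from the Windows driver-signing policy described above: cross-signed
# drivers whose signature timestamp predates this date are still accepted for
# loading, which is exactly what the timestamp-forging tools rely on.
POLICY_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)
_UTC = timezone.utc


@dataclass
class DriverSignature:
    """Hypothetical input record; fields assumed pre-extracted from a .sys file."""
    path: str
    signing_time: datetime      # timestamp countersignature on the Authenticode blob
    cert_not_before: datetime   # signing certificate validity start
    cert_not_after: datetime    # signing certificate validity end
    pe_compile_time: datetime   # IMAGE_FILE_HEADER.TimeDateStamp of the driver
    cert_revoked: bool = False  # result of a revocation / blocklist lookup


def triage(sig: DriverSignature, now: datetime) -> list[str]:
    """Return the anomalies that point to a forged signing timestamp."""
    findings = []
    # A signature cannot legitimately predate the certificate it was made with.
    if sig.signing_time < sig.cert_not_before:
        findings.append("signing time predates certificate validity")
    # A file cannot be signed before it was compiled. TimeDateStamp can itself
    # be altered (reproducible builds store a hash there), so this is a heuristic.
    if sig.pe_compile_time > sig.signing_time:
        findings.append("compile timestamp is later than the signing time")
    # The population of interest: drivers that only load because the timestamp
    # falls under the pre-2015 exception, yet whose certificate is no longer valid.
    if sig.signing_time < POLICY_CUTOFF and (sig.cert_not_after < now or sig.cert_revoked):
        findings.append("relies on the pre-2015-07-29 exception with an expired or revoked certificate")
    return findings


def scan(sigs: list[DriverSignature], now: datetime) -> dict[str, list[str]]:
    """Map each driver path to its findings, keeping only suspicious entries."""
    return {s.path: f for s in sigs if (f := triage(s, now))}


REFERENCE_TIME = datetime(2023, 7, 11, tzinfo=_UTC)  # date of the advisory in this thread
SAMPLES = [  # constructed records, not real drivers
    # compiled, then signed after the cutoff while the certificate was valid
    DriverSignature("clean.sys", datetime(2016, 3, 1, tzinfo=_UTC), datetime(2015, 1, 1, tzinfo=_UTC),
                    datetime(2018, 1, 1, tzinfo=_UTC), datetime(2016, 2, 20, tzinfo=_UTC)),
    # "signed" in 2014 with a certificate issued in 2015, now expired; compiled in 2023
    DriverSignature("forged.sys", datetime(2014, 6, 1, tzinfo=_UTC), datetime(2015, 2, 1, tzinfo=_UTC),
                    datetime(2018, 2, 1, tzinfo=_UTC), datetime(2023, 5, 10, tzinfo=_UTC)),
]
```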
    • #2572985

      During the research phase for this blog post we reached out to Microsoft to notify them of our findings. In response, Microsoft has blocked all certificates discussed in this blog and has released an advisory. We would like to thank the Microsoft team for their assistance and cooperation in mitigating this threat.

      Microsoft, in response to our notification, has blocked all certificates discussed in this blog post. Please refer to the advisory published by Microsoft for further information on their response.

      Microsoft has released Windows Security updates (see Security Updates Table) [11 JUL 2023 Security Updates] that untrust drivers and driver signing certificates for the impacted files and has suspended the partners’ seller accounts. Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.391.3822.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.

      Recommended Actions:

      Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.

      How do I determine whether any affected drivers were installed before the available detections were implemented?

      Offline scans will be required to detect malicious drivers which might have been installed prior to March 2, 2023, when new Microsoft detections were implemented. For more information see Remove malware from your Windows PC.

      ADV230001 Guidance on Microsoft Signed Drivers Being Used Maliciously

      • #2572990

        This has all been dealt with via MS Defender v1.391.3822.0 together with the July Cumulative update.
        What of those that don’t use MS Defender and are waiting for July update clearance?

        Windows - commercial by definition and now function...
        • #2572994

          This has all been dealt with via MS Defender v1.391.3822.0 together with the July Cumulative update.

          That Defender update was released five days ago.

          What of those that don’t use MS Defender and are waiting for July update clearance?

          Ask AV vendor if they should just feel lucky?

        • #2573151

          At this time the attacks have been seen going after Chinese targets – for this attack anyway.

          Only install anything from trusted sources.

          Only open emails from trusted senders.

          As always remember that if you have a backup even IF you install updates earlier than when I say to – should something happen you can roll back. That is always the ultimate protection.

          Susan Bradley Patch Lady/Prudent patcher

    • #2573054

      Guidance on Microsoft Signed Drivers Being Used Maliciously

      Details:

      Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers…

      [Moderator edit] trimmed quote to reduce potential copyright issues

    • #2573081

      This has all been dealt with via MS Defender v1.391.3822.0 together with the July Cumulative update.

      That Defender update was released five days ago.

      pre-emptive mitigations.

      What of those that don’t use MS Defender and are waiting for July update clearance?

      Ask AV vendor if they should just feel lucky?

      that’s encouraging…

      Windows - commercial by definition and now function...