Hackers spread malware in Windows kernel through open-source software

Hackers are using open-source software to sneak Windows malware past Microsoft’s driver restrictions and reach the most critical layer of the operating system: the Windows kernel.

Hackers are abusing two software tools from GitHub to spread malware on Windows devices. Hackers can thus break into the Windows kernel, giving them access to the operating system’s most critical and sensitive features.

Researchers from the Talos security team, part of Cisco, discovered the activities. According to the report, Chinese hacker collectives are exploiting open-source tools that were originally written for cheating in video games; now hackers have turned to them as well.

Tools activate Microsoft’s exception rule

The attackers found a way in through an exception that Microsoft built into the restrictions it imposes on drivers. The exception grants drivers signed with a certificate issued before July 29, 2015 access to Windows systems.

“As a result, multiple open-source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available,” the researchers write.

Hackers first build the malware they want to load into the Windows kernel and sign it with a stolen or expired Windows certificate that was issued before July 29, 2015. They then use tools from GitHub to defeat Microsoft’s CertTimeValidity feature, the function that judges whether a certificate qualifies for the exception rule.
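A defender can turn the exception described above into an inventory check. The following PowerShell script is an added example, not code from Talos or Microsoft: it lists the running kernel drivers, reads each file’s Authenticode signer certificate, and flags those whose certificate predates the July 29, 2015 cutoff, has expired, or was issued to a non-Microsoft signer. The cutoff date comes from the article; the function name, flag labels and the Microsoft subject-name heuristic are assumptions of this example.

```powershell
# Added example (not from the Talos report): flag running kernel drivers whose
# signing certificate falls under the pre-July-29-2015 exception or has expired.
$Cutoff = Get-Date '2015-07-29'   # cutoff date as stated in the article

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # CIM reports paths as \SystemRoot\... or \??\C:\...; normalise them
            $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig   = Get-AuthenticodeSignature -LiteralPath $path
            $cert  = $sig.SignerCertificate
            $flags = @()
            if ($sig.Status -ne 'Valid') { $flags += "status:$($sig.Status)" }

            $subject = ''; $notBefore = $null; $notAfter = $null
            if ($cert) {
                $subject = $cert.Subject; $notBefore = $cert.NotBefore; $notAfter = $cert.NotAfter
                if ($notBefore -lt $Cutoff)    { $flags += 'pre-cutoff-cert' }
                if ($notAfter -lt (Get-Date))  { $flags += 'expired-cert' }
                # Heuristic (assumption): WHQL/Microsoft-signed drivers carry a Microsoft subject
                if ($subject -notmatch 'Microsoft') { $flags += 'third-party-signer' }
            } else {
                $flags += 'no-signer'
            }

            [pscustomobject]@{
                Driver    = $_.Name
                Path      = $path
                Signer    = $subject
                NotBefore = $notBefore
                NotAfter  = $notAfter
                Flags     = ($flags -join ',')
            }
        }
}

# Show only drivers matching the article's pattern: a third-party signer whose
# certificate predates the cutoff (expired or not). These need triage, not deletion.
Get-DriverSignerReport |
    Where-Object { $_.Flags -match 'pre-cutoff-cert' -and $_.Flags -match 'third-party-signer' } |
    Format-Table -AutoSize
```

Legitimate cross-signed drivers from before 2015 will also appear in this list, so each hit is a starting point for triage (vendor, file hash, install date), not proof of compromise.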

Windows update partially fixes the problem

Talos named several of these certificates and notified Microsoft of the problem; Microsoft has since blocked the known certificates in its most recently released update.

Windows is a popular operating system and therefore attracts the attention of hackers: a single successfully developed piece of malware can immediately be spread to a large share of users. Recently, other security researchers discovered a new ransomware masquerading as a Windows update.