CyberWire Daily - On the hunt for popping up kernel drives. [Research Saturday]
Episode Date: December 9, 2023
Dana Behling, researcher from Carbon Black, shares their work on "Hunting Vulnerable Kernel Drivers." The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers accepting firmware access, six of which also allow kernel memory access. TAU reported the issues to the vendors whose drivers had valid signatures at the time of discovery, but only two vendors fixed the vulnerabilities. TAU is calling for more comprehensive approaches in the future than the current banned-list method used by Microsoft. The research states "By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges." The research can be found here: Hunting Vulnerable Kernel Drivers
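As an added example, not code from the episode or from the Carbon Black research, the following PowerShell script applies the two defensive recommendations given at the end of the interview: hash on-disk and currently loaded kernel drivers against the loldrivers.io feed, and surface recent kernel driver installs from the System event log (event 7045), since a fresh driver install in a corporate environment is the signal Behling describes. The feed URL and its JSON field names (Id, Tags, KnownVulnerableSamples[].SHA256) are assumptions about the loldrivers.io API, and the 7045 field order (ServiceName, ImagePath, ServiceType, StartType, AccountName) is assumed to be the standard one; confirm both before relying on the script.

```powershell
# Added example, not from the episode or the Carbon Black research.
# Assumptions: the feed URL and JSON shape (entries with Id, Tags[] and
# KnownVulnerableSamples[].SHA256) follow the public loldrivers.io site.
$FeedUrl = 'https://www.loldrivers.io/api/drivers.json'

function Get-VulnerableDriverHashes {
    # Build a lowercase SHA256 -> driver label lookup from the LOLDrivers feed.
    $table = @{}
    foreach ($entry in (Invoke-RestMethod -Uri $FeedUrl)) {
        $label = if ($entry.Tags) { $entry.Tags -join ',' } else { $entry.Id }
        foreach ($sample in $entry.KnownVulnerableSamples) {
            if ($sample.SHA256) { $table[$sample.SHA256.ToLowerInvariant()] = $label }
        }
    }
    return $table
}

function Find-KnownVulnerableDrivers {
    param([hashtable]$Known)
    # On-disk drivers: the live driver directory plus the driver store (staged packages).
    $roots = @("$env:SystemRoot\System32\drivers",
               "$env:SystemRoot\System32\DriverStore\FileRepository")
    $files = Get-ChildItem -Path $roots -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName

    # Loaded kernel drivers may live anywhere (a BYOVD drop often lands in %TEMP% or
    # ProgramData), so also take the image path of every running driver service from the SCM.
    # Normalise the \??\ and \SystemRoot prefixes the SCM reports for some drivers.
    $loaded = Get-CimInstance Win32_SystemDriver |
              Where-Object { $_.State -eq 'Running' -and $_.PathName } |
              ForEach-Object {
                  ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
              }

    foreach ($path in (@($files) + @($loaded) | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        if ($Known.ContainsKey($hash)) {
            [pscustomobject]@{ Path = $path; SHA256 = $hash; KnownAs = $Known[$hash] }
        }
    }
}

function Get-RecentKernelDriverInstalls {
    param([int]$Days = 30)
    # Event 7045 (Service Control Manager) is logged for every new service, kernel drivers
    # included; the ServiceType field separates them from user-mode services.
    # Property indexes assume the standard 7045 field order (assumption, see lead-in).
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                Installer   = $_.Properties[4].Value
            }
        }
}

$known = Get-VulnerableDriverHashes
Find-KnownVulnerableDrivers -Known $known | Format-Table -AutoSize
Get-RecentKernelDriverInstalls -Days 30 | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that every driver image is readable. A hit from the first table means a driver on the public vulnerable list is present (on disk or loaded) and should be updated or removed; a row in the second table for an unexpected service name or image path outside the driver store is the "new driver being loaded" clue discussed in the interview. Hash matching only catches samples already on the list, which is the same limitation as Microsoft's banned-list approach the research criticises, so treat it as a starting point rather than a complete control.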
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
As part of this research, we were looking at new and novel ways that you could leverage
vulnerable drivers or drivers in general in an attack sequence.
Our guest today is Dana Behling, a researcher from VMware Carbon Black's Threat Analysis Unit.
The research we're discussing today is titled Hunting Vulnerable Kernel Drivers.
Well, bring your own vulnerable driver attacks are becoming more common
on the threat landscape in general.
One of the most important reasons
that VMware and Carbon Black are interested in them is that drivers are commonly used to turn off security processes.
And being a security process ourselves, we don't want that to happen, right?
So as part of this research, we were looking at new and novel ways that you could leverage vulnerable drivers or drivers in general in an attack sequence.
Well, let's dig into the research together here.
Can you give us an overview?
Exactly what are we looking at here today?
So the research was initially conducted by my colleague, Takahiro Haruyama,
and he was looking at a method to automate the process of searching for vulnerable drivers.
When he initially created his framework for looking for the vulnerable drivers,
we found such a huge number of vulnerable drivers.
He ended up having to scale it back a bit.
So what we did was we looked for only vulnerable drivers
that could access very specific kernel resources,
so a specific function call within the kernel driver framework. And what his research demonstrated
was the function call for rewriting firmware. Firmware is the software that resides on the
actual hardware chips themselves. The reason that it's
so important to protect firmware from rewriting is that, well, first of all, most people don't
pay attention to it once they purchase a hardware device. Whatever firmware is on it is what's going
to be on it until the device is discarded. But secondly, even if you reinstall your operating
system, that firmware will stay there, right? So if an actor is able to rewrite that software
that's on the hardware itself, there's a very, very small chance that it will get upgraded to
a patched version just because people aren't
paying attention to it. And secondly, it will allow the attack or whatever the purpose is
for rewriting the hardware to live on until that device is discarded.
Well, let's go through the research together here. What was the process
by which you all hunted these down?
So one of the most troublesome things about vulnerable drivers is that by necessity, the kernel is divided into two different sections.
There's the kernel mode and the user mode, okay, in an operating system. The kernel mode is where all of the protected processes happen,
and the user mode is like the public area.
I consider it sort of like a bank, right?
There's the public area, and then there's the private area.
The private area is the kernel mode.
The public area is the user mode.
Because hardware users need to make changes in the kernel mode, there are these things called I/O control commands, IOCTL, which allow a user to send a command
from the user mode, the unprotected spot of the operating system, into that very protected spot.
And by making those commands, you can affect the kernel resources and negate all the things that
Windows or Microsoft has put into place to protect the kernel itself. Takahiro's research showed that you could make calls directly to a function called MmMapIoSpace,
which allows you to write memory directly to addresses in the real address space
because it allows you to map from the real addresses to the virtual addresses,
which basically is like saying,
rather than giving someone your home address, like 123 Elm Street, you're giving them the
GPS coordinates. And so they could write directly to that place.
We'll be right back.
And so is this a case where there's a legitimate and needed functionality that is out there unprotected,
and that's what allows it to potentially be used for bad things?
Oh, sure. Well, I'm thinking that the reason that the original authors left that in there
is so that way they would have the ability to upgrade the firmware themselves. But in this
case, because it's left open to the world, anyone is allowed to, quote, upgrade the firmware, right, with whatever they want or not at all and just make the hardware completely unusable, which was also demonstrated.
What is your sense for the degree to which this is a problem out there?
How widespread this could be?
So the bring your own vulnerable driver attacks is extremely widespread.
I think there's been less research into the area of firmware re... driver attack negates all of the PatchGuard and
virtualization-based security that Microsoft has implemented to allow any actor to access the
protected resources in the kernel that are normally thought of as being protected.
And all you really need is admin access to do it, for which there are numerous tools available,
you know, even on GitHub to elevate a person's access to admin in order to enumerate all of
these protected resources in the kernel that would normally not be accessible by a normal user.
Oh, you anticipated my next question, which was, you know, what degree of
access do you need to have? So admin will get you in there with no problem. That's right. So you can,
once you install the driver, in many cases for the vulnerable drivers, almost all of its resources
are available to you. Microsoft does recommend that the driver authors themselves implement
access protected resources and add an additional layer of security.
But from what I've seen in drivers, that's very rare.
Is this a case of kind of out of sight, out of mind where they're, I don't know,
almost a security by obscurity thing where
they're banking on the fact that not many people have firmware top of mind? I think that could be
part of it. I think another part of it is that as a culture and industry, we think of drivers as
these very complex things that are not understandable by the normal person. But in reality, a driver is just another type of software,
just like in the user space.
It uses different libraries and it has some different rules
that it has to abide by.
But in reality, it's just software and it has all the same vulnerabilities
plus additional vulnerabilities that other software has and that we're all very familiar with.
What are your recommendations then for folks who may be concerned about this? What sort of things can they put in place to protect themselves?
There is a website, loldrivers.io.
And so that LOL stands for Living Off the Land Drivers. That provides a list of
all of the drivers with known vulnerabilities. You can put those on a protected list. And if you
have any of those drivers in your environment, the first thing that I would do is look to see
if there is an updated version of that driver. And just like with all other software,
you want to be running the most up-to-date version of your drivers.
So that way you aren't at risk of that vulnerable driver
being used even without admin rights in your environment.
Another thing you can do is have security products in place
that are watching for new drivers being loaded.
In most corporate environments, drivers should not be being installed on a regular basis.
So if you do see drivers being installed, that's a very good clue that
a bring your own vulnerable driver attack is about to happen or has already happened.
Our thanks to Dana Behling from Carbon Black for joining us.
The research is titled Hunting Vulnerable Kernel Drivers.
We'll have a link in the show notes.
The Cyber Wire Research Saturday podcast is a production of N2K Networks.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin. Our mixer is
Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karpf. Our executive editor is Peter Kilby.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.