posted by Fnord666 on Wednesday February 12 2020, @01:44AM
from the digital-signing-FTF dept.

A kernel-level driver for old PC motherboards has been abused by criminals to hijack Windows computers, disable antivirus, and hold files to ransom.

Sophos this month reported that an arbitrary read-write flaw in a digitally signed driver for now-deprecated Gigabyte hardware was recently used by ransomware, dubbed Robbinhood, to quietly switch off security safeguards on Windows 7, 8 and 10 machines.

The problem, said Sophos, is that while Gigabyte stopped supporting and shipping the driver a while back, the software's cryptographic signature is still valid. And so, when the ransomware infects a computer – either by some other exploit or by tricking a victim into running it – and loads the driver, the operating system and antivirus packages will allow it because the driver appears legit.

At that point, the ransomware exploits the security flaw in the Gigabyte driver to alter memory to bypass protection mechanisms and inject malicious code into kernel space, completely compromising the box and allowing the file-scrambling component to run unhindered.

Also at: threatpost.

If only they used their powers for good.

  • (Score: 3, Informative) by vux984 on Wednesday February 12 2020, @01:55AM (17 children)

    by vux984 (5045) on Wednesday February 12 2020, @01:55AM (#957042)

    It's neat on a technical level, but unless I've missed something it's really not a particularly big threat.

    Sure the driver is signed, and sure it has an exploit. But if installing it comes down to:

    "either by some other exploit or by tricking a victim into running it"

    Then it's no different than any other threat. Once you've tricked your victim into running it as administrator, then the whole signed driver thing is kind of moot. I mean, if the attackers need admin rights to install it, then it doesn't do them a lot of good. And if they have admin rights, then really this is just the cherry on top, they're ALREADY in with admin rights -- they can do plenty of damage without installing an exploitable kernel driver.

    Again: "unless I've missed something"?

  • (Score: 0) by Anonymous Coward on Wednesday February 12 2020, @02:04AM (3 children)

    by Anonymous Coward on Wednesday February 12 2020, @02:04AM (#957046)

    Yeah, you missed the bigger picture... "Windows".

    • (Score: 1, Redundant) by aristarchus on Wednesday February 12 2020, @03:17AM (1 child)

      by aristarchus (2645) on Wednesday February 12 2020, @03:17AM (#957075) Journal

      Picture Windows? Sounds like the security flaw in the "security safeguards on Windows 7, 8 and 10 machines." Which made me lol, you know. Like "security safeguards on Windows" was a real thing! Ha!

    • (Score: 0) by Anonymous Coward on Wednesday February 12 2020, @08:12AM

      by Anonymous Coward on Wednesday February 12 2020, @08:12AM (#957130)

      And the other part of the problem - Gigabyte. I have had a very bad experience with an expensive replacement (gaming level 17" laptop) for my ageing rig lasting less than 2 years. The brand: Gigabyte. So my now ancient rig has outlasted its replacement. I would never buy anything Gigabyte again. /rant

  • (Score: 2) by c0lo on Wednesday February 12 2020, @02:44AM

    by c0lo (156) Subscriber Badge on Wednesday February 12 2020, @02:44AM (#957060) Journal

    Again: "unless I've missed something"?

    Opportunism isn't necessarily a winning strategy even in the black-hat world.
    For instance, I imagine that exfiltrating lotsa files from the compromised computer and sifting through them will be taking a bit more time than a simple admin session. As it would be attempting to find other, possibly more juicy (than the compromised) targets in the network.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by TheReaperD on Wednesday February 12 2020, @03:40AM (1 child)

    by TheReaperD (5556) on Wednesday February 12 2020, @03:40AM (#957080)

    The part you're missing is that, while you are boned if you've already run a virus as admin, the difference is your ability to remove it. A standard virus can be removed by an anti-virus, even if it requires a CD or USB boot. The problem here is that the driver will not show up as a virus and it will not be removed, even from an external boot, and to slave boot your primary drive and manually remove the driver and replace it with a legitimate one, then modify the Windows registry to match, is way beyond any normal user and even most of tech support, leaving the only choice to wipe the drive.

    --
    Ad eundum quo nemo ante iit
    • (Score: 2) by vux984 on Wednesday February 12 2020, @05:44PM

      by vux984 (5045) on Wednesday February 12 2020, @05:44PM (#957288)

      That's an interesting point, but not necessarily true -- the driver could and should simply be flagged in the virus signature lists, and quarantined like any other simple virus. The fact that it's signed makes it particularly easy to keep track of because it can't be modified to evade the antivirus checks.
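
      Extending vux984's point that a validly signed but vulnerable driver can be tracked by hash precisely because the signature pins its bytes, here is an added PowerShell inventory check (not code from this thread, from Sophos, or from Gigabyte): it walks the drivers the system knows about, records whether each Authenticode signature still validates, and flags any whose SHA-256 is on a blocklist. The blocklist entry below is a constructed placeholder; a real one would be populated from Microsoft's recommended driver block rules or a vendor advisory.

```powershell
# Added example: hash-based trust check of installed kernel drivers.
# A 'Valid' Authenticode status only proves the file is unmodified; it says
# nothing about whether the driver is known to be exploitable. A blocklist keyed
# on the file hash catches exactly the case discussed in this thread.

# Constructed placeholder, NOT a real indicator. Replace with entries from
# Microsoft's recommended driver block rules or a vendor advisory.
$BlockedDriverHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'placeholder: deprecated vendor driver with arbitrary read/write primitive'
}

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may be a plain path, \??\C:\..., \SystemRoot\..., or relative to %SystemRoot%.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverTrustReport {
    # One record per driver: signature status, signer, SHA-256, and blocklist verdict.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries whose file is gone
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State                      # 'Running' drivers are the ones loaded in kernel space
                Path        = $path
                SigStatus   = $sig.Status                   # stays 'Valid' even for a deprecated, vulnerable driver
                Signer      = $sig.SignerCertificate.Subject
                Sha256      = $hash
                Blocklisted = $BlockedDriverHashes.ContainsKey($hash)
                Reason      = $BlockedDriverHashes[$hash]
            }
        }
}

# Drivers that are both validly signed AND blocklisted are the interesting case.
$report = Get-DriverTrustReport
$report | Where-Object { $_.Blocklisted } |
    Format-Table Name, State, SigStatus, Signer, Reason -AutoSize
"Drivers inspected: $($report.Count); blocklisted: $(@($report | Where-Object Blocklisted).Count)"
```

      Running this without elevation is enough to read driver files and signatures; enforcing the verdict (blocking the load rather than reporting it) is a job for a WDAC or HVCI policy built from the same hashes.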

  • (Score: 4, Interesting) by SomeGuy on Wednesday February 12 2020, @03:54AM (9 children)

    by SomeGuy (5632) on Wednesday February 12 2020, @03:54AM (#957090)

    What you missed is that in a few more years it will be basically illegal to own anything "old" because security. In the meantime let's fuel the paranoia and get everyone to buy all new things with all new exploits.

    • (Score: 2) by takyon on Wednesday February 12 2020, @03:56AM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 12 2020, @03:56AM (#957092) Journal

      Let's get programmable hardware.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by sjames on Wednesday February 12 2020, @08:13AM (5 children)

      by sjames (2882) on Wednesday February 12 2020, @08:13AM (#957131) Journal

      I don't think you actually have to have the motherboard in question to be exploited.

      • (Score: 2) by kazzie on Wednesday February 12 2020, @11:07AM (4 children)

        by kazzie (5309) Subscriber Badge on Wednesday February 12 2020, @11:07AM (#957162)

        But you would, presumably, need the drivers to be installed? And why would you install drivers for somebody else's motherboard?

        • (Score: 1) by jurov on Wednesday February 12 2020, @12:18PM (1 child)

          by jurov (6250) on Wednesday February 12 2020, @12:18PM (#957168)

          Why would anyone install useless browser toolbars? Yet many did.

          • (Score: 2) by kazzie on Wednesday February 12 2020, @12:29PM

            by kazzie (5309) Subscriber Badge on Wednesday February 12 2020, @12:29PM (#957169)

            Granted, but if you're duping people into installing a toolbar, you can get them to install anything; it doesn't have to be some unsupported driver.

        • (Score: 3, Informative) by dwilson on Wednesday February 12 2020, @04:36PM

          by dwilson (2599) Subscriber Badge on Wednesday February 12 2020, @04:36PM (#957229) Journal

          You don't need it previously installed, and you don't need the hardware present.

          As I understood it, the flow goes something like this:

          Bad actor uses some sort of browser exploit (ideally with no privilege escalation or user input required. We see these pop up somewhat regularly, sadly) to download their NastyCode(tm) packaged in with this driver, in the background. User remains clueless.
          The download is executed on completion by the same or a separate exploit, again ideally with no privilege escalation or user input. Because the driver is 'Signed', standard safeguards don't raise any red flags and allow it to run, again silently. It gains admin rights as it installs without a hiccup, which the payload then uses to do... whatever it wants.

          --
          - D
        • (Score: 2) by sjames on Wednesday February 12 2020, @09:40PM

          by sjames (2882) on Wednesday February 12 2020, @09:40PM (#957412) Journal

          The bad guy does that. But since it's signed by all the right people it gets installed without question.

    • (Score: 2) by epitaxial on Wednesday February 12 2020, @01:15PM (1 child)

      by epitaxial (3165) on Wednesday February 12 2020, @01:15PM (#957172)

      *cough* bullshit *cough*

      • (Score: 3, Informative) by FatPhil on Wednesday February 12 2020, @01:43PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday February 12 2020, @01:43PM (#957180) Homepage

        There have been several thrusts in that direction historically (remember clipper?), it's not unfeasible that it will finally happen.

        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves