Windows 10 is vulnerable to a bypass of PatchGuard, the operating system's kernel protection. The bypass, dubbed GhostHook, makes the OS vulnerable to rootkits. Even though Windows 10's protection against rootkit attacks has been known to be quite effective thanks to PatchGuard and DeviceGuard, researchers at CyberArk established a way to bypass the guard via a relatively new feature in Intel processors known as Processor Trace (Intel PT).
What Is GhostHook: Technical Details
GhostHook is a post-exploitation attack. In order for the exploit to take place, the attacker should already be present on the targeted system, running code in the kernel.
As a matter of fact, Microsoft is not planning to patch the issue, as revealed by a statement the company provided to Threatpost. The reason for Microsoft's unwillingness to deal with it is that the technique requires the attacker to have already compromised the system. However, the company may address it in a future version of Windows.
According to CyberArk, a fix for GhostHook is most likely challenging for Microsoft. The quickest way to address it is through security vendors whose products are hooked into PatchGuard. That being said, Intel PT, released shortly after PatchGuard, allows vendors to monitor the streams of instructions executed by the CPU so that attacks are identified before they get close to the OS.
As explained by CyberArk’s Kobi Ben Naim:
We are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces. Many other security vendors rely on PatchGuard and on DeviceGuard in order to receive reliable information and analyze whether it’s benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information.
In addition, such an attack is most likely to be carried out by a nation-state actor known for targeted intrusions such as Flame and Shamoon, which relied on 64-bit malware. If GhostHook's exploit code makes it to the public and attackers employ it in ransomware campaigns, the results could be catastrophic, Ben Naim warned. The security expert also believes that Microsoft is making a huge mistake by delaying the fix for this serious issue.
We got an answer from Microsoft saying that because you are already an administrator on the machine, it’s already compromised. But in this case, it’s the wrong answer. All of those new security layers weren’t designed to combat administrators or code that runs with administrator rights. This is a problematic answer.
CyberArk researchers think that the flaw resides in Microsoft's implementation of Intel PT, at the point where Intel PT communicates with the OS. The Intel feature is in fact exposed as an API through which kernel code can request and read trace information from the CPU. The issue lies in the way Microsoft implemented that API, the researcher explained. This issue not only enabled CyberArk to read information but also to insert their code into a protected location in the kernel.
If an attacker interacts at that layer, he could run code quietly without being detected.
Kaspersky Lab Thinks the Issue Is Not That Serious
Kaspersky Lab also commented on the issue:
Kaspersky Lab is aware of the hooking technique described by CyberArk researchers, which allows using an Intel processor feature to circumvent Windows' security. As conducting such an attack would require that a hacker is already running code in the kernel, this hooking technique doesn't significantly extend the attack surface.
On the contrary, CyberArk believes that this type of attack is most likely employed by nation-state hackers, making it quite critical.