Home > Cyber News > GhostHook Exploit Bypasses Windows 10 PatchGuard
CYBER NEWS

GhostHook Exploit Bypasses Windows 10 PatchGuard

Windows 10 is vulnerable to a bypass of PatchGuard kernel protection in the operating system. The bypass, dubbed GhostHook, makes the OS vulnerable to rootkits. Even though Windows 10’s protection against rootkit attacks has been known to be quite efficient thanks to PatchGuard and DeviceGuard, researchers at CyberArk established a way to bypass the guard via a new feature in Intel processors known as Processor Trace (Intel PT).

What Is GhostHook: Technical Details

GhostHook is a post-exploitation attack. In order for the exploit to take place, the attacker should already be present on the targeted system, running code in the kernel.

As a matter of fact, Microsoft is not planning to patch the issue, as revealed by a statement the company provided to Threatpost. The reason for Microsoft’s unwillingness to deal with it is because it needs the attacker to have already compromised the system. However, they may deal with it in a future version of Windows.

Related: Hot Potato Exploit Endangers Recent Windows Versions

According to CyberArk, GhostHook’s fix is most likely challenging for Microsoft. The quickest way to address it is through security vendors whose products are hooked into PatchGuard. That being said, Intel PT, released shortly after PatchGuard, allows vendors to monitor stacks of commands executed in the CPU so that attacks are identified before they get close to the OS.

As explained by CyberArk’s Kobi Ben Naim:

We are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces. Many other security vendors rely on PatchGuard and on DeviceGuard in order to receive reliable information and analyze whether it’s benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information.

In addition, such an attack is most likely to be carried out by a nation-state actor known for targeted intrusions such as Flame and Shamoon, based on 64-bit malware. If GhostHook’s exploit code makes it to the public and attackers employ it in ransomware campaigns, the results could be catastrophic, Naim warned. The security expert also believes that Microsoft is making a huge mistake, delaying the fix for this serious issue.

We got an answer from Microsoft saying that because you are already an administrator on the machine, it’s already compromised. But in this case, it’s the wrong answer. All of those new security layers weren’t designed to combat administrators or code that runs with administrator rights. This is a problematic answer.

CyberArk researchers think that the flaw resides in Microsft’s implementation of Intel PT, at the point where Intel PT communicates with the OS. The Intel feature is in fact an API that the kernel code can ask to receive and read information from the CPU. The issue is found in the way Microsoft implemented the API, the researcher explained. This issue not only enabled CyberArk to read information but also to enter their code into a secure location in the kernel.

Related: Eugene Kaspersky vs. Windows Defender: the Antivirus War of 2017

If an attacker interacts at that layer, he could run code quietly without being detected.

Kaspersky Lab Thinks the Issue Is Not That Serious

Kaspersky Lab also commented on the issue:

Kaspersky Lab is aware of the hooking technique described by CyberArk researchers, that allows using Intel processor’s feature to circumvent Windows’ security. As conducting such an attack would require that a hacker is already running code in the kernel, this hooking technique doesn’t significantly extend an attack surface.

On the contrary, CyberArk believes that this type of attack is most likely employed by nation-state hackers, making it quite critical.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Stay tuned
Subscribe for our newsletter regarding the latest cybersecurity and tech-related news.