GhostHook Attack Bypasses Window 10 Patchguard
Security experts have recently discovered a method of bypassing Windows 10 PatchGuard protections and deploying malicious code into the Windows kernel, allowing attackers to plant rootkits on systems previously thought to be impregnable.
More than 400 million devices worldwide currently run on Windows 10. GhostHook is the first attack technique identified that will bypass PatchGuard – giving attackers the ability to take full control over 64-bit systems at the kernel level. Researchers at CyberArk, however, found a way around PatchGuard through a relatively new feature in Intel processors called Processor Trace (Intel PT).
GhostHook, which is the name of this bypass, is a post-exploitation attack and requires an attacker already be present on a compromised machine and running code in the kernel. As a result, Microsoft said it will not patch the issue, but may address it in a future version of Windows, CyberArk reports.
“This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,” a Microsoft representative claimed in a statement provided to Threatpost.
Attackers can now easily bury a rootkit in the kernel – completely undetectable to security solutions and invisible to MSFT’s PatchGuard itself. This attack technique could also lead to the proliferation of more sophisticated, 64-bit malware – typically used in APT campaigns by nation states.
Of note, 64-bit malware currently makes up less than 1% of the current threat landscape. 64-bit malware includes Shamoon, the disk-wiping malware used on Saudi Aramco, and Flame. Both examples are country-grade espionage malware.
Please read the original post by Cyberark for the full technical details and Microsoft’s response to the reported vulnerability.