Zero Trust Applies to Everything, Including “Trusted” Certificates

RevBits
4 min read · Jul 26, 2021


The security landscape is rapidly evolving as bad actors find new and innovative ways to gain access through a wide array of vulnerable attack vectors. This underscores the need for all organizations to secure their technology trust mechanisms, including the security certificates for software drivers that bad actors now target.

The most recent example of how hackers abuse signed security certificates involved hackers who tricked Microsoft into signing their third-party Netfilter driver, which was loaded with rootkit malware. This was a serious error that put Microsoft in a terrible situation, because all third-party drivers and code running in the Windows kernel must be tested and digitally signed by Microsoft. Having a signed root security certificate is a requirement for all third-party drivers, to ensure the security and reliability of the Windows OS, its kernel, and its various functions with hardware devices.

The kernel is the foundational layer of an operating system and runs at the highest level of privilege within a computer. As the program at the core of the operating system, it has complete control over everything in the system and mediates the interactions between software and hardware components. Kernel functions include process, memory and device management, interrupt handling, and input/output communication. It operates at a basic level, communicating with hardware and managing resources such as RAM and CPU.

We can no longer place blind confidence in the CA chain of trust

It is common practice for digital certificates to be issued by one Certificate Authority (CA) and then used to sign the public key of the root certificate from another CA. These cross-certificates create a chain of trust from one root CA to multiple other CAs. A cross-signature offers assurance that a third-party driver is the work of a verified, known entity. In the Microsoft case, the threat actor submitted the third-party driver for certification through the Windows Hardware Compatibility Program. The Windows Hardware Quality Labs, or WHQL, signed the driver with a certificate whose private key Microsoft holds. In this case, Microsoft is the only CA that can sign the certificate.

The Microsoft certificate authenticates TLS-encrypted traffic going to third-party servers to ensure they are legitimate. After Microsoft endorsed the malicious Netfilter driver, its rootkit decrypted the secure communications and redirected gaming users to hacker-controlled command-and-control, or C2, servers located in China. This Microsoft oversight enabled rootkit-concealed malware to be installed on users' computers without their knowledge.

Microsoft stated that the techniques employed in the attack occurred post-exploitation. This means the hacker had previously gained administrative privileges in order to install the driver during system startup, or had somehow deceived an administrator with privileged access into doing it. This is significant and highlights the importance of having privileged access management, or PAM, capabilities to ensure a strong security posture.

Acknowledging the necessity of a zero trust model

A zero trust architecture encompasses encryption, computing, networking, applications, users, and devices. The zero trust concept trusts nothing by default, whether inside or outside an organization's perimeter. Rather, everything that attempts to connect to its systems must be verified before access is granted. This strategy must also apply to digital certificates, both signed and unsigned.

All this is to say, protecting an enterprise's digital assets requires layered security and a zero trust model for everything. In this case, it would require at least endpoint security with robust anti-rootkit capabilities, and it also reiterates the need for identity solutions with privileged account management, or PAM. A robust zero trust model will not trust anything, including people, devices, applications, and security certificates. This is where RevBits Cyber Intelligence Platform (CIP) and its suite of integrated security products plays a unique key role in enabling a zero trust architecture.

Microsoft Windows 10, and all newer versions, require Microsoft to counter-sign driver certificates. Unfortunately, this can obscure the trust question for a driver with a signed certificate, because most endpoint security products automatically trust an application or device whose driver is counter-signed by Microsoft and another CA. This is a serious problem that creates tremendous risk, as we saw from the malicious Netfilter driver counter-signed by Microsoft. However, with RevBits endpoint security, regardless of who signs a driver certificate, RevBits will detect, block, and remove rootkit malware.
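As an added illustration of the point above (not RevBits code or any product's logic), the small policy below treats a valid signature, even one with a Microsoft WHQL countersignature, as a necessary gate rather than a grant of trust: an unlisted publisher lands in review, a denylisted hash or broken signature is blocked, and a driver installed outside the managed deployment account is flagged. The publisher allow-list, hash denylist, installer accounts and driver records are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DriverRecord:
    """What an endpoint agent can learn about a kernel driver before it loads."""
    name: str
    sha256: str               # hash of the .sys file
    signature_valid: bool     # Authenticode signature and chain verify
    whql_countersigned: bool  # carries the Microsoft WHQL countersignature
    publisher: str            # subject of the original third-party signer
    installed_by: str         # account that registered the driver service

# Policy inputs: constructed placeholders for this example, not real values.
PUBLISHER_ALLOWLIST = {"Microsoft Windows", "Example Hardware Vendor Inc."}
HASH_DENYLIST = {"constructed-sha256-of-a-known-bad-driver"}
MANAGED_INSTALLERS = {"NT AUTHORITY\\SYSTEM", "CORP\\pam-driver-deploy"}

def evaluate(drv: DriverRecord) -> tuple[str, str]:
    """Return (verdict, reason). A valid signature is a gate, never a grant of trust."""
    if not drv.signature_valid:
        return "block", "signature does not verify"
    if drv.sha256 in HASH_DENYLIST:
        return "block", "file hash is on the denylist"
    if drv.publisher not in PUBLISHER_ALLOWLIST:
        # The Netfilter case: the chain roots to Microsoft, yet the publisher is unknown.
        basis = "WHQL countersignature" if drv.whql_countersigned else "third-party signature"
        return "review", f"{basis} from unlisted publisher {drv.publisher!r}"
    if drv.installed_by not in MANAGED_INSTALLERS:
        return "review", f"installed by {drv.installed_by!r}, outside the managed deployment path"
    return "allow", "allow-listed publisher, installed through the managed path"

# Constructed sample inventory (names, hashes and accounts are not real).
SAMPLE_DRIVERS = [
    DriverRecord("ms_inbox.sys", "aaa", True, True, "Microsoft Windows", "NT AUTHORITY\\SYSTEM"),
    DriverRecord("vendor_nic.sys", "bbb", True, True, "Example Hardware Vendor Inc.", "CORP\\jdoe"),
    DriverRecord("netfilter_like.sys", "ccc", True, True, "Unlisted Network Tools Co.", "NT AUTHORITY\\SYSTEM"),
    DriverRecord("unsigned.sys", "ddd", False, False, "", "CORP\\jdoe"),
    DriverRecord("known_bad.sys", "constructed-sha256-of-a-known-bad-driver", True, True, "Microsoft Windows", "NT AUTHORITY\\SYSTEM"),
]

def triage(drivers=SAMPLE_DRIVERS) -> dict[str, str]:
    """Map each driver name to its verdict; reasons are printed for the analyst."""
    verdicts = {}
    for d in drivers:
        verdict, reason = evaluate(d)
        verdicts[d.name] = verdict
        print(f"{verdict:6} {d.name:20} {reason}")
    return verdicts

if __name__ == "__main__":
    triage()
```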

RevBits is unique among security vendors, providing a unified security platform that simplifies management, secures enterprise digital assets, and enables rapid responses. RevBits CIP delivers a broad suite of endpoint detection and response (EDR), identity and privileged access management (PAM), email security, deception technology, and zero trust networking (ZTN) for on-premises, cloud, and hybrid environments.

Click here to learn more about RevBits patented anti-rootkit technology for protecting business-critical computer systems.

Click here for a demo on how RevBits helps detect threats early, and remediate them quickly.

Originally published at https://www.revbits.com on July 26, 2021.
