Presented at DEF CON 32 (2024), Aug. 11, 2024, noon (45 minutes).
This article reassesses the complex cyberattack tactics used by the Stuxnet worm, focusing on existing security measures and emerging weaknesses. We begin by examining Stuxnet's initial deployment methods, which lets us investigate contemporary attacks, including those that target emulated read-only filesystems and NTFS vulnerabilities. Since the improvements made to the Windows security architecture in 2011, which include Device Guard Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI), the nature of cyber threats has changed, requiring new ways to carry out attacks.
Our research presents a new method that takes advantage of previously unreported weaknesses in emulated filesystems, allowing attackers to covertly install and maintain harmful programs in a way similar to Stuxnet's activities. In addition, we uncover new NTFS vulnerabilities that enable attackers to conceal their presence and sustain persistence within victim systems. The study also introduces new techniques to identify susceptible drivers and investigates alternate methods for delivering and executing malware, similar to the strategies employed by Stuxnet. Finally, we create novel Indicators of Compromise (IOCs) to identify and detect these advanced tactics.
The main techniques presented in this talk are based on joint research with Jonas Lyk. A few references were used to explain the more general concept of BYOVD (Bring Your Own Vulnerable Driver). Other references can be found in the draft whitepaper.
1. [Rapid7: Driver-Based Attacks: Past and Present](https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/)
2. [MSRC: Investigating and Mitigating Malicious Drivers](https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/)
3. [WeLiveSecurity: Signed kernel drivers, unguarded gateway to Windows' core](https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/)
4. [Jacob Baines, DEF CON 29: Bring Your Own Print Driver Vulnerability](https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Jacob%20Baines%20-%20Bring%20Your%20Own%20Print%20Driver%20Vulnerability.pdf)
5. [ESET vulnerability disclosures (GitHub)](https://github.com/eset/vulnerability-disclosures)
6. [BleepingComputer: GitHub comments abused to push malware via Microsoft repo URLs](https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/)
Presenters:
- Alessandro Magnosi, Security Testing Team at BSI
I am a Managing Consultant with more than 10 years of experience in the IT field. Currently, I am part of the Security Testing Team at BSI, which is the UK national standards body and a global certification, training and cybersecurity firm. On top of my normal work, I work as an independent researcher for Synack RT and Cobalt, and as an independent OSS developer in my spare time.