sb-nz logo
Story image

New GhostHook attack technique outsmarts Microsoft PatchGuard

26 Jun 2017

A new attack technique called GhostHook may be the first malware ever to completely bypass Microsoft's PatchGuard, enabling it to gain rootkit on 64-bit Windows 10 devices.

CyberArk Labs researchers made the proof-of-concept last week, saying that GhostHook could be a major threat. Microsoft PatchGuard was designed to make Windows 10 more secure by preventing attackers from hooking a rootkit at the kernel level.

According to CyberArk Labs blog, hooking techniques gives attackers control over how software or an operating system behaves.

Researchers say that this kind of control is not part of an initial attack or elevation technique; rather it is something that can be used once attackers have control over the device. Essentially, it's a stealth mechanism.

While hooking is used for legitimate purposes such as programming, debugging and system utilities, it can also be exploited for malicious use.

Attackers are now able to easily bury a rootkit in the kernel - an area where security solutions such as antivirus, firewalls, endpoint products and PatchGuard itself can't detect the malware.

This kind of potential attack could pave the way for sophisticated 64-bit malware such as Shamoon. Attackers will be able to make network attacks longer for reconnaissance and conduct more devastating attacks, researchers warn.

However researchers contacted Microsoft about the vulnerability - only to be shrugged off. The blog details Microsoft's response, which said that the attacker must already be running kernel code on a system.

Because of that, it doesn't meet requirements for a security update - but it may be fixed in future Windows operating systems.

"Microsoft does not seem to realize that PatchGuard is a kernel component that should not be bypassed, since PatchGuard blocks rootkits from activities such as SSDT hooking, not from executing code in kernel-mode," researchers counter.

Story image
Cyberattacks on healthcare organisations "out of control" - Check Point
There has been a 45% increase in cyberattacks on healthcare organisations worldwide in the last two months, making healthcare the most targeted industry by cyber criminals.More
Story image
The current state of ransomware — and its future
Discoveries made by analysts at Sophos have unearthed a new development: ransomware code appears to have been shared across ‘families’, and some of the ransomware groups seemed to work in collaboration more than in competition with one another. More
Story image
Online gaming a 'hotbed' for DDoS attacks — report
The latency and availability issues present in online gaming, in particular, presented an attractive target to attackers, in addition to the enduring popularity of gaming in the era of COVID-19.More
Story image
Cybercriminals leverage AI to sustain attacks on enterprises
What is less discussed is how cybercriminals are taking advantage of those very same technologies to automate their attacks, too.More
Story image
Microsoft top targeted brand by cyber criminals in Q4 2020
In Q4, 43% of all brand phishing attempts related to Microsoft (up from 19% in Q3), as threat actors continued to try to capitalise on people working remotely during the COVID-19 pandemic’s second wave. More
Story image
BackupAssist partners with Wasabi for greater cyber-resilience
This partnership provides customers with an up to 80% less expensive solution that is faster than the competition for achieving enterprise-grade cyber-resilience, the company states. More