Aon's Stroz Friedberg Incident Response Services ("Stroz Friedberg") has observed ransomware actors utilizing an Endpoint Detection and Response (“EDR”) solution bypass technique dubbed “Retrosigned Driver EDR Bypass” to terminate EDR and to limit visibility of EDR telemetry. This technique involves loading a malicious driver signed with an out-of-date code signing certificate and then manipulating the system time on the target system during the loading process. Once loaded, the driver is utilized to terminate running processes.
Drivers are essential pieces of software that allow the operating system to communicate with hardware devices. They serve as a bridge between the system and the hardware, ensuring that peripheral devices like printers, graphics cards, and network adapters function correctly. Given their critical role, drivers operate with high privileges within the system, making them a prime target for malicious exploitation.
To mitigate the risks associated with driver installation, Microsoft Windows enforces a driver signing process. Driver signing involves the use of cryptographic certificates issued by trusted authorities to verify that the driver code has not been tampered with and originates from a legitimate source. This process ensures that only authorized drivers can be installed, adding a layer of security. However, when attackers find ways to bypass these protections, it opens the door for malicious drivers to be loaded, posing significant threats to system integrity.
Due to the privileged nature of kernel drivers and their potential for abuse, starting in Windows Vista, Microsoft implemented restrictions that required drivers to be signed by trusted software developers, preventing the loading of unsigned drivers. This required developers to obtain code signing certificates from a certificate authority to cryptographically attest that they were the authors of the driver being loaded. Beginning in Windows 10, version 1607, Microsoft tightened these requirements to only allow drivers signed by Microsoft to be loaded. However, to ensure backwards compatibility, Microsoft still allowed kernel mode drivers to be loaded under certain circumstances, including if the driver was signed with “an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.” [1]
These restrictions, combined with the increasing deployment of EDR across the industry, led threat actors to explore an alternate class of attack termed “Bring Your Own Vulnerable Driver” or “BYOVD”, in which a threat actor uses a vulnerability in a legitimately signed driver to gain kernel level access. This access can then be used to terminate processes, including EDR agents. Stroz Friedberg has previously written about this technique here. Microsoft addressed this technique through the creation of the vulnerable driver blocklist, which prevents known vulnerable drivers from being loaded.
Cisco Talos previously documented a technique in which threat actors forged certificate validity dates in order to make expired cross-signing code certificates appear valid during the signing process. The Retrosigned Driver technique Stroz Friedberg observed employs a distinct methodology and relies on manipulating the certificate validity time checks on targeted systems, as opposed to manipulating the signing process. However, both techniques rely on the same architectural decision in Windows to trust cross-signed code from third party certificates issued prior to 2015, and both result in similar impact.
The Retrosigned Driver technique extends these earlier techniques by altering the system clock on the target system to load malicious kernel drivers that were signed by historically compromised, expired cross-signing certificates. The following Retrosigned Driver attack pattern was observed by Stroz Friedberg:
Stroz Friedberg analyzed the recovered sample and confirmed that it was able to successfully load the driver and kill the targeted EDR, but only when the system time was changed to a point within the validity period of the driver's signing certificate. Stroz Friedberg observed similar samples across several engagements involving threat actors which deployed the Medusa and Abysslocker ransomware variants.
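As an added detection example (not code from the Stroz Friedberg post), the following Python correlates a backward system clock change with a subsequent kernel driver load whose signing certificate had already expired at the clock's previous value and was issued before the July 29, 2015 cross-signing cutoff. The record fields and sample events are constructed assumptions; in practice they would be populated from Windows Security event 4616 (system time changed), Sysmon event 6 (driver loaded) and the validity dates of the driver's Authenticode certificate.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)             # assumed: load within 10 min of the clock change
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29)  # end-entity certificate issue-date cutoff quoted above

# Constructed sample records (not real telemetry). 'record_id' preserves log order,
# because event timestamps run backwards once the clock has been turned back.
SAMPLE_EVENTS = [
    {"record_id": 100, "kind": "time_change", "previous_time": "2024-09-10T14:00:00",
     "new_time": "2014-03-01T10:00:00"},                       # clock turned back a decade
    {"record_id": 101, "kind": "driver_load", "image": r"C:\Windows\Temp\drv_sample.sys",
     "load_time": "2014-03-01T10:00:30", "not_before": "2013-05-01T00:00:00",
     "not_after": "2014-06-01T00:00:00"},                       # cert expired in 2014
    {"record_id": 102, "kind": "time_change", "previous_time": "2014-03-01T10:01:00",
     "new_time": "2024-09-10T14:02:00"},                       # clock restored
    {"record_id": 103, "kind": "time_change", "previous_time": "2024-09-10T14:02:00",
     "new_time": "2024-09-10T14:02:03"},                       # NTP-style forward nudge
    {"record_id": 104, "kind": "driver_load", "image": r"C:\Windows\System32\drivers\ok.sys",
     "load_time": "2024-09-10T14:05:00", "not_before": "2022-01-01T00:00:00",
     "not_after": "2025-01-01T00:00:00"},                       # currently valid cert
]

def _ts(value):
    return datetime.fromisoformat(value)

def find_retrosigned_loads(events, window=WINDOW):
    """Flag driver loads where the clock was turned back to a point inside the signing
    certificate's validity period, the certificate had already expired at the clock's
    previous (true) value, and the certificate predates the 2015 cross-signing cutoff."""
    findings = []
    changes = [e for e in events if e["kind"] == "time_change"]
    for load in (e for e in events if e["kind"] == "driver_load"):
        nb, na, lt = _ts(load["not_before"]), _ts(load["not_after"]), _ts(load["load_time"])
        for ch in changes:
            prev, new = _ts(ch["previous_time"]), _ts(ch["new_time"])
            if ch["record_id"] > load["record_id"] or new >= prev:
                continue  # only clock changes logged before the load, and only backward ones
            if not (new <= lt <= new + window):
                continue  # load did not occur shortly after the altered clock value
            if na < prev and nb <= lt <= na and nb < CROSS_SIGN_CUTOFF:
                findings.append({"image": load["image"], "true_time_approx": prev.isoformat(),
                                 "altered_time": lt.isoformat(), "cert_expired": na.isoformat()})
    return findings

if __name__ == "__main__":
    for finding in find_retrosigned_loads(SAMPLE_EVENTS):
        print("retrosigned driver candidate:", finding)
```

The benign forward adjustment and the load of a currently valid driver are not flagged; only the load that follows the backward clock change and falls inside an already-expired certificate's window is reported.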
The recovered samples had code overlaps with previously known malware samples tracked as POORTRY and STONESTOP. When these malware families were previously identified, they were signed using a Microsoft Hardware Compatibility Program certificate as opposed to an out-of-date signing certificate.
Stroz Friedberg reported their findings to the targeted EDR vendor and provided Microsoft the malicious drivers and associated certificates, along with a description of the technique. Stroz Friedberg held publication of this post for a 60-day period after the disclosure.
If you suspect you are compromised or need assistance in assessing compromise, please call our Incident Response hotline. If you are from a Law Enforcement Agency or Endpoint Detection and Response vendor and wish for more details, please contact Aon Cyber Solutions.
About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document. While care has been taken in the preparation of this material and some of the information contained within it has been obtained from sources that Stroz Friedberg believes to be reliable (including third-party sources), Stroz Friedberg does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article and accepts no liability for any loss incurred in any way whatsoever by any person or organization who may rely upon it. It is for informational purposes only. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Further, this article has been compiled using information available to us up to 9/13/2024.