What is GhostHook? New technique allows hackers to bypass Windows 10 PatchGuard
GhostHook allows hackers to plant rootkits onto systems previously thought to be impenetrable.
A new attack technique identified by security experts allows hackers to bypass Windows 10 PatchGuard kernel protections and install rootkits onto systems previously thought to be impenetrable.
Dubbed GhostHook, the new technique is "post-exploitation" attack, and requires hackers to already have control over a compromised system. However, GhostHook also works on Windows 10.
Windows PatchGuard is a security feature for 64-bit systems that prevents attackers from patching Windows kernel with third-party codes. It was introduced in 2005 with XP and has since thwarted most rootkits from effectively working on 64-bit Windows systems.
Security experts at CyberArk, who discovered GhostHook said that the new technique can provide hackers with "the ability to hook almost any piece of code running on the machine."
According to CyberArk researchers, the attack only works on systems running Intel Processor Trace (PT), which is a feature of Intel CPUs that has been designed to provide support in debugging operations and hunting malicious code.
Microsoft is not going to patch GhostHook
CyberArk said that it reached out to Microsoft about GhostHook but the tech giant responded by saying since the technique involved attackers present on an already compromised system, it would not treat it as a security flaw.
"This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," a Microsoft representative told Threatpost.
While CyberArk acknowledged that this may a tricky case and it would be difficult for Microsoft to issue a fix, the vulnerability still needs to be addressed.
"We got an answer from Microsoft saying that because you are already an administrator on the machine, it's already compromised. But in this case, it's the wrong answer," CyberArk senior director of cyber research Kobi Ben Naim said. "All of those new security layers weren't designed to combat administrators or code that runs with administrator rights. This is a problematic answer [from Microsoft]."
GhostHook essentially nullifies Microsoft's own as well as other security vendors' features, which would allow hackers to conduct attacks potentially undetected.
"We are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces Naim said. "Many other security vendors rely on PatchGuard and on DeviceGuard in order to receive reliable information and analyze whether it's benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information."
State-sponsored hackers may already be using GhostHook
Although CyberArk has not yet observed an attack leveraging GhostHook in the wild, Niam reportedly believes that hackers could already be using it.
According to Niam, analysis of malware variants such as Shamoon or Flame indicate that it may not be too long before state-sponsored hackers begun conducting attacks against such vulnerabilities.
"We think attackers are already using it in country- or military-grade malware," Naim said. "The real impact is if an attacker uses it, they can go uncovered for many months before someone will notice something is wrong. If we can take this capability and add it to ransomware, it would be pretty catastrophic. No player will be able to stop them once they are executing code behind PatchGuard. Today ransomware works in user mode because of PatchGuard. If they were able to execute this code behind PatchGuard, it will be a catastrophic effect."
© Copyright IBTimes 2024. All rights reserved.