A newly discovered advanced attack technique, named Ghosthook, has been generating headlines since CyberArk researchers discovered it last week. Unlike the recent WannaCry attack, the hype in this case is more due to Ghosthook’s unique functionality, rather than its potential to cause immediate harm.
Before we begin unpacking some of these unusual characteristics, it should be noted this is a ‘post-exploitation’ technique. This means an attacker must already have complete control over the victim machine in order to use it. Theoretically, the technique could be used to establish a rootkit on a device running the latest 64-bit version of Windows – something which has been rarely seen since the introduction of PatchGuard to the OS in 2005.
Researchers also note that given the vulnerability’s complexity, nation-state or state-sponsored groups are the only attackers they expect to exploit (or be exploiting) it.
That said, if exploit code were to somehow become public, researchers have warned the results could be ‘catastrophic’.
With the prophecies of doom out of the way, let’s take a look at what makes Ghosthook so interesting.
Bypassing the Impregnable PatchGuard
In the cyber security world, it is taken for granted that 64-bit Operating Systems are rarely attacked.
There are two main reasons for this: 32-bit systems are much more vulnerable, and 64-bit systems feature Kernel Patch Protection (aka PatchGuard). I won’t go into this too much, but PatchGuard basically makes it near-impossible to modify the kernel and make unsupported changes to the OS.
You can technically patch the kernel in a 32-bit machine, but you probably shouldn’t.
Ghosthook bypasses this ever-vigilant PatchGuard, allowing an attacker to execute code in the kernel of a 64-bit system. Because many security vendors rely on that protection to identify malicious activity, an attacker who can execute code in the kernel can move through a network without a trace.
Why now? APIs, that’s why.
Researchers have said this vulnerability exists because of a newly introduced API named Intel Processor Trace (Intel PT). Intel PT can trace any software (including hypervisors) the CPU runs and is generally used for performance monitoring, diagnostics and malware analysis.
Due to a weakness in the API’s implementation, this vulnerability exists at the point where Intel PT ‘talks’ to the OS, allowing attackers to intercede and execute code in the kernel.
Even so, it is important to remember that PatchGuard continues to be an extremely reliable tool for anyone running a 64-bit machine.
Upon successful exploitation, an attacker gains the local admin rights needed to maintain persistence, install further rootkits at kernel level, and ultimately take full control of the network.
Once established, the attacker can then perform any task they wish. Common malicious tasks we see executed when a machine (or network) has been completely compromised include network traffic interception, the installation of additional malware, and remote code execution.
This latest vulnerability shows us that the ‘fortresses’ many believe they have built around their organisations are a myth. In cyber security, nothing is sacred or impenetrable. Attackers always remain a step ahead, evolving in response to defensive technologies and revisiting systems that were previously secure.
In this environment, complacency is criminal. While no defence can be perfect, there are some basic ‘cyber-hygiene’ steps you can take to avoid having to call ‘Ghostbusters’:
- Avoid using SHIFT+F10 as it disables BitLocker
- Don’t click on email attachments from unknown/untrusted sources
- Check for fake/tampered email domains before opening attachments
- Keep software and OS patched with the latest updates
- Don’t install unwanted plug-ins/add-ons
- Run all software under minimal user rights
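As an added example (not part of the original article), the following read-only PowerShell script turns three of the points above into a quick self-check on a Windows host: whether every fixed volume still has BitLocker protection on, how long ago the last hotfix was installed, and whether the current session is running with administrative rights. The cmdlets used are standard on Windows 10 and Server 2016 or later; the 30-day patch window is an assumed threshold, not a figure from the article.

```powershell
# Added example, not from the original article: a read-only hygiene check
# for a Windows host. Assumptions: the BitLocker module is present, and a
# 30-day patch window is an acceptable policy threshold for this host.

$report = [ordered]@{}

# 1. BitLocker: every fixed volume should report ProtectionStatus = On.
try {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
    $unprotected = $volumes | Where-Object { $_.ProtectionStatus -ne 'On' }
    $report['BitLockerUnprotectedVolumes'] =
        ($unprotected | ForEach-Object { $_.MountPoint }) -join ', '
} catch {
    $report['BitLockerUnprotectedVolumes'] = 'BitLocker module not available'
}

# 2. Patch currency: date of the newest installed hotfix versus the assumed window.
#    Some Get-HotFix entries have no InstalledOn value, so those are filtered out.
$maxAgeDays = 30
$latestFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latestFix) {
    $age = (Get-Date) - $latestFix.InstalledOn
    $report['DaysSinceLastHotfix'] = [int]$age.TotalDays
    $report['PatchWindowExceeded']  = $age.TotalDays -gt $maxAgeDays
} else {
    $report['DaysSinceLastHotfix'] = 'unknown'
    $report['PatchWindowExceeded']  = $true
}

# 3. Least privilege: is this interactive session running elevated?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$report['SessionIsElevated'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]$report | Format-List
```

Run it from an ordinary (non-elevated) PowerShell prompt; a SessionIsElevated value of True in a day-to-day session is itself a finding against the last point in the list.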