Kernel level anticheat software opens up a new attack vector for malicious actors
This is one of my favorite techniques used by threat actors.
Essentially, for those of you who aren’t familiar with the BYOVD technique, code is signed by companies when it is set to publish. This signature is proof that the company actually released the code, and generally, if the code is signed by someone you trust, it means that it doesn’t contain malware.
However, programmers are often bad about writing secure code. Security is hard, and kernel-level code is complex, so things slip through the cracks and the code becomes vulnerable to exploitation from the threat actor.
The fun part is when there is signed code that operates at the kernel level. To an OS and many security systems, signed code is good code. If a threat actor exploits signed code to arbitrarily do things like download and execute malware, or just behave maliciously, security software often throws up its hands and goes “Well, it is signed by a trusted company, it’s probably fine lol.” But because this code operates at such a privileged level, the amount of damage that can be done is devastating.
This was used in 2022 by threat actors to spread ransomware. The vulnerable kernel-level software they used was Genshin Impact’s anticheat.
Thankfully, crafting an exploit like this is pretty difficult to do, and since the signatures used for the code are revoked when malicious activity is seen, it is unlikely that you will see this specific technique used against you on your personal computer. But your IT and/or cybersecurity team might see the Helldivers anticheat used to ransom their systems sometime in the future.
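The gap the post describes is that a signature check alone passes a vulnerable driver. The defender-side counterpart is to check loaded drivers against a known-vulnerable-driver blocklist regardless of signature status. The script below is an added example for this thread (not code from the original poster or from any game studio): it reads records shaped like Sysmon Event ID 6 (DriverLoad), flattened to one line each, and flags loads that are either not validly signed or validly signed but on the blocklist. The blocklist hashes, file paths and signer names are constructed placeholders; a real deployment would load the Microsoft vulnerable driver blocklist or the LOLDrivers feed instead.

```python
"""Flag driver loads that pass signature checks but match a vulnerable-driver blocklist.

Added example for this thread, not code from the original post. Field names
follow Sysmon Event ID 6 (DriverLoad); every hash, path and signer below is a
constructed placeholder, not a real indicator.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed placeholder blocklist of SHA256 digests (NOT real driver hashes).
KNOWN_VULNERABLE_SHA256 = {
    "0" * 63 + "1",
    "0" * 63 + "2",
}


def _event(path: str, sha256: str, signed: bool, signer: str, status: str) -> str:
    """Build one flattened 'key=value|key=value' record with Sysmon DriverLoad field names.

    Real Sysmon output also carries SHA1/MD5/IMPHASH in the Hashes field; SHA256
    alone is enough for this example.
    """
    return (f"ImageLoaded={path}|Hashes=SHA256={sha256}"
            f"|Signed={'true' if signed else 'false'}"
            f"|Signature={signer}|SignatureStatus={status}")


# Constructed sample records: a normal signed driver, a validly signed driver whose
# hash is on the blocklist (the BYOVD case), and an unsigned driver from a temp path.
SAMPLE_EVENTS = [
    _event("C:\\Windows\\System32\\drivers\\ntfs.sys", "A" * 64, True,
           "Microsoft Windows", "Valid"),
    _event("C:\\Users\\Public\\vulnerable_example.sys", "0" * 63 + "1", True,
           "Example Game Studio", "Valid"),
    _event("C:\\Windows\\Temp\\unsigned_example.sys", "B" * 64, False,
           "-", "Unsigned"),
]


@dataclass
class Finding:
    image: str
    signer: str
    reason: str  # "blocklisted" or "signature_not_valid"


def parse_event(line: str) -> dict[str, str]:
    """Split one flattened record into a field dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def sha256_from_hashes(hashes: str) -> str | None:
    """Pull SHA256 out of Sysmon's 'ALG=hex,ALG=hex' Hashes field, lowercased."""
    for item in hashes.split(","):
        alg, _, digest = item.partition("=")
        if alg.upper() == "SHA256":
            return digest.lower()
    return None


def classify(event: dict[str, str], blocklist: set[str]) -> Finding | None:
    """Return a Finding for a risky driver load, or None if nothing stands out."""
    image = event.get("ImageLoaded", "?")
    signer = event.get("Signature", "-")
    digest = sha256_from_hashes(event.get("Hashes", ""))
    # Check the blocklist first: a valid signature is exactly what a
    # vulnerable-driver load looks like, so it must not short-circuit the check.
    if digest is not None and digest in blocklist:
        return Finding(image, signer, "blocklisted")
    if event.get("SignatureStatus") != "Valid":
        return Finding(image, signer, "signature_not_valid")
    return None


def scan(lines: list[str], blocklist: set[str] = KNOWN_VULNERABLE_SHA256) -> list[Finding]:
    """Run classify() over flattened DriverLoad records and collect the findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line), blocklist)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.image} (signer: {f.signer})")
```

Run as-is it reports the blocklisted driver and the unsigned one and stays silent on ntfs.sys. The ordering inside `classify` is the design point: the blocklist lookup runs before the signature test, so a driver with a perfectly valid signature still gets flagged when its hash is known-vulnerable.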