Monday, July 24, 2017

GhostHook Attacks For Windows 10

Security experts have discovered a method of bypassing Windows PatchGuard protections and hooking malicious code into the Windows kernel, which allows an attacker to plant rootkits on systems previously thought to be impregnable.
PatchGuard, known under its official name of Kernel Patch Protection (KPP), is a security feature for Windows 64-bit editions that prevents third-party code from patching the Windows kernel with additional routines.
Microsoft introduced PatchGuard in 2005, starting with Windows XP, and the feature has prevented most rootkits from working on 64-bit editions.

GhostHook attack leverages Intel PT feature

Today, security researchers from CyberArk published research on a new technique named GhostHook that successfully bypasses PatchGuard using a feature of Intel CPUs.
According to researchers, GhostHook works only against systems running Intel Processor Trace (PT), a feature of Intel CPUs that uses dedicated hardware to capture information about current software execution to aid with debugging operations and the detection of malicious code.
Normally, tapping into Intel PT operations would require an attacker to patch his malicious functions into kernel-level code, an operation that PatchGuard would immediately detect and block.
CyberArk researchers said they found that allocating an extremely small buffer for Intel PT packets causes the CPU to run out of buffer space and invoke a Performance Monitoring Interrupt (PMI) handler to deal with the overflow.
The problem is that PatchGuard doesn't monitor the PMI handler, so an attacker could hook his malicious code into that handler and use it to patch kernel operations.
This provides attackers with an undetectable method of patching the Windows kernel and embedding rootkits on Windows 64-bit versions. GhostHook works even on Windows 10, where very few rootkits have proven to be effective since the operating system's launch in the summer of 2015.

Microsoft won't patch GhostHook attack vector

CyberArk says it contacted Microsoft about the GhostHook attack, but the OS maker declined to issue a security update. Microsoft said it might patch the issue during its regular bug fixing cycle, but would not treat GhostHook as a security flaw.
Microsoft justified its decision by saying that an attacker needs to have kernel-level access on an infected machine to perform a GhostHook attack. An attacker with kernel-level rights could perform many other malicious actions, and users should focus on preventing an attacker from gaining this level of access in the first place.
Responding to Microsoft's refusal to patch this attack vector, CyberArk reiterated that the issue is "the bypassing of PatchGuard" which opens the door for rootkits on 64-bit Windows versions, and not necessarily the attacker's access level.
The real problem is that attackers now have a technique at their disposal to implant rootkits on platforms they could not reach in past years.
Currently, 64-bit malware makes up less than 1% of the entire malware landscape, and PatchGuard was one of the reasons that helped keep 64-bit versions secure and harder to infect.

Nuclear Power Plants Were Hacked

The attack was contained to the business-associated side of the plant, and evidence indicates that critical infrastructure was not affected. But cyber security experts say that now that the network has been infiltrated, the nuclear systems have become "much more vulnerable."

Hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.

But hackers can't affect a nuclear power plant's operations or safety systems. They can hack some business, personnel and other non-essential files, which may be embarrassing and costly, but not dangerous. These reactors are truly operational islands, wholly disconnected from the Internet.

The origins of the hackers are not known, although a joint report from the DHS and the FBI suggests many of the hackers are backed by governments like Russia. In a joint statement, the government agencies said, “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

America’s nuclear plants are one of the best protected of all systems from possible cyber threats. The safety and control systems for our nuclear reactors and other vital plant components are not connected to business networks or the Internet. We learned a lot from Stuxnet, the malicious computer worm that substantially damaged Iran’s nuclear program and that was introduced with a thumb drive.

Unlike other industries, the nuclear power industry holds regular briefings with the FBI and the DHS, including quarterly classified briefings on cyber and physical threats, to discuss threat assessments, to strategize on guarding against them and to maintain situational awareness.

The nuclear industry does not rely on firewalls to isolate these systems; that is not good enough. The plants use hardware-based data diode technologies developed for high-assurance environments such as the DOD. Data diodes allow information such as operational and monitoring data to be sent out, but ensure that information cannot flow back into the plant.

Updating software and equipment using portable devices is strictly restricted. Outside laptops and thumb drives cannot be used without serious scrubbing, if at all.

The NRC has established regulations that thoroughly monitor and inspect cyber security at all U.S. reactors. But the nuclear energy industry took the initiative to implement a cyber security program for the digital assets needed to maintain nuclear safety and continuity of power well before the NRC mandated such a program. The Nuclear Energy Institute's cyber security task force, formed in 2002, continuously monitors possible cyber threats and upgrades the protective approaches needed to counter them.