Hello and welcome to the Monday, July 17th, 2003 edition of the Sandinut Storm Center's Stormcast. My name is Johannes Ulrich and the time recording from Jacksonville, Florida.

To start out, I just want to follow up a little bit on last week's patch Tuesday. Cisco has a blog post that was released last

Tuesday, but I don't think I mentioned it yet, that goes to a little bit more depth on these

kernel mode driver signing issue that Microsoft addressed last Tuesday. To support legacy systems,

Microsoft will accept cross-signed kernel mode drivers as long as the signature timestamp is set to a date before July 29, 2015.

And that's the real problem here, that there is sort of this fallback. So an attacker who somehow has obtained a signing

certificate that was valid back in 2015, well, they can now just backdate the signature.

Cisco also states that they observed over a dozen of code signing certificates that are often

being distributed as part of tools to create

these fake certificates.

This is available on GitHub.

The blog post also suggests that thousands of malicious drivers are taking advantage of

this particular problem.

The underlying vulnerability actually also still exists.

Microsoft only added known exploited signing certificates to a block list.

So these are like the ones that Cisco found on GitHub.

According to Cisco, it can be helpful to compare the compilation date of a driver

to the signature date.

If it was signed before it was compiled, well, then you probably have a problem.

But of course, that date can be faked too.

But how do attackers obtain these private keys? Researchers with the

Technical Hochschule in Aachen did analyze over 300 Docker images from DockerUp and about

...