A threat actor is actively targeting Colombian government entities by abusing a vulnerable signed driver that was built two years ago. Although Microsoft usually revokes the certificates of widely abused drivers, this driver's certificate has not been revoked, so it still passes signature checks and remains a significant risk.
You Should Know:
1. Check for Vulnerable Drivers
To get an inventory of the driver packages on a system, export them with the following PowerShell command:
Get-WindowsDriver -Online -All | Select-Object Driver, Version, Date | Export-Csv -Path "Drivers_List.csv" -NoTypeInformation
This exports the driver store (third-party packages, plus inbox packages because of `-All`) for offline analysis. Note that it does not tell you which drivers are actually loaded; a driver dropped by an attacker and started as a kernel service may never appear in the driver store, so pair this with a check of running driver services (Win32_SystemDriver) and with the Sysmon monitoring in step 4.
2. Verify Driver Signing Status
Check whether each driver image is properly signed using `sigcheck` from Sysinternals:
sigcheck.exe -accepteula -e -u -s C:\Windows\System32\drivers
`-e` restricts the scan to executable images, `-s` recurses, and `-u` lists only files that are unsigned (add `-v`, after accepting the VirusTotal terms with `-vt`, to also query VirusTotal). Look for "Verified: Unsigned" or any verification result other than "Signed", such as a revoked or untrusted certificate. Keep in mind that the driver in this campaign is validly signed and unrevoked, so it will show up as "Signed"; to catch it you must compare the file hashes (`-h` prints them) against the hashes published in the advisory or a vulnerable-driver list such as Microsoft's vulnerable driver blocklist.
3. Disable or Remove Malicious Drivers
If a malicious driver is detected, stop and delete its kernel service (use `sc query type= driver` to find the service name; from PowerShell call `sc.exe` explicitly, because the bare name `sc` is an alias for Set-Content):
sc stop <ServiceName>
sc delete <ServiceName>
Then remove the associated `.sys` file from `C:\Windows\System32\drivers\`. Stopping fails if the driver does not support unloading, and a loaded image cannot be deleted from disk; in that case `sc delete` marks the service for removal and the file can be deleted after a reboot.
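Steps 1 to 3 as one script, added here as an example rather than code from the original post. It reports the kernel drivers that are currently loaded (not just the driver store), checks each image's Authenticode or catalog signature, hashes it, and gives a verdict; the `$KnownBadSha256` list is a placeholder to be filled from the advisory or a vulnerable-driver list. It assumes Windows PowerShell 5.1 or later in an elevated session (earlier versions report catalog-signed inbox drivers as NotSigned).

```powershell
# Added example (not from the original post): audit loaded kernel drivers.
# Placeholder blocklist: fill from the advisory, LOLDrivers, or Microsoft's
# vulnerable driver blocklist.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'   # placeholder
)

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Win32_SystemDriver.PathName uses several spellings of the same location.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-LoadedDriverReport {
    param([string[]]$BadHashes = $KnownBadSha256)

    # Kernel drivers are services; State=Running means the image is loaded.
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $svc  = $_
        $path = Resolve-DriverPath $svc.PathName
        $row  = [ordered]@{ Service=$svc.Name; Path=$path; Signer=''; SigStatus=''; SHA256=''; Verdict='' }

        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A running driver whose image is missing from disk deserves a look.
            $row.Verdict = 'Review: image not found on disk'
            return [pscustomobject]$row
        }

        # Get-AuthenticodeSignature checks embedded and catalog signatures.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $row.SigStatus = $sig.Status
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        $row.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # Inbox drivers are catalog-signed by "CN=Microsoft Windows". Third-party
        # drivers signed through WHCP attestation carry a different Microsoft subject
        # and must NOT be treated as inbox: that is how most abused drivers are signed.
        $row.Verdict =
            if ($BadHashes -contains $row.SHA256) { 'KnownBad: hash on blocklist' }
            elseif ($sig.Status -ne 'Valid') { "Review: signature status $($sig.Status)" }
            elseif ($row.Signer -match '^CN=Microsoft Windows,') { 'Inbox' }
            elseif ($row.Signer -match 'Hardware Compatibility Publisher') { 'Review: third-party driver signed via WHCP' }
            else { 'Review: third-party signer' }
        [pscustomobject]$row
    }
}

function Remove-KernelDriverService {
    # Scripted form of the sc stop / sc delete step.
    param([Parameter(Mandatory)][string]$ServiceName)
    $img = Resolve-DriverPath (Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'").PathName
    sc.exe stop   $ServiceName | Out-Null   # fails if the driver does not support unload
    sc.exe delete $ServiceName | Out-Null   # marks the service for deletion
    if ($img -and (Test-Path -LiteralPath $img)) {
        try   { Remove-Item -LiteralPath $img -Force -ErrorAction Stop }
        catch { Write-Warning "Image $img is still in use; delete it after a reboot" }
    }
}

$report = Get-LoadedDriverReport
$report | Where-Object Verdict -ne 'Inbox' | Format-Table -AutoSize
$report | Export-Csv -Path Loaded_Drivers.csv -NoTypeInformation
# Remove-KernelDriverService -ServiceName 'BadDriverSvc'   # only after confirming the verdict
```

Only the `KnownBad` verdict is conclusive; a `Review` verdict means a legitimate third-party driver is just as likely as a malicious one, so confirm with the hash before removing anything.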
4. Monitor Driver Loads with Sysmon
Deploy Sysmon to log driver loads (Event ID 6):
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <DriverLoad onmatch="exclude">
      <Signature condition="is">Microsoft Windows</Signature>
    </DriverLoad>
  </EventFiltering>
</Sysmon>
This config logs every driver load whose signer is not exactly "Microsoft Windows", the catalog signer of inbox drivers. Do not widen the exclusion to every Microsoft signer: third-party drivers signed through the Windows Hardware Compatibility Program carry a Microsoft publisher signature too, and those are the ones attackers abuse, so they must stay in the log.
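Triage logic for the Event ID 6 records that configuration produces, added as an example and not taken from the original post. The function extracts the DriverLoad fields from the event XML and alerts on an invalid signature status, a signer other than the inbox "Microsoft Windows", or a SHA256 on a blocklist. The sample event is constructed so the script runs without Sysmon present; the final pipeline reads live events and assumes Sysmon is installed with the default log name.

```powershell
# Added example (not from the original post): triage Sysmon DriverLoad (Event ID 6).
function Test-DriverLoadEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string[]]$BadHashes = @()
    )

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # EventData is a list of <Data Name="..."> elements; turn it into a hashtable.
    $d = @{}
    foreach ($n in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $d[$n.GetAttribute('Name')] = $n.InnerText
    }

    # Sysmon writes Hashes as "SHA256=...,IMPHASH=..." (depends on HashAlgorithms).
    $sha256 = if ($d.Hashes -match 'SHA256=([0-9A-Fa-f]{64})') { $Matches[1].ToUpper() } else { $null }

    $reasons = @()
    if ($d.SignatureStatus -ne 'Valid')      { $reasons += "signature status '$($d.SignatureStatus)'" }
    if ($d.Signature -ne 'Microsoft Windows') { $reasons += "signer '$($d.Signature)'" }   # WHCP-signed drivers land here
    if ($sha256 -and ($BadHashes -contains $sha256)) { $reasons += 'hash on blocklist' }

    [pscustomobject]@{
        Time    = $d.UtcTime
        Image   = $d.ImageLoaded
        Signer  = $d.Signature
        Status  = $d.SignatureStatus
        SHA256  = $sha256
        Alert   = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample event (not a real capture): a validly signed third-party driver.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\example.sys</Data>
    <Data Name="Hashes">SHA256=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example Vendor Ltd</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
'@
$placeholderBlocklist = @('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
Test-DriverLoadEvent -EventXml ([xml]$sampleEvent) -BadHashes $placeholderBlocklist | Format-List

# Live hunt over the Sysmon operational log (requires Sysmon and an elevated session).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DriverLoadEvent -EventXml ([xml]$_.ToXml()) -BadHashes $placeholderBlocklist } |
    Where-Object Alert | Format-Table Time, Image, Signer, Status, Reasons -AutoSize
```

Because the driver in this campaign is validly signed, the signer check and the blocklist match are the conditions that fire for it; the status check catches drivers loaded with a revoked or expired certificate.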
5. Distrust the Certificate Manually (If Possible)
Only the issuing CA can revoke a certificate, but if Microsoft hasn't revoked a malicious one you can distrust it on your own machines via Group Policy:
1. Open `gpedit.msc` (or edit a domain GPO)
2. Navigate to:
Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Untrusted Certificates
3. Right-click, choose Import, and import the signer certificate (a `.cer` exported from the malicious driver's signature, identified by its thumbprint).
Certificates in this store are distrusted by Authenticode verification. Treat this as defence in depth: the dependable control for keeping a signed driver out of the kernel is a WDAC policy that denies it by hash or signer (or Microsoft's vulnerable driver blocklist), as recommended below.
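The scripted equivalent of step 5, added as an example and not code from the original post. It pulls the leaf signing certificate off a suspect driver, imports it into the machine's Untrusted Certificates (Disallowed) store, and re-checks the file. `$DriverPath` is a placeholder; it assumes an elevated session and the built-in PKI module. The Microsoft-subject guard exists because WHCP-signed third-party drivers share Microsoft's publisher certificate, which you cannot distrust without breaking legitimate drivers; those need a WDAC hash rule instead.

```powershell
# Added example (not from the original post): distrust a driver's signer locally.
function Block-DriverSigner {
    param([Parameter(Mandatory)][string]$DriverPath)

    $sig = Get-AuthenticodeSignature -LiteralPath $DriverPath
    if (-not $sig.SignerCertificate) { throw "No Authenticode signer found on $DriverPath" }
    $cert = $sig.SignerCertificate
    Write-Host "Signer:     $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"

    # Never distrust Microsoft's own publisher certificates: inbox and WHCP-signed
    # drivers chain to them, and blocking those would break the system.
    if ($cert.Subject -match 'O=Microsoft Corporation') {
        throw 'Signer is a Microsoft certificate; block this driver by hash with WDAC instead'
    }

    # Export the leaf certificate and import it into the Disallowed store.
    $cerPath = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null
    Remove-Item -LiteralPath $cerPath -Force

    # Re-verify: the status should no longer be Valid now that the signer is distrusted.
    (Get-AuthenticodeSignature -LiteralPath $DriverPath).Status
}

# Placeholder path; point it at the driver image you identified in steps 1 and 2.
$DriverPath = 'C:\Windows\System32\drivers\suspect.sys'
Block-DriverSigner -DriverPath $DriverPath
```

To push the same distrust across a domain, import the exported `.cer` into the GPO's Untrusted Certificates container as described in step 5.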
6. Linux Alternative: Check Kernel Modules
For Linux systems, list the loaded kernel modules and look for the one you suspect:
lsmod | grep suspicious_module
Remove a malicious module (this fails if the module is in use or refuses to unload):
sudo rmmod suspicious_module
Then blacklist it in `/etc/modprobe.d/blacklist.conf` with a `blacklist suspicious_module` line. A `blacklist` entry only stops automatic loading; an `install suspicious_module /bin/false` line in the same file also defeats explicit modprobe calls.
What Undercode Say:
This incident highlights the risk posed by signed but unrevoked vulnerable drivers. Organizations should:
– Regularly audit loaded drivers using `sigcheck` and PowerShell, comparing hashes against known vulnerable-driver lists.
– Implement strict driver allow-listing via AppLocker or, preferably, WDAC, and enable Microsoft's vulnerable driver blocklist (enforced with HVCI where the hardware supports it).
– Monitor driver loads with Sysmon (Windows) or auditd (Linux).
– Apply Microsoft's KB5005039 update if it applies to your build.
– Use YARA rules to detect known malicious drivers.
Stay vigilant: attackers readily repurpose old, still-signed drivers when vendors overlook revocation.
Expected Output:
- A CSV of installed driver packages (Drivers_List.csv).
- Sysmon Event ID 6 records for every non-Microsoft driver load.
- Blacklisted kernel modules on Linux.
- The malicious signer certificate distrusted via Group Policy.
References:
Reported By: Anashadane It – Hackers Feeds