Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Chinese Hackers Exploit Windows Loophole

July 12, 2023
Reading Time: 2 mins read
in Alerts
Chinese Hackers Exploit Windows Loophole

 

Chinese hackers have been exploiting a loophole in Windows policies to sign and load malicious kernel mode drivers on compromised systems, granting them elevated privileges and evading detection.

By altering the signing date of malicious drivers before July 29th, 2015, using tools like ‘HookSignTool’ and ‘FuckCertVerify,’ threat actors can utilize older, leaked certificates for privilege escalation.

These tools employ Windows API hooking and code signing manipulation techniques, leaving artifacts in some cases, while others remain undetectable.

The Windows policy loophole was introduced by Microsoft to restrict the loading of kernel mode drivers, but exceptions were made for older drivers. Chinese hackers have been using ‘HookSignTool’ and ‘FuckCertVerify’ to alter the signing date of malicious drivers, exploiting the exception.

‘HookSignTool’ utilizes API hooking and the Microsoft Detours library to perform driver signing, while ‘FuckCertVerify’ modifies signature timestamps. These tools require non-revoked code-signing certificates issued before the policy change in 2015.

Cisco Talos researchers have identified more than a dozen certificates available in GitHub repositories and Chinese forums that can be used with these tools. These certificates, often used for game cracks and bypassing DRM checks, have been employed for malicious purposes, including the signing of the browser hijacker ‘RedDriver.’ Microsoft has revoked the associated certificates and suspended developer accounts involved in this abuse.

The company has released security updates and implemented blocking detections to protect customers from the exploitation of legitimately signed drivers.

Although Microsoft has taken action, the risk persists as additional certificates may still be exposed or stolen. The use of malicious kernel mode drivers highlights the need for ongoing monitoring and proactive security measures.

While Microsoft does not classify this issue as a vulnerability, it underscores the importance of staying vigilant and regularly updating security measures to prevent further abuse of Windows policy loopholes by threat actors.

Reference:
  • Guidance on Microsoft Signed Drivers Being Used Maliciously

Tags: API SecurityChinaCyber AlertCyber Alerts 2023CyberattackCybersecurityFuckCertVerifyHackersJuly 2023VulnerabilitiesWindows
ADVERTISEMENT

Related Posts

Chrome Extensions Leak Data And API Keys

Chrome Extensions Leak Data And API Keys

June 6, 2025
Chrome Extensions Leak Data And API Keys

AMOS Stealer Hits macOS Via Fake CAPTCHA

June 6, 2025
Chrome Extensions Leak Data And API Keys

BADBOX Turns 1M+ IoT Devices Into Proxies

June 6, 2025
UNC6040 Vishing Group Target Salesforce Data

UNC6040 Vishing Group Target Salesforce Data

June 5, 2025
New Chaos RAT Variant Hits Windows and Linux

New Chaos RAT Variant Hits Windows and Linux

June 5, 2025
New Chaos RAT Variant Hits Windows and Linux

FBI Warns Hedera NFT Airdrop Crypto Scam

June 5, 2025

Latest Alerts

AMOS Stealer Hits macOS Via Fake CAPTCHA

Chrome Extensions Leak Data And API Keys

BADBOX Turns 1M+ IoT Devices Into Proxies

FBI Warns Hedera NFT Airdrop Crypto Scam

New Chaos RAT Variant Hits Windows and Linux

UNC6040 Vishing Group Target Salesforce Data

Subscribe to our newsletter

    Latest Incidents

    German Dog Rescue IG Hacked For Ransom

    Hack Attempt Hits German Police Phone System

    InfoJobs Spain Hit By Credential Stuffing

    KiranaPro Startup Hacked All Data Wiped

    Nervos Bridge Paused After $3.9 Million Hack

    Ukraine GUR Claims Tupolev Data Theft Hack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial