GhostHook attack bypasses Windows 10 PatchGuard using processor-based tracing
CyberArk security researchers found a way to bypass Windows 10 PatchGuard through Intel Processor Trace (Intel PT), a relatively new processor-based tracing feature, and fully compromise the target system.
This bypass, named GhostHook, allows an attacker who has already compromised a device to run malicious code in the kernel and take complete control of the target system. Microsoft said that although the vulnerability is extremely difficult to fix, it will try to address the problem in a future version of Windows; CyberArk also noted that the quickest remedy may come from the security vendors that rely on PatchGuard.
Microsoft issued a statement saying it encourages customers to practice good computing habits, including exercising caution when clicking on web links, opening unknown files, or accepting file transfers. Intel PT was released after PatchGuard; it lets security vendors monitor the stream of instructions executed by the CPU so that an attack on the operating system can be identified while the malware is running.
“We can execute code in the kernel and it will not be noticed by any security feature that Microsoft has built,” said Kobi Ben Naim, senior director of cyber research. Most security vendors rely on PatchGuard and DeviceGuard for trustworthy information when analyzing whether a system is under malicious attack. The researchers say the vulnerability can be used to evade detection by security products (anti-malware, firewalls, host-based intrusion detection and so on).
Naim said attacks of this kind are the domain of well-known nation-state hackers. The groups behind Flame and Shamoon, for example, have used 64-bit malware to gain footholds on machines and networks; if such malicious code became public or were used in ransomware attacks, the consequences would be serious.
CyberArk believes the weakness lies in Microsoft’s handling of Intel PT, specifically in how Intel PT communicates with the operating system. Intel PT is a hardware-level debug tracing interface: kernel code can ask the CPU to record trace information and then read it back. The problem the researchers found is in the way Microsoft implements this API, which lets an attacker not only read the trace information but also place code in a protected location in the kernel. As a result, an attacker can run arbitrary code at the point where this interface interacts with the security layer, without being detected by security software. CyberArk has not yet observed such attacks in the wild but believes some nation-states may already be using the vulnerability.
Source: hackernews