Microsoft has outlined why its new breed of Secured-core PCs, such as the Surface Pro X, are equipped to fight off ransomware and other malware that abuse vulnerable hardware drivers to compromise a machine.
The two key ways Secured-core PCs block ransomware attacks such as RobbinHood are by defending against vulnerable and malicious drivers and by blocking unverified code execution.
As security vendor Sophos noted recently, RobbinHood stood out from other ransomware because it shipped with a properly signed but vulnerable third-party driver that patched the Windows kernel in-memory.
It then loaded its own unsigned malicious driver and used it to disable security products from the kernel. The signed driver in question, GDRV.sys, ships with motherboard utility software from the Taiwanese manufacturer Gigabyte.
GDRV.sys contained a privilege escalation vulnerability that exposed arbitrary kernel memory read and write, which gave the attacker the ability to temporarily disable the Windows driver signature enforcement mechanism in the kernel and so load the unsigned driver.
Microsoft created Secured-core PCs in response to a rise in firmware vulnerabilities. Firmware runs with higher privileges than the hypervisor and the Windows kernel, so an attack at that level would undermine Secure Boot and could be invisible to antivirus; a vulnerable kernel driver hands an attacker a similar level of access to the running system.
Microsoft notes that RobbinHood is part of a growing trend of attacks by cybercriminals and state-backed hackers that use vulnerable drivers. Others include Uroburos, Derusbi, GrayFish, and Sauron, as well as malware campaigns by the state-sponsored hacking group that Microsoft calls STRONTIUM, also known as Fancy Bear or APT28.
Of particular concern is the use of so-called 'wormhole drivers': drivers that are vulnerable by design and undermine platform-level security by opening up direct, arbitrary kernel-level memory read and write to any code that can talk to them.
"In our research, we identified over 50 vendors that have published many such wormhole drivers," the Microsoft Windows Platform Security Team noted.
"We actively work with these vendors and determine an action plan to remediate these drivers. To further help customers identify these drivers and take necessary measures, we built an automated way in which we can block vulnerable drivers, and that is updated through Windows update."
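Microsoft's blocklist is delivered by Windows Update, but an administrator will often want an independent view of what kernel drivers are actually loaded on a host. The PowerShell script below is an added example, not code from the article or from Microsoft: it enumerates the running kernel drivers, hashes each image, checks its Authenticode signature and compares the hash against a local blocklist. The two blocklist entries are placeholder values constructed so the script runs as-is; they are not real driver hashes and should be replaced with hashes from your own threat intelligence or from Microsoft's published driver block rules.

```powershell
# Added example (not from the article or Microsoft): audit the kernel drivers
# currently running on a Windows host against a local hash blocklist and flag
# anything unsigned or tampered. Run from an elevated PowerShell prompt.

$KnownBadDriverHashes = @{
    # Placeholder SHA-256 values, constructed for this example (assumption).
    # Replace with real hashes of drivers you want to detect.
    '1111111111111111111111111111111111111111111111111111111111111111' = 'example vulnerable driver A'
    '2222222222222222222222222222222222222222222222222222222222222222' = 'example vulnerable driver B'
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may be quoted and may carry NT-style prefixes
    # or a path relative to the Windows directory; normalise to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-RunningDriverAudit {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path   # validates catalog-signed inbox drivers too

        [pscustomobject]@{
            Name      = $d.Name
            Path      = $path
            Sha256    = $hash
            SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            KnownBad  = $KnownBadDriverHashes.ContainsKey($hash)
        }
    }
}

$audit = Get-RunningDriverAudit

# Blocklisted, unsigned or tampered drivers first: an unsigned driver running in the
# kernel means signature enforcement was bypassed, exactly what RobbinHood did.
$audit | Where-Object { $_.KnownBad -or $_.SigStatus -ne 'Valid' } |
    Select-Object Name, Path, SigStatus, KnownBad | Format-Table -AutoSize

# Then validly signed drivers from non-Microsoft publishers, for manual review.
# A valid signature is not proof of safety: RobbinHood's GDRV.sys was properly signed.
$audit | Where-Object { $_.SigStatus -eq 'Valid' -and $_.Signer -notmatch 'Microsoft' } |
    Select-Object Name, Signer | Format-Table -AutoSize
```

Two caveats when reading the output. WHQL-signed third-party drivers are countersigned by Microsoft's hardware compatibility publisher, so the signer filter is a triage aid rather than a verdict, and the hash check is the reliable part. And a driver that was loaded and then deleted from disk, as droppers often do, is skipped by the `Test-Path` guard; a missing image for a running driver is itself worth investigating.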
The way Secured-core PCs combat this threat is by guaranteeing that hardware-backed security features are enabled by default so that admins don't need to configure them in BIOS and OS settings.
Enabled features include a Trusted Platform Module (TPM), virtualization-based security (VBS), Windows Defender System Guard, hypervisor-protected code integrity (HVCI) to block unverified code execution, Kernel DMA Protection for Thunderbolt 3 ports to defend against attacks that require physical access, and Credential Guard.
According to Microsoft, HVCI and Kernel Data Protection (KDP) should thwart attacks like RobbinHood: HVCI blocks the malware's ability to use a driver to change code and variables in system memory, and KDP prevents kernel data-corruption attacks.
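Whether those protections are actually running on a given machine is easy to check. The script below is an added example, not code from the article or from Microsoft; it reads the Win32_DeviceGuard WMI class (whose numeric codes are documented by Microsoft) together with the Secure Boot and TPM cmdlets, and reports the configured-versus-running state of each feature. It assumes an elevated prompt on Windows 10 or later; the property names in the returned object are this example's own.

```powershell
# Added example (not from the article or Microsoft): report which hardware-backed
# protections are configured and which are actually running on this host.
# Run from an elevated PowerShell prompt.

function Get-SecuredCoreStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Codes used by Win32_DeviceGuard:
    #   VirtualizationBasedSecurityStatus  : 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured/Running : 1 = Credential Guard, 2 = HVCI,
    #                                        3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
    #   AvailableSecurityProperties        : 2 = Secure Boot, 3 = DMA protection,
    #                                        7 = Mode Based Execution Control
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; Get-Tpm throws without admin rights.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm        = try { (Get-Tpm).TpmPresent } catch { $false }

    [pscustomobject]@{
        VirtualizationBasedSecurity  = $vbs
        HVCI_Configured              = [bool]($dg.SecurityServicesConfigured -contains 2)
        HVCI_Running                 = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuard_Running      = [bool]($dg.SecurityServicesRunning -contains 1)
        SystemGuardSecureLaunch      = [bool]($dg.SecurityServicesRunning -contains 3)
        KernelDmaProtectionAvailable = [bool]($dg.AvailableSecurityProperties -contains 3)
        SecureBoot                   = [bool]$secureBoot
        TpmPresent                   = [bool]$tpm
    }
}

$status = Get-SecuredCoreStatus
$status

# "Configured but not running" usually means a reboot is pending or a hardware
# prerequisite (UEFI with Secure Boot, an IOMMU, VT-x/AMD-V) is missing or disabled.
if ($status.HVCI_Configured -and -not $status.HVCI_Running) {
    Write-Warning 'HVCI is configured but not running; check Secure Boot, IOMMU and virtualization support in firmware.'
}
```

On a Secured-core PC every boolean should come back true and VBS should report Running out of the box; on an ordinary machine the same script shows which prerequisites are missing before you try to switch HVCI on through Windows Security or policy.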
KDP offers the makers of driver software that runs in the Windows kernel, and the OS code itself, "the ability to mark some kernel memory containing sensitive information as read-only protected".
"The memory is protected through the second level address translation (SLAT) tables by the hypervisor, such that no software running in VTL0 has access to the protected memory. KDP does not protect executable pages, as those are already protected with HVCI," it states.
While Secured-core PCs remove some of the complexity of deploying large fleets of PCs, they do come at a price.
Lenovo, HP, Dell, Panasonic, Dynabook, and Getac offer Secured-core PCs, but the cheapest available is Microsoft's $1,099 Surface Pro X. Most of the Secured-core PCs cost north of $1,500 per device.