CyberArk Labs Identifies “GhostHook” Technique That Bypasses PatchGuard in Windows OS


Today on CyberArk’s Threat Research Blog, CyberArk Labs has published details about a new attack technique that bypasses PatchGuard in the Windows OS. For our business readers, we offer this executive summary with highlights of the potential security impact:

Until now, we have not seen many successful rootkits on 64-bit Windows 10, thanks in large part to PatchGuard (Kernel Patch Protection). Research by CyberArk Labs has uncovered an attack technique in the Windows OS, called GhostHook, that lets an attacker bypass PatchGuard, making it easy to gain rootkit capabilities on 64-bit Windows machines. This attack technique gives cyber attackers full control over the network, including the ability to intercept anything on the system.

More than 400 million devices worldwide currently run on Windows 10. GhostHook is the first attack technique identified that will bypass PatchGuard – giving attackers the ability to take full control over 64-bit systems at the kernel level.

Attackers will now be able to go completely unnoticed by all security measures that rely on retrieving reliable information from the OS kernel; this includes AV, personal firewalls, HIPS, and many next-gen endpoint products.

Attackers can now easily bury a rootkit in the kernel that is completely undetectable by security solutions and invisible to Microsoft’s PatchGuard itself. This attack technique could also lead to the proliferation of more sophisticated 64-bit malware, the kind typically used in APT campaigns by nation states.

Of note, 64-bit malware makes up less than 1% of the current threat landscape. Examples of 64-bit malware include Shamoon, the disk-wiping malware used against Saudi Aramco, and Flame; both are nation-state-grade espionage malware.

Please read the original post for the full technical details and Microsoft’s response to the reported vulnerability.

About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.