A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers.
“Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates,” Cisco Talos said in an exhaustive two-part report shared with The Hacker News. “This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise.”
Following responsible disclosure, Microsoft said it has taken steps to block all certificates to mitigate the threat.