CyberArk Labs Identifies “GhostHook” Technique That Bypasses PatchGuard in Windows OS

June 22, 2017 Amy Burnis

Today on CyberArk’s Threat Research Blog, CyberArk Labs has published details about a new attack technique that bypasses PatchGuard in Windows OS. For our business readers, we offer this executive summary with highlights of the potential security impact:

Up until now, we haven’t seen many successful rootkits on Windows 10 64-bit, thanks in large part to PatchGuard (Kernel Patch Protection). Research by CyberArk Labs has uncovered an attack technique called GhostHook in the Windows OS that can let an attacker bypass PatchGuard, making it easy for an attacker to gain rootkit capabilities on Windows x64 machines. This attack technique gives cyber attackers full control over the network, including the ability to intercept anything on the system.

More than 400 million devices worldwide currently run on Windows 10. GhostHook is the first attack technique identified that will bypass PatchGuard – giving attackers the ability to take full control over 64-bit systems at the kernel level.

Attackers will now be able to go completely unnoticed by all security measures that rely on retrieving reliable information from the OS Kernel – this includes AV, personal firewalls, HIPS, and many next-gen endpoint products.

Attackers can now easily bury a rootkit in the kernel – completely undetectable to security solutions and invisible to MSFT’s PatchGuard itself. This attack technique could also lead to the proliferation of more sophisticated, 64-bit malware – typically used in APT campaigns by nation states.

Of note, 64-bit malware makes up less than 1% of the current threat landscape. Examples of 64-bit malware include Shamoon, the disk-wiping malware used against Saudi Aramco, and Flame. Both are country-grade espionage malware.

Please read the original post for the full technical details and Microsoft’s response to the reported vulnerability.
