Old certificate, new signature: open-source tools forge signature timestamps on Windows drivers

• Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015.


• Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.


• We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in …

certificate cisco cisco talos drivers forge july kernel mode old policy signature signing talos threat threat actors tools windows