CIGslip Technique Can Let Hackers Bypass Microsoft’s Code Integrity Guard

Security researchers uncovered an attack vector that can enable attackers to circumvent Microsoft’s Code Integrity Guard (CIG) and inject malicious libraries into CIG-protected applications and processes, including Microsoft Edge.

How does CIG work?

CIG is part of Device Guard, a security feature in Windows 10 and Windows Server 2016. Microsoft Edge also supports CIG, and third-party developers can deploy CIG in their own applications. An application built to support CIG will only load dynamic-link libraries (DLLs) and binaries signed by Microsoft or the Windows Store. This helps deter the injection of unauthorized code into CIG-enabled applications. For instance, CIG will block the code a banking Trojan needs to display its phishing content inside an application like Edge.
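The following is an added example, not code from the article or from the researchers: it opts a hypothetical application (the placeholder name MyBankApp.exe) into CIG with the ProcessMitigations cmdlets that ship with Windows 10 1709 and later, and then audits which DLLs a running instance has actually loaded. It assumes an elevated PowerShell session and that Get-ProcessMitigation exposes the signature policy under a BinarySignature property on this Windows build.

```powershell
# Added example: enable CIG for a placeholder executable and audit its loaded modules.
# Requires Windows 10 1709+ (ProcessMitigations module) and an elevated shell.
$exe = 'MyBankApp.exe'   # placeholder name, not from the original article

# 1. Persist the CIG policy for every future instance of the executable.
#    MicrosoftSignedOnly is the CIG switch; AllowStoreSignedBinaries widens it
#    to Windows Store signatures, matching the behaviour described above.
Set-ProcessMitigation -Name $exe -Enable MicrosoftSignedOnly, AllowStoreSignedBinaries

# 2. Confirm the policy was recorded (assumption: the BinarySignature property
#    exposes the per-process signature policy on this Windows build).
(Get-ProcessMitigation -Name $exe).BinarySignature

# 3. Audit what a running instance has loaded. CIG is enforced in the kernel at
#    image-load time; this after-the-fact check is only an approximation, but it
#    gives defenders a way to spot modules that arrived through a legitimate load
#    path and carry an unexpected signer.
function Get-UnexpectedModules {
    param([Parameter(Mandatory)][string]$ProcessName)
    $baseName = [IO.Path]::GetFileNameWithoutExtension($ProcessName)
    $procs = Get-Process -Name $baseName -ErrorAction Stop
    foreach ($p in $procs) {
        foreach ($m in $p.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Heuristic: flag anything not validly signed by a Microsoft subject.
            # Store-signed third-party DLLs will also show up here and need review.
            if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Pid    = $p.Id
                    Module = $m.FileName
                    Status = $sig.Status
                    Signer = $subject
                }
            }
        }
    }
}

Get-UnexpectedModules -ProcessName $exe | Format-Table -AutoSize
```

Run the audit periodically or from an incident-response playbook; an empty result means every loaded module passed the heuristic, not that CIG itself is active, which step 2 verifies.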


How can CIGslip bypass CIG?

The technique called CIGslip bypasses CIG’s security mechanisms without having to inject or insert an unsigned image code page into the system’s memory. A CIGslip-toting malware can sneak past CIG’s protections by mimicking how legitimate dynamic-link libraries (DLLs) are loaded into a process. In turn, code from a non-CIG-enabled process could be loaded into a CIG-protected process, which serves as an entry point for loading an attacker's code into applications.


What’s the impact?

According to the researchers, banking trojans can use CIGslip to load their phishing content. Attackers can also use CIGslip to deliver adware and other threats typically delivered through web browsers, such as information stealers. Banking malware, which usually overlays its own fraudulent content over legitimate ads, is one of these threats.

Has CIGslip been fixed?

The security researchers disclosed their findings to Microsoft, which reasoned that CIGslip is “outside the scope of CIG.” However, Microsoft will still address the issue through a security patch in the future.

How does secure DevOps figure into this?

Indeed, vulnerabilities and security gaps are projected to remain a mainstay for cybercriminals breaching systems and applications. In fact, as many as one-third of the containers that deploy and run applications can contain known vulnerabilities or security gaps. For instance, given that CIG is available to developers through application programming interfaces (APIs), an attacker can exploit CIGslip to trojanize the application or use it as an entry point to load malicious code.

Organizations, particularly those that develop their own software or use custom applications, are addressing these gaps by taking a programmatic and layered approach to managing and securing them. This means securing every layer of an application’s lifecycle, from planning, development, and monitoring to the infrastructure or environment it runs on, so it can be deployed and used in a scalable manner.
