Security researchers from the Eclypsium research team have discovered a vulnerability in the Windows Platform Binary Table (WPBT) that allows attackers to install rootkits on all Windows devices shipped since 2012.
WBPT is a fixed firmware ACPI (Advanced Configuration and Power Interface), introduced in Windows 8 to allow vendors to execute programs when the devices boots. However, this mechanism also allows attackers to deploy Malware. These attacks can use multiple techniques which enable writing to the memory space of ACPI tables (including WPBT) or load a malicious boot loader.
The impact:
This issue impacts all Windows devices post 2012, including Windows 8 and above. This feature allows for binaries to persistently execute in the context of the Windows operating system. If an attacker can abuse this vulnerability, they can gain persistence with system-level privileges on the machine, thus allowing them complete power over the compromised device.
The remediation:
For Windows versions 10 1903 and above or Windows Server 2016 and above, Microsoft recommends implementing a robust Windows Defender Application Control Policy (WDAC).
On older Windows releases, AppLocker policies should be configured in the absence of WDAC.
Please see the following guides for advice on how to configure AppLocker and WDAC per best practices:
Source: Bleeping Computer