Scattered Spider, a financially motivated threat actor, was seen trying to install Intel Ethernet diagnostics drivers as part of a BYOVD (Bring Your Own Vulnerable Driver) attack, in order to avoid detection by EDR security products.
BYOVD is a technique in which threat actors load a kernel-mode driver that contains an exploitable vulnerability onto a Windows system and abuse it to gain higher privileges.
Device drivers run with kernel-level access to the Windows operating system, so a vulnerability in a driver's code lets threat actors execute code with the highest privileges.
CrowdStrike observed this tactic immediately after last month's .
shows that the attackers tried to use BYOVD to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne.
Security products that are not working
CrowdStrike reported that the Scattered Spider threat actor attempted to exploit . This high-severity flaw in the Intel Ethernet diagnostics driver allows attackers to run arbitrary code with kernel privileges via specially crafted calls.
The vulnerability was fixed in 2015. However, attackers can still exploit it by deploying an older, still-vulnerable version of the driver on breached devices.
Scattered Spider uses a 64-bit driver with 35 functions, signed with various certificates taken from NVIDIA or Global Software LLC so that Windows won't block it.
Threat actors use such drivers to disable endpoint security products, reducing defenders' visibility and preventive capabilities. This sets the stage for the subsequent phases of their operations on targeted networks.
At startup, the driver decrypts a list of targeted security products and patches their drivers using hard-coded offsets.
The malicious patching routine ensures that the security software's drivers keep running normally, even though they no longer protect the computer.
CrowdStrike says that Scattered Spider has a narrow targeting scope, but cautions that organizations cannot afford to overlook the potential for BYOVD attacks.
We have recently reported on other high-profile threat actors, such as the , and the , who used BYOVD attacks to gain elevated Windows privileges.
A longstanding problem for Windows
Microsoft attempted to solve this security issue on Windows with , introduced in 2021.
The issue was not resolved, however, because Windows does not block vulnerable drivers automatically unless you are running Windows 11 2022 or later (released in September 2022).
Worse still, Microsoft does not update the driver blocklist with every major Windows release, as October. This leaves devices more exposed to malware attacks. Microsoft to correct this issue and update the driver blocklist properly.
Microsoft recommends that Windows users enable the driver blocklist to guard against BYOVD attacks. The explains how to enable the driver blocklist via Windows Memory Integrity or Windows Defender Application Control (WDAC).
Enabling Memory Integrity can sometimes be challenging on systems with older drivers.
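As an added example that is not part of the article: a PowerShell audit script that reports whether Memory Integrity (HVCI) and Microsoft's vulnerable driver blocklist are active on a host, and lists running kernel drivers whose signer is not Microsoft, which is where a driver signed with a borrowed certificate would show up. The WMI class, service identifiers and registry value are Microsoft's documented ones; the function names are my own.

```powershell
# Added example: audit the two BYOVD mitigations the article mentions and
# inventory non-Microsoft kernel drivers. Run from an elevated PowerShell session.

function Get-ByovdMitigationStatus {
    # Win32_DeviceGuard reports which virtualization-based security services are
    # configured and actually running; service id 2 is HVCI (Memory Integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvciConfigured = ($null -ne $dg) -and ($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # The vulnerable driver blocklist toggle lives under the Code Integrity
    # configuration key; a missing value means it has never been set explicitly.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
                  -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        MemoryIntegrityConfigured = [bool]$hvciConfigured
        MemoryIntegrityRunning    = [bool]$hvciRunning
        DriverBlocklistValue      = if ($null -eq $blocklist) { 'not set' } else { $blocklist }
    }
}

function Get-NonMicrosoftKernelDrivers {
    # Running kernel drivers whose Authenticode signer is not Microsoft. Unsigned
    # drivers (no signer subject) are deliberately kept in the output.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths such as \??\C:\... or \SystemRoot\...
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

Get-ByovdMitigationStatus | Format-List
Get-NonMicrosoftKernelDrivers | Sort-Object Signer | Format-Table -AutoSize
```

A driver whose signer is an unexpected hardware or software vendor and whose file does not belong to any installed product is worth cross-checking against the blocklist and your asset inventory.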