In December, CrowdStrike reported that it had seen a rise in attacks targeting telco and BPO industries starting in June 2022. The company tentatively linked the campaign to the financially-motivated Scattered Spider threat group. It, furthermore, noted that the group had attempted to conduct a Bring Your Own Vulnerable Driver (BYOVD) attack—using vulnerable third-party drivers—to evade detection by EDR.
Diving into details
Scattered Spider was seen attempting to exploit a high-severity vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.
This vulnerability allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls.
While it was fixed in 2015, the threat actor may still be able to exploit it by planting an older, vulnerable version on compromised devices.
The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions and is signed by different certificates stolen from NVIDIA and Global Software LLC, among others, so Windows doesn't block it.
Why this matters
The threat actors use these drivers to disable EDR, which limits the defenders' visibility and prevention capabilities and prepares the targeted networks for subsequent attacks.
Upon startup, the driver decrypts a hard-coded string of targeted security products and patches the target drivers at hard-coded offsets.
The injected malware routine ensures that the security software drivers appear to be functioning normally, but in reality, they no longer protect the computer.
Other BYOVD attacks
In October 2022, the BlackByte ransomware group was found exploiting the CVE-2019-16098 vulnerability in Micro-Star’s MSI AfterBurner 4.6.2.15658 to disable more than 1,000 drivers.
Earlier the same month, the North-Korean state-sponsored Lazarus APT group launched organized spear-phishing campaigns against Belgium and the Netherlands.
The campaign leveraged the BYOVD technique to exploit the CVE-2021-21551 in Dell dbutil hardware driver.
The bottom line
Microsoft urges Windows users to lock their doors with the driver blocklist feature to fend off BYOVD attacks. Meanwhile, Crowdstrike cautions that although Scattered Spider has been known to have a specific target in mind, no one should consider themselves immune from these BYOVD attacks.