A financially motivated threat actor tracked as Scattered Spider was observed attempting to deploy a vulnerable Intel Ethernet diagnostics driver in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response) security products.
In a BYOVD attack, the threat actor brings a legitimately signed kernel-mode driver with a known, exploitable flaw onto the victim machine, loads it, and then exploits the flaw to gain higher privileges in Windows.
Because device drivers run inside the kernel, exploiting a flaw in one lets the threat actor execute code at the highest privilege level in Windows (ring 0), above any administrator account and above the user-mode components of security products.
CrowdStrike observed this new tactic shortly after publishing its previous report on Scattered Spider at the start of last month.
According to the latest CrowdStrike report, the hackers attempted to use the BYOVD method to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
Disabling security products
CrowdStrike reports that the Scattered Spider threat actor was seen attempting to exploit CVE-2015-2291, a high-severity vulnerability in the Intel Ethernet diagnostics driver that allows a local attacker to execute arbitrary code with kernel privileges by sending specially crafted IOCTL calls to the driver.
Although this vulnerability was fixed in 2015, the fix only exists in newer versions of the driver. By planting an older, still vulnerable copy on the breached devices, the threat actors can exploit the flaw no matter how fully patched the victim's system is: the old driver still carries a valid signature, so Windows will load it unless its hash or signer is on a block list.
The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions, signed with code-signing certificates stolen from companies such as NVIDIA and Global Software LLC, so Windows does not block it.
The threat actors use these drivers to disable endpoint security products and limit the defenders' visibility and prevention capabilities, laying the ground for subsequent phases of their operation on the targeted networks.
Once loaded, the driver decrypts a hard-coded list of targeted security products and patches those products' drivers in memory at hard-coded offsets.
The patched code leaves the security drivers loaded and apparently healthy, so they still appear to be functioning normally even though they no longer protect the computer.
CrowdStrike says Scattered Spider has a very narrow and specific targeting scope but warns that no organization can afford to ignore the possibility of BYOVD attacks.
Recently, we reported on other high-profile threat actors, such as the BlackByte ransomware gang and the North Korean hacking group Lazarus, using BYOVD attacks to obtain elevated Windows privileges for their intrusions.
A long-standing Windows problem
Microsoft tried to address this known security problem in Windows by introducing a vulnerable driver blocklist in 2021.
However, the issue was not addressed decisively: Windows does not enforce the blocklist by default unless you run the Windows 11 2022 Update (version 22H2) or later, which shipped in September 2022.
Even worse, as Ars Technica reported in October, Microsoft had only been updating the driver blocklist with each major Windows release, leaving devices exposed to newly added drivers in between. Microsoft has since released updates that fix the servicing pipeline so the blocklist is updated properly.
Microsoft recommends that Windows users enable the driver blocklist to protect against these BYOVD attacks. Microsoft's support article on the blocklist explains how to enable it through the Windows Memory Integrity feature (hypervisor-protected code integrity, HVCI) or Windows Defender Application Control (WDAC).
Unfortunately, enabling Memory Integrity can be difficult on devices with older drivers that are not compatible with it.
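Where Memory Integrity cannot be turned on, the same blocklist logic can still be applied after the fact to driver-load telemetry. The following is an added example for this article, not code from CrowdStrike, Microsoft or the Sysmon project: it parses Sysmon Event ID 6 (DriverLoad) records and flags loads that match a blocklisted hash, a signer whose certificate was reported stolen, or a driver path outside the system drivers directory. The hashes, signer names and log lines are all constructed placeholders for the example, not real blocklist entries; the point it shows is that a valid Authenticode signature alone is not a useful signal, since both the old Intel driver and the stolen-certificate driver described above pass that check.

```python
"""Hunt for BYOVD driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example, not from the article or any vendor. Everything below that
looks like an indicator (digests, signer names, log lines) is constructed.
"""
import re

# Constructed deny list keyed by SHA256 (placeholder digests, not real ones).
# Microsoft's real vulnerable driver blocklist is the source to use in practice.
BLOCKED_SHA256 = {
    "aa" * 32: "iqvw64e.sys - Intel Ethernet diagnostics driver, CVE-2015-2291",
}

# Signers whose code-signing certificates the article reports as stolen.
STOLEN_CERT_SIGNERS = {"NVIDIA Corporation", "Global Software LLC"}

# Drivers are normally installed here; a load from anywhere else is worth a look.
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"

# key=value pairs; values may contain spaces (e.g. "Intel Corporation") and
# the Hashes value itself contains '=' characters, so split on " key=" only.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flattened Sysmon DriverLoad line into a dict.

    The Hashes field ("SHA256=...,IMPHASH=...") is expanded into a nested dict
    with upper-case algorithm names and lower-case digests.
    """
    fields = dict(FIELD_RE.findall(line))
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            hashes[algo.strip().upper()] = digest.strip().lower()
    fields["Hashes"] = hashes
    return fields


def assess(event: dict) -> list:
    """Return the list of reasons this driver load is suspicious (empty if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = event["Hashes"].get("SHA256", "")
    if sha256 in BLOCKED_SHA256:
        reasons.append("hash on vulnerable driver blocklist: " + BLOCKED_SHA256[sha256])
    signer = event.get("Signature", "")
    if signer in STOLEN_CERT_SIGNERS:
        reasons.append("signed with a certificate reported stolen from " + signer)
    if not image.lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver loaded from outside the system drivers directory")
    # Deliberately no check on Signed/SignatureStatus: a BYOVD driver is
    # validly signed by construction, so "Signed=true" tells us nothing here.
    return reasons


def hunt(lines) -> list:
    """Run assess() over raw log lines; return (ImageLoaded, reasons) per hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.get("ImageLoaded", ""), reasons))
    return findings


# Constructed sample telemetry: one benign load, one Intel driver dropped into a
# user-writable path, one driver signed with a stolen certificate.
SAMPLE_EVENTS = [
    "UtcTime=2022-12-01 10:15:32.123 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    "Hashes=SHA256=" + "11" * 32 + ",IMPHASH=" + "22" * 16 + " Signed=true "
    "Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2022-12-01 10:16:05.456 ImageLoaded=C:\\Users\\Public\\iqvw64e.sys "
    "Hashes=SHA256=" + "aa" * 32 + ",IMPHASH=" + "33" * 16 + " Signed=true "
    "Signature=Intel Corporation SignatureStatus=Valid",
    "UtcTime=2022-12-01 10:16:09.789 ImageLoaded=C:\\ProgramData\\tmp\\drv.sys "
    "Hashes=SHA256=" + "bb" * 32 + ",IMPHASH=" + "44" * 16 + " Signed=true "
    "Signature=Global Software LLC SignatureStatus=Valid",
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Note that the second sample would still be caught by the hash rule if the attacker had copied the old driver into System32\drivers, which is the case the blocklist exists for; the path heuristic only adds coverage for drivers the list does not know yet.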
Comments
h_b_s - 1 year ago
"Unfortunately, enabling Memory Integrity on devices that may not have newer drivers can be difficult."
Functionally impossible in most cases even if there are newer drivers available. The device manufacturer has to update their build process to properly push these out the door, change their signing certificates, revoke the certificates for the vulnerable driver, AND notify Microsoft that those certs have been revoked. Then Microsoft has to issue the revocations, publish the new certs, and users have to hope that Microsoft actually does so and something else doesn't break the revocation chain again - which is tenuous to begin with and doesn't keep up with how fast malicious hackers will adapt.
Waphle_Stomp - 1 year ago
The simple solution is to stop using Windows and switch to a secure OS. Every iteration of Windows is historically provable to have more security holes than a pasta sieve. Shiny be damned!!, I prefer a secure computer which protects my data; I'll stick to my combo of Debian and OpenBSD.
horsedoggs - 1 year ago
Good luck with that; the same thing would happen to Linux. Hackers will always find a way to exploit, regardless of OS choice.
Elko_NV - 1 year ago
Remote MS agents prefer insecurity, easier to repair =/ Ransomware aside, the remainder of the battle on Windows (or any OS) involves controlling unsolicited outgoing connections & attempts to extricate data - while being notified to block said action (or allow, & add to list.)
TsVk! - 1 year ago
Security through obscurity is not really security. But it does feel like it.
I'm a Debian user myself, but I'm not under any illusions that if Linux became the majority-share OS it wouldn't be the most targeted and compromised OS.
Sure it's a better model, and there's a lot to be said for root isolation, but I'm certain that could be made redundant if there was enough financial motivation.
Elko_NV - 1 year ago
& More....=0
"...There are a number of open-source exploits that demonstrate loading unsigned drivers via BYOVD. These four are some of the most well-known:
Stryker (using cpuz141.sys with CVE-2017-15303 and process explorer)
DSEFix (using CVE-2008-3841)
TDL (using CVE-2008-3841)
KDU (using multiple vulnerabilities including CVE-2015-2291, CVE-2018-19320, CVE-2019-18845, CVE-2019-16098, and CVE-2019-8372)
Each of these tools is authored by the same individual, hfiref0x. Stryker, DSEFix, and TDL are all deprecated or in read-only mode. Notably Stryker and DSEFix run afoul of PatchGuard and are no longer suitable for most situations. KDU, a tool that supports more than 14 different vulnerable drivers as the “provider,” is the unsigned driver loader of choice.
Once the attacker has loaded their unsigned driver into the kernel, they can accomplish a wide variety of tasks they wouldn’t be able to otherwise. Some obvious examples include unhooking EDR callbacks or hiding exploitation/rootkit artifacts. The attacker can write themselves a UEFI rootkit. Or just overwrite all data (resulting in BSoD). Or inject code into other processes.
Connor McGarr demonstrated Dell’s dbutil_2_3.sys (which is vulnerable to CVE-2021-21551) can be used to execute attacker code in kernel mode. Because the write-what-where condition persists in the follow-on drivers, dbutildrv2.sys 2.5 and 2.7, Dell has delivered three unique signed drivers that can execute attacker code in kernel mode.
LSA protection prevents non-protected processes from reading the memory of, or injecting code into, Windows' Local Security Authority Subsystem Service (lsass.exe). That means tools like Mimikatz can’t dump the memory contents of lsass.exe in order to retrieve Windows account credentials. However, an attacker with ring 0 access can reach into the lsass.exe EPROCESS struct and simply mask out the LSA protection. Once masked out, the attacker is free to dump lsass.exe’s memory. There are a couple of good open-source implementations of this: mimidrv (a signed driver that is part of mimikatz) and PPLKiller (uses RTCore64.sys)."