Latest BYOVD news

Lazarus hackers exploited Windows zero-day to gain Kernel privileges

North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD (Bring Your Own Vulnerable Driver) techniques.
- Bill Toulas
- February 28, 2024
- 12:24 PM
- 1
Kasseika ransomware uses antivirus driver to kill other antiviruses

A recently uncovered ransomware operation named 'Kasseika' has joined the club of threat actors that employs Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files.
- Bill Toulas
- January 23, 2024
- 02:58 PM
- 0
MATA malware framework exploits EDR in attacks on defense firms

An updated version of the MATA backdoor framework was spotted in attacks between August 2022 and May 2023, targeting oil and gas firms and the defense industry in Eastern Europe.
- Bill Toulas
- October 18, 2023
- 11:17 AM
- 0
Windows 10 KB5028244 update released with 19 fixes, improved security

Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks.
- Lawrence Abrams
- July 26, 2023
- 01:04 PM
- 9
Terminator antivirus killer is a vulnerable Windows driver in disguise

A threat actor known as Spyboy is promoting a Windows defense evasion tool called "Terminator" on the Russian-speaking forum RAMP (short for Russian Anonymous Marketplace).
- Sergiu Gatlan
- May 31, 2023
- 03:25 PM
- 0
Ransomware gangs abuse Process Explorer driver to kill security software

Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) Software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.
- Sergiu Gatlan
- April 19, 2023
- 01:46 PM
- 5
Hackers backdoor Windows devices in Sliver and BYOVD attacks

A new hacking campaign exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
- Bill Toulas
- February 06, 2023
- 04:00 PM
- 0
Scattered Spider hackers use old Intel driver to bypass security

A financially motivated threat actor tracked as Scattered Spider was observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection from EDR (Endpoint Detection and Response) security products.
- Bill Toulas
- January 11, 2023
- 04:55 PM
- 6
Microsoft fixes Windows vulnerable driver blocklist sync issue

Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions.
- Sergiu Gatlan
- October 26, 2022
- 05:22 AM
- 3
The Week in Ransomware - October 7th 2022 - A 20 year sentence

It was a very quiet week regarding ransomware news, with the most significant news being the sentencing of a Netwalker affiliate to 20-years in prison.
- Lawrence Abrams
- October 07, 2022
- 06:14 PM
- 0
BlackByte ransomware abuses legit driver to disable security products

The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.
- Bill Toulas
- October 05, 2022
- 03:44 PM
- 0
Lazarus hackers abuse Dell driver bug using new FudModule rootkit

The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.
- Bill Toulas
- October 01, 2022
- 10:05 AM
- 0