A financially motivated threat actor tracked as Scattered Spider has been seen attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade EDR (Endpoint Detection and Response) security solutions. With the BYOVD approach, attackers elevate their privileges in Windows by exploiting a kernel-mode driver that is known to be vulnerable.
Device drivers run in the operating system kernel, so by exploiting a bug in one of them, threat actors can execute code with the highest privileges in Windows. CrowdStrike became aware of this new tactic shortly after the cyber-intelligence company's earlier report on Scattered Spider was published at the beginning of last month. According to the latest CrowdStrike report, the hackers used the BYOVD technique in attempts to bypass SentinelOne, Palo Alto Networks Cortex XDR, and Microsoft Defender for Endpoint.
The Scattered Spider threat actor has been observed attempting to exploit CVE-2015-2291, a high-severity flaw in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls. Although this vulnerability was patched in 2015, threat actors can still abuse it by installing an outdated version of the driver on compromised devices.
Scattered Spider uses a small 64-bit kernel driver with 35 functions that Windows does not block because it is signed with several certificates stolen from signing authorities, including NVIDIA and Global Software LLC. The threat actors use these drivers to disable endpoint security products and reduce the visibility and preventive capabilities of defenders, so that they can set up the later stages of their operation on the targeted networks. Once the driver starts, it decrypts a hard-coded list of targeted security products and patches their drivers at hard-coded offsets.
Because of the malicious routine introduced by the patches, the security software drivers still appear to be running even though they no longer protect the machine. Although Scattered Spider has a very narrow and specific targeting scope, CrowdStrike cautions that no business can afford to dismiss the threat of BYOVD attacks. The media recently reported other prominent threat actors using BYOVD attacks to gain elevated Windows privileges during their breaches, including the BlackByte ransomware gang and the North Korean hacking group Lazarus.
In 2021, Microsoft attempted to address this well-known Windows security issue by creating a driver blocklist. Because Windows does not automatically block these drivers unless you are running Windows 11 2022 Update (released in September 2022) or later, the problem was not effectively resolved. According to an Ars Technica report from October, Microsoft only updated the driver blocklist with each major Windows release, leaving devices exposed to these kinds of attacks. Since then, Microsoft has released patches that correct this servicing process and update the driver blocklist properly.
To defend against these BYOVD threats, Microsoft recommends that Windows users enable the driver blocklist. Instructions for activating the blocklist through Windows Memory Integrity or Windows Defender Application Control (WDAC) are available in Microsoft's support article. Unfortunately, enabling Memory Integrity on devices that do not have up-to-date drivers can be challenging.
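As an added defender-side example (not from the article or the CrowdStrike report), the following PowerShell audit checks whether the vulnerable driver blocklist and Memory Integrity (HVCI) are active and lists loaded kernel drivers whose Authenticode signature is invalid or not Microsoft-issued for manual review. It assumes Windows 10/11 with PowerShell 5.1 or later, an elevated prompt, and the documented `VulnerableDriverBlocklistEnable` registry value (present on Windows 11 22H2 and later).

```powershell
# Added audit script for the BYOVD mitigations discussed above (example code, not
# from CrowdStrike or the article). Run from an elevated PowerShell prompt.

function Get-DriverBlocklistStatus {
    # Assumed present on Windows 11 22H2+: 1 = Microsoft vulnerable driver blocklist on.
    $ciKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI (Memory Integrity) runs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklist = ($blocklist -eq 1)
        MemoryIntegrityRunning    = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)
    }
}

function Get-DriversForReview {
    # Running kernel drivers whose signature is not valid or whose signer is not Microsoft.
    # Third-party drivers such as the outdated Intel diagnostics driver (CVE-2015-2291)
    # would land in this list; it is a review queue, not a verdict.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
}

$status = Get-DriverBlocklistStatus
if (-not $status.VulnerableDriverBlocklist) { Write-Warning 'Vulnerable driver blocklist is not enabled.' }
if (-not $status.MemoryIntegrityRunning)    { Write-Warning 'Memory Integrity (HVCI) is not running.' }
Get-DriversForReview | Sort-Object Status, Signer | Format-Table -AutoSize
```

Legitimate vendor drivers will also appear in the review list; compare the flagged files against your hardware inventory and Microsoft's published blocklist before acting on them.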