An attack type that is gaining popularity among hackers is the so-called “bring your own vulnerable driver” (BYOVD) attack, which is exactly what the BlackByte ransomware operators are doing: exploiting a vulnerability in a legitimate, signed Windows driver to render security solutions inert.
Sophos threat researcher Andreas Klopsch explained, "The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection."
As mentioned above, BYOVD is an attack technique by which threat actors abuse flaws in legitimate, signed drivers to obtain kernel-level access, and with it control of the targeted systems.
In recent years, the flaws that exist in many signed drivers have been exploited in ever greater volumes by nation-state threat actors, including InvisiMole, APT28, Slingshot and, most recently, the Lazarus Group.
The BlackByte ransomware group is believed to be a splinter cell that sprang from the now-disbanded Conti group. BlackByte is thought to be a cybercrime crew that targets organizations of all sizes under a ransomware-as-a-service (RaaS) model.
Per Sophos’ write-up, the group’s recent attacks have exploited a privilege escalation and code execution flaw (tracked as CVE-2019-16098, CVSS score 7.8) in the Micro-Star MSI Afterburner RTCore64.sys driver to disable many security products.
BlackByte is only the latest of many ransomware deployers to have embraced the BYOVD method, following in the footsteps of AvosLocker and RobbinHood. Those two groups abused flaws in asWarPot.sys and gdrv.sys (CVE-2018-19320), respectively, to kill processes that endpoint protection software depends on.
The best protection against BYOVD attacks is to keep track of the drivers on your systems and update them when security patches are available. Alternatively, organizations can denylist drivers that are known to be exploitable. Managing risks such as those posed by drivers effectively means implementing a security program that includes sound change management, which is where Webcheck Security can provide assistance.
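The two recommendations above (know which drivers are on your systems, and denylist the ones known to be exploitable) can be turned into a routine check. The PowerShell script below is an added example, not code from the original post or from Sophos: it inventories the kernel drivers currently running on a Windows host, records each one's SHA-256 hash and Authenticode signature status, and flags any whose file name or hash appears in a denylist. The denylist is seeded with the three driver names mentioned in this post; the hash values in it are placeholders, not real hashes, and the inventory relies only on the standard `Win32_SystemDriver` CIM class and the built-in `Get-FileHash` and `Get-AuthenticodeSignature` cmdlets.

```powershell
# Added example (not from the original post): inventory running kernel drivers and
# flag any that appear on a denylist of known-exploitable drivers.
# Run from an elevated PowerShell session so every driver file is readable.

# Denylist keyed by lower-case file name; each value is a list of SHA-256 hashes of
# known-bad builds. The hashes below are PLACEHOLDERS, not real values. Populate them
# from a maintained source such as Microsoft's vulnerable driver blocklist.
$Denylist = @{
    'rtcore64.sys' = @('<SHA256-PLACEHOLDER-1>')   # MSI Afterburner driver named in the post (CVE-2019-16098)
    'gdrv.sys'     = @('<SHA256-PLACEHOLDER-2>')   # driver named in the post (CVE-2018-19320)
    'aswarpot.sys' = @('<SHA256-PLACEHOLDER-3>')   # driver named in the post
}

function Get-LoadedDriverInventory {
    # Win32_SystemDriver lists kernel drivers registered as services; keep only running ones.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName is sometimes prefixed with \??\ ; strip it so the path resolves.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (Test-Path -LiteralPath $path) {
                $sig  = Get-AuthenticodeSignature -FilePath $path
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Name      = $_.Name
                    Path      = $path
                    SHA256    = $hash
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status
                }
            }
        }
}

function Test-DriverDenylist {
    param([Parameter(ValueFromPipeline)] $Driver)
    process {
        $file = [System.IO.Path]::GetFileName($Driver.Path).ToLower()
        $hit  = $false
        $why  = @()
        if ($Denylist.ContainsKey($file)) {
            $hit  = $true
            $why += "file name '$file' is on the denylist"
            if ($Denylist[$file] -contains $Driver.SHA256) { $why += 'hash matches a denylisted build' }
        }
        # BYOVD abuses drivers whose signature IS valid, so a valid signature is context, not a pass.
        if ($Driver.SigStatus -ne 'Valid') { $why += "signature status: $($Driver.SigStatus)" }
        $Driver |
            Add-Member -NotePropertyName Flagged -NotePropertyValue $hit -PassThru |
            Add-Member -NotePropertyName Reason  -NotePropertyValue ($why -join '; ') -PassThru
    }
}

# Usage: list every running driver, denylisted ones first.
Get-LoadedDriverInventory | Test-DriverDenylist |
    Sort-Object -Property Flagged -Descending |
    Format-Table Name, SigStatus, Flagged, Reason -AutoSize
```

Two caveats for anyone putting this into practice. First, matching on file name alone is weak, because a driver can be dropped under any name; the hash list is the part that matters, and it should be fed from a maintained blocklist rather than hand-typed. Second, this is a point-in-time snapshot: a driver that was loaded, used to kill security processes, and then unloaded will not appear in it, so pair the snapshot with driver-load event logging (for example Sysmon's DriverLoad event, ID 6) to catch transient loads.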
Our Fractional Information Security Officer (FISO) consultants can provide your organization with the security leadership you need to secure your operations, become compliant with well-established security standards, and obtain compliance certifications. Contact Webcheck today to set up a conversation about how we can best help you!