
BYO-Bug Tactic Attacks Windows Kernel with Outdated Driver
2020-02-10 21:07

Specifically, according to the research, they use the Gigabyte driver to modify the Windows kernel in memory - and the kernel loads the driver as a legitimate "patch" because it carries a valid code signature.

Once that's loaded, they can then exploit that driver using the known vulnerability in order to load their own, unsigned, malicious driver.

"The malware authors abuse this vulnerability in order to disable driver signature enforcement in Windows - on-the-fly, in kernel memory, by changing a single variable that lives in kernel space. Once driver signature enforcement is disabled, the attackers are able to load their unsigned malicious driver," said researchers.

"The process handles opened by the malicious driver are kernel handles, and kernel handles cannot be filtered. So, the malicious kernel driver can kill these processes without interference of endpoint security controls."

"There are many other vulnerable drivers in addition to the Gigabyte driver that these or other attackers may choose to abuse later, such as ones from VirtualBox, Novell, CPU-Z, or ASUS. But in these attacks, we've only seen the Gigabyte driver being abused in this way."
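The two-stage chain the researchers describe (a signed but vulnerable driver is loaded first, then an unsigned driver appears once signature enforcement has been switched off) is something a SOC can look for in driver-load telemetry. The script below is an added example, not code from Threatpost or the researchers quoted above. It parses Sysmon Event ID 6 (DriverLoad) records flattened to one key=value line each and raises a high-severity alert when an unsigned driver loads shortly after a driver whose hash is on a vulnerable-driver blocklist. The log lines, the paths, the signer names, the hash values and the blocklist entry are all constructed for the example; a real deployment would populate the blocklist from a maintained source such as the vendor names listed in the article or Microsoft's vulnerable driver blocklist.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Sysmon Event ID 6 (DriverLoad) records flattened to key=value lines.
# Field names follow Sysmon (ImageLoaded, Hashes, Signed, Signature, SignatureStatus);
# every path, hash and signer value below is made up for this example.
SAMPLE_LOG = """\
2020-02-10T20:58:01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys Hashes=SHA256=1111 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
2020-02-10T21:02:14 EventID=6 ImageLoaded=C:\\Users\\Public\\vendor_tool.sys Hashes=SHA256=DEADBEEF Signed=true Signature="Example Hardware Vendor" SignatureStatus=Valid
2020-02-10T21:02:19 EventID=6 ImageLoaded=C:\\Users\\Public\\payload.sys Hashes=SHA256=CAFEBABE Signed=false Signature= SignatureStatus=Unavailable
"""

# Placeholder blocklist: SHA-256 hashes of drivers with publicly known kernel
# read/write bugs. The single entry is a constructed value, not a real IoC.
KNOWN_VULNERABLE_SHA256: Dict[str, str] = {
    "DEADBEEF": "placeholder: signed vendor driver with a known kernel write primitive",
}

# How close together the two loads must be to be treated as one chain (assumed value).
CHAIN_WINDOW = timedelta(minutes=10)

# key=value pairs; values may be double-quoted (signer names contain spaces).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


@dataclass
class DriverLoad:
    time: datetime
    image: str
    sha256: str
    signed: bool
    signer: str


def parse_line(line: str) -> DriverLoad:
    """Turn one flattened Sysmon DriverLoad line into a DriverLoad record."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    # Sysmon packs several hashes as "ALG=value,ALG=value"; keep the SHA-256.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        time=datetime.fromisoformat(ts),
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").upper(),
        signed=fields.get("Signed", "").lower() == "true",
        signer=fields.get("Signature", ""),
    )


def detect_byovd(log_text: str) -> List[str]:
    """Return alert strings for the chain described in the article: a signed but
    vulnerable driver load followed, within CHAIN_WINDOW, by an unsigned driver load."""
    alerts: List[str] = []
    recent_vulnerable: List[DriverLoad] = []
    for raw in log_text.splitlines():
        if not raw.strip() or "EventID=6" not in raw:
            continue
        ev = parse_line(raw)
        if ev.sha256 in KNOWN_VULNERABLE_SHA256:
            alerts.append(f"MEDIUM vulnerable driver loaded: {ev.image} (signer: {ev.signer})")
            recent_vulnerable.append(ev)
        if not ev.signed:
            # With driver signature enforcement intact this should not happen on a
            # production system; right after a vulnerable driver it matches the chain.
            chain = [v for v in recent_vulnerable if ev.time - v.time <= CHAIN_WINDOW]
            if chain:
                gap = int((ev.time - chain[-1].time).total_seconds())
                alerts.append(
                    f"HIGH unsigned driver {ev.image} loaded {gap}s after vulnerable driver "
                    f"{chain[-1].image}: possible BYOVD / DSE bypass"
                )
            else:
                alerts.append(f"MEDIUM unsigned driver loaded: {ev.image}")
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_LOG):
        print(alert)
```

The unsigned-driver rule is worth keeping on its own even without a blocklist hit: on a machine that is not in test-signing mode, an unsigned driver load is itself evidence that signature enforcement has been tampered with, which is exactly the single-variable change the researchers describe. The blocklist hit alone stays at medium severity because the same vendor drivers are also found on legitimate systems.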


News URL

https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kernel 4 2 9 5 0 16