BlackByte ransomware abuses legit driver to disable security products
2022-10-05 19:44

The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.

Exploiting the security issue allowed BlackByte to disable drivers that prevent multiple endpoint detection and response and antivirus products from operating normally.

Security researchers at cybersecurity company Sophos explain that the abused MSI graphics driver offers I/O control codes directly accessible by user-mode processes, which violates Microsoft's security guidelines on kernel memory access.

The attackers then exploit the driver's vulnerability to remove Kernel Notify Routines that correspond to security tool processes.

The retrieved callback addresses are used to derive the name of the driver each callback belongs to, and those names are compared against a list of 1,000 targeted drivers that support the operation of AV/EDR tools.

System administrators can protect against BlackByte's new security bypassing trick by adding the particular MSI driver to an active blocklist.

News URL

https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/