Security News > 2022 > October > BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions
In yet another case of bring your own vulnerable driver attack, the operators of the BlackByte ransomware are leveraging a flaw in a legitimate Windows driver to bypass security solutions.
"The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos threat researcher Andreas Klopsch said in a new technical write-up.
BYOVD is an attack technique that involves threat actors abusing vulnerabilities in legitimate, signed drivers to achieve successful kernel-mode exploitation and seize control of compromised machines.
Weaknesses in signed drivers have been increasingly co-opted by nation-state threat groups in recent years, including Slingshot, InvisiMole, APT28, and most recently, the Lazarus Group.
What's more, an analysis of the ransomware sample has uncovered multiple similarities between the EDR bypass implementation and that of a C-based open source tool called EDRSandblast, which is designed to abuse vulnerable signed drivers to evade detection.
To protect against BYOVD attacks, it's recommended to keep track of the drivers installed on the systems and ensure they are up-to-date, or opt to blocklist drivers known to be exploitable.
News URL
https://thehackernews.com/2022/10/blackbyte-ransomware-abuses-vulnerable.html
Related news
- Windows 10 users urged to upgrade to avoid "security fiasco" (source)
- Security pros baited with fake Windows LDAP exploit traps (source)
- 7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now (source)
- Microsoft: January Windows security updates break audio playback (source)
- Security pros more confident about fending off ransomware, despite being battered by attacks (source)
- Microsoft shares workaround for Windows security update issues (source)