Scattered Spider Seen Using the Bring-Your-Own-Vulnerable-Driver Tactics

Many students or young adults will be familiar with the phrase Bring-Your-Own-Booze (BYOB), which means the person hosting the party is certainly not providing you with drinks. There is something similar in the cyber security sector, but it promises even less of a good time. The Bring-Your-Own-Vulnerable-Driver tactic, referred to from here on simply as BYOVD, allows an attacker to use legitimately signed, but vulnerable, drivers to perform malicious actions on systems.
The vulnerable driver is installed onto the compromised machine and used to grant the attacker privileged access which in turn is used to drop malware payloads onto the now thoroughly compromised system.

The BYOVD technique has been used frequently against Windows machines over the past decade, and attackers continue to use it because the operating system's vulnerable-driver blocklist is not being updated correctly, according to security researchers.
This publication previously covered this topic when security researchers discovered that everybody’s favorite North Korean nation-state group Lazarus was using this tactic to compromise select targets.
Now, according to a new report by Crowdstrike, the financially motivated hacking group Scattered Spider is using a vulnerable Intel Ethernet driver to compromise Windows machines. Further, according to Crowdstrike, Scattered Spider was using the BYOVD tactic to bypass endpoint protection software such as Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
The vulnerability in the driver used by Scattered Spider in the attack attempts analyzed by Crowdstrike is tracked as CVE-2015-2291. For those familiar with vulnerability naming conventions, you’ll see this one is dated to 2015 and the ques ..
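A defender-side check for the pattern described above (a validly signed driver that is nonetheless known to be exploitable, on a host whose blocklist may be stale), written as an added PowerShell example; it is not code from the article or from Crowdstrike's report. The hash list is a constructed placeholder to be filled from a vetted source, and the registry value name for the blocklist toggle is assumed to match Microsoft's documentation.

```powershell
# Added example (not from the article): inventory installed kernel drivers on a
# Windows host, record signature status and SHA256, and flag any that match a
# list of known-vulnerable driver hashes.
# Assumptions: $KnownVulnerableSha256 is a PLACEHOLDER list; the registry value
# below is the documented toggle for the Microsoft Vulnerable Driver Blocklist.

# 1. Is the Microsoft Vulnerable Driver Blocklist enabled on this host?
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
if ($blocklist -and $blocklist.VulnerableDriverBlocklistEnable -eq 1) {
    Write-Host 'Vulnerable driver blocklist: ENABLED'
} else {
    Write-Warning 'Vulnerable driver blocklist: not enabled or not present on this build'
}

# 2. CONSTRUCTED placeholder hashes; replace with values from a vetted source
#    (e.g. Microsoft's recommended driver block rules).
$KnownVulnerableSha256 = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_2'
)

# 3. Enumerate kernel drivers, normalise their on-disk path, then hash and check the signer.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ or \SystemRoot\ prefix that Test-Path cannot use
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -Path $path)) { return }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            Path      = $path
            Sha256    = $hash
            SigState  = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            KnownVuln = $KnownVulnerableSha256 -contains $hash
        }
    }

# 4. A driver with a Valid signature AND a hash on the vulnerable list is the BYOVD
#    pattern; drivers with a non-Valid signature are listed for review as well.
$drivers | Where-Object { $_.KnownVuln -or $_.SigState -ne 'Valid' } |
    Sort-Object KnownVuln -Descending |
    Format-Table Name, State, SigState, KnownVuln, Signer -AutoSize
```

Run from an elevated prompt so every driver file on disk is readable; a hit on KnownVuln for a driver in the Running state warrants immediate incident-response triage rather than just a blocklist update.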
