Many students or young adults will be familiar with the phrase Bring-Your-Own-Booze (BYOB) to denote that the person hosting the party is certainly not providing you drinks. There is something similar in the cyber security sector but it promises even less of a good time. The Bring-Your-Own-Vulnerable-Driver, referred to here on as just BYOVD, tactic allows the attacker to use legitimately signed, but vulnerable, drivers to perform malicious actions on systems.
The vulnerable driver is installed onto the compromised machine and used to grant the attacker privileged access which in turn is used to drop malware payloads onto the now thoroughly compromised system.
The BYOD technique has been frequently used against Windows machines over the past decade, and hackers continue to use it because the operating system's vulnerable-driver blocklist is not being updated correctly, according to security researchers.
This publication previously covered this topic when security researchers discovered that everybody’s favorite North Korean nation-state group Lazarus was using this tactic to compromise select targets.
Now, according to a new report by Crowdstrike, the financially motivated hacking group Scattered Spider is using a vulnerable Intel Ethernet driver to compromise Windows machines. Further, according to Crowdstrike, Scattered Spider was using the BYOVD tactic to hackers to bypass endpoint protection software like Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
The vulnerable driver used by Scattered Spider in attack attempts analyzed by Crowdstrike is CVE-2015-2291. For those familiar with vulnerability naming conventions you’ll see this one is dated to 2015 and the question naturally arises why has the flaw not been patched?
It has, and was in 2015, the threat actors purposefully use unpatched vulnerable drivers and install them on a machine in turn making that device now vulnerable to attack.
Further, even if the victim has a patched version of the driver, the attackers coded malware to find the patched version and replace it with the vulnerable one. Crowdstrike researchers explained further,
“The malicious driver then finds the target driver using the same method and patches it, in memory, at hard-coded offsets. The patching routine operates on a list where each element represents a hook structure that contains a pointer to the target function, a pointer to the malware routine and trampoline code to invoke that routine. The installed malware routines signal success to the Falcon sensor in every case even though the routines perform no operation.”
In 2021, Microsoft announced that it was looking to bolster the operating system's kernel security in an attempt to prevent BYOVD attacks. In an article published by Microsoft, it was stated,
“Increasingly, adversaries are leveraging legitimate drivers in the ecosystem and their security vulnerabilities to run malware…drivers with confirmed security vulnerabilities will be blocked on Windows 10 devices in the ecosystem using Microsoft Defender for Endpoint attack surface reduction (ASR) and Microsoft Windows Defender Application Control (WDAC) technologies to protect devices against exploits involving vulnerable drivers to gain access to the kernel.”
Sadly, despite these actions, security researchers have found several ways hackers have used signed vulnerable drivers to bypass this security requirement. In Crowdstrike’s research, it was found that the attackers used stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate to bypass Microsofts signed certificate requirement.
To help mitigate this threat researchers have advised network admins to ensure they can locate and patch the vulnerable Intel Ethernet Driver specified in CVE-2015-2291. Further despite flaws in Microsoft’s verification process organizations should still prioritize the patching of vulnerable drivers can help mitigate this and similar attack vectors involving signed driver abuse.
Scattered Spider’s Other Tactics
Not long before Scattered Spider began using the BYOVD attack tactic, Crowdstrike released a report detailing another campaign of the above mentioned financially motivated group. This time the hacker group was targeting telecommunications and business process outsourcing (BPO) companies to gain access to mobile carrier networks and perform SIM swap attacks.
The campaign began in June 2022, with hackers setting up persistence mechanisms as well as reversing mitigation applied by network admins on targeted networks.
Initial access was gained via the threat actor leveraging social engineering tactics, including via phone calls, SMSes, and Telegram messages impersonating IT staff, to trick victims into entering their credentials on a phishing page, or downloading and installing remote monitoring tools controlled by the attackers.
If those tactics failed, threat actors would contact staff directly to try and trick them into giving one-time pins or multifactor authentication codes in an attempt to gain access to the victim’s IT infrastructure.
Once compromised, threat actors were seen deploying virtual private networks (VPNs) and remote access tools as the second phase of the operation to further assist in dropping payloads and preventing detection from security software packages. To prevent exploitation by Scattered Spider using these tactics Crowdstrike advised,
“In all investigations performed by CrowdStrike incident responders, the faster the organization implemented swift and bold security measures, the faster the adversary activity ceased. These containment and mitigation measures focused on secure identity and MFA controls and configurations, as highlighted below.”