A financially motivated threat actor tracked as Scattered Spider was observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response) security products.
The BYOVD technique involves threat actors loading a legitimately signed kernel-mode driver with a known exploitable vulnerability onto the victim system, then exploiting that flaw to gain higher privileges in Windows.
Because device drivers have kernel access to the operating system, exploiting a flaw in them allows threat actors to execute code with the highest privileges in Windows.
CrowdStrike saw this new tactic right after the publication of the cyberintelligence firm's previous report on Scattered Spider at the start of last month.
According to the latest CrowdStrike report, the hackers attempted to use the BYOVD method to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
Disabling security products
CrowdStrike reports that the Scattered Spider threat actor was seen attempting to exploit CVE-2015-2291, a high-severity vulnerability in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls.
Although this vulnerability was fixed in 2015, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.
The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions, signed with various certificates stolen from signing authorities such as NVIDIA and Global Software LLC, so Windows does not block it.
The threat actors use these drivers to disable endpoint security products and limit the defenders’ visibility and prevention capabilities, laying the ground for subsequent phases of their operation on the targeted networks.
Upon startup, the driver decrypts a hard-coded string of targeted security products and patches the target drivers at hard-coded offsets.
The injected malware routine ensures that the security software drivers still appear to be functioning normally even though they no longer protect the computer.
CrowdStrike says Scattered Spider has a very narrow and specific targeting scope but warns that no organization can afford to ignore the possibility of BYOVD attacks.
Recently, we reported on other high-profile threat actors, such as the BlackByte ransomware gang and the North Korean hacking group Lazarus, using BYOVD attacks to give their intrusions elevated Windows privileges.
A long-standing Windows problem
Microsoft tried to fix this known security problem on Windows by introducing a blocklist in 2021.
However, the issue was not addressed decisively, as Windows does not block these drivers by default unless you run Windows 11 2022 or later, which came out in September 2022.
Even worse, as Ars Technica reported in October, Microsoft only updated the driver block list on every major release of Windows, leaving devices vulnerable to these types of attacks. Microsoft has since released updates that fix this servicing pipeline so the driver block list is updated properly.
Microsoft recommends that Windows users enable the driver blocklist to protect against these BYOVD attacks. This support article provides information on enabling the blocklist using the Windows Memory Integrity feature or Windows Defender Application Control (WDAC).
Unfortunately, enabling Memory Integrity on devices that may not have newer drivers can be difficult.
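As an added defender-side check (not code from CrowdStrike, Microsoft, or the article), the following PowerShell reports whether the two mitigations named above, Memory Integrity (HVCI) and the Microsoft vulnerable driver blocklist, are active on a host, and inventories the running kernel drivers with their Authenticode signers so an unexpected, recently written driver can be reviewed. It assumes an elevated prompt on the Windows host being checked; the registry value name used for the blocklist toggle is the one Microsoft documents for that setting.

```powershell
# Added defender-side check, not from the CrowdStrike or Microsoft material above.
# Reports whether Memory Integrity (HVCI) and the Microsoft vulnerable driver
# blocklist are on, then lists running kernel drivers with their Authenticode
# signer. Run from an elevated PowerShell prompt on the Windows host being checked.

function Get-HvciStatus {
    # Win32_DeviceGuard: the value 2 in SecurityServicesRunning means HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'unknown (DeviceGuard class unavailable)' }
    if ($dg.SecurityServicesRunning -contains 2) { return 'running' }
    if ($dg.SecurityServicesConfigured -contains 2) { return 'configured, not running' }
    return 'off'
}

function Get-DriverBlocklistStatus {
    # Registry toggle Microsoft documents for the vulnerable driver blocklist.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($null -eq $val) { return 'not set (OS default applies)' }
    if ($val -eq 1) { return 'enabled' } else { return 'disabled' }
}

function Get-RunningDriverSigners {
    # Inventory of running kernel drivers with signer and file timestamp. A driver
    # signed with a stolen certificate can still report Status = Valid, so the
    # signer name and a recent file write time are the columns worth reviewing.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object State -eq 'Running' |
      ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', ''                 # drop \??\ prefix
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot          # expand \SystemRoot
        if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }
        $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $_.Name
            Path        = $p
            Status      = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            FileWritten = (Get-Item -LiteralPath $p -ErrorAction SilentlyContinue).LastWriteTime
        }
      }
}

"Memory Integrity (HVCI): $(Get-HvciStatus)"
"Vulnerable driver blocklist: $(Get-DriverBlocklistStatus)"
# Surface non-Microsoft or non-Valid drivers, newest file first, for analyst review.
Get-RunningDriverSigners |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object FileWritten -Descending | Format-Table Name, Status, Signer, FileWritten -AutoSize
```

The signer list will include every legitimate third-party driver on the host, so it is a review aid rather than an alert; compare it against a known-good baseline from a clean build of the same image.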