Cybersecurity researchers at Sophos recently detailed how a technique known as Bring Your Own Vulnerable Driver works and the dangers it poses to companies around the world.
According to the company’s research, operators of the BlackByte ransomware are exploiting the vulnerability tracked as CVE-2019-16098. It is located in RTCore64.sys and RTCore32.sys, the drivers used by MSI Afterburner, a GPU overclocking utility from Micro-Star International that gives users more control over their hardware.
The vulnerability allows authenticated users to read and write to arbitrary memory, leading to elevation of privilege, code execution, and data theft — and in this case helped BlackByte disable more than 1,000 drivers required for security products to operate.
“They will likely continue to abuse legitimate drivers to bypass security products,” Sophos said in a blog post outlining the threat.
To protect against this attack method, Sophos recommends that IT administrators add these specific MSI drivers to an active block list and ensure that they are not running on their endpoints. Additionally, they should closely monitor all drivers installed on their devices and regularly scan endpoints for the Afterburner driver appearing on machines that have no matching MSI hardware or software to justify it.
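One way to act on the recommendation above from the administrator's side, as an added example rather than Sophos's or MSI's own tooling: the PowerShell below inventories the kernel drivers registered on a Windows host, flags the two driver names from the article, records whether each is currently loaded, and warns when the driver is present without the Afterburner application. The Afterburner install paths and the empty hash list are assumptions to adjust for your environment.

```powershell
# Added example: audit a Windows endpoint for the MSI Afterburner drivers named in the article.
# Driver names come from the article; install paths and the hash list are assumptions.
$BlockedDriverNames = @('RTCore64.sys', 'RTCore32.sys')

# Placeholder: fill with SHA-256 hashes your organisation has verified for the vulnerable builds.
$KnownBadHashes = @()

function Get-SuspectDrivers {
    # Win32_SystemDriver lists kernel drivers registered as services, whether loaded or not.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        # Normalise the two path forms WMI returns: "\??\C:\..." and "\SystemRoot\System32\...".
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $leaf = if ($path) { Split-Path -Leaf $path } else { "$($drv.Name).sys" }
        $nameHit = $BlockedDriverNames -contains $leaf
        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $hashHit = $hash -and ($KnownBadHashes -contains $hash)
        if ($nameHit -or $hashHit) {
            [pscustomobject]@{
                Service   = $drv.Name
                Path      = $path
                State     = $drv.State          # 'Running' means the driver is loaded right now
                StartMode = $drv.StartMode
                SHA256    = $hash
                Reason    = if ($hashHit) { 'known-bad hash' } else { 'blocked driver name' }
            }
        }
    }
}

# Assumed default install locations of the Afterburner application. A driver present with
# no application beside it is the "no matching hardware/software" case the article warns about.
function Test-AfterburnerInstalled {
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $candidates = $roots | ForEach-Object { Join-Path $_ 'MSI Afterburner\MSIAfterburner.exe' }
    return [bool]($candidates | Where-Object { Test-Path -LiteralPath $_ })
}

$hits = @(Get-SuspectDrivers)
if ($hits.Count -eq 0) {
    Write-Host 'No blocked MSI drivers registered on this host.'
} else {
    $hits | Format-Table -AutoSize
    if (-not (Test-AfterburnerInstalled)) {
        Write-Warning 'Vulnerable driver present without MSI Afterburner installed: investigate as possible BYOVD.'
    }
}
```

Run it elevated so Get-FileHash can read files under the drivers directory; a 'Running' state on a flagged row means the driver is loaded, not merely registered.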
Bring Your Own Vulnerable Driver may be a new method, but its popularity is growing rapidly. Earlier this week, North Korea’s notorious state-sponsored Lazarus Group used the same technique against Dell. Cybersecurity researchers at ESET recently saw the group reaching out to aerospace experts and political journalists in Europe with fake job offers from Amazon. They shared fake job description PDF files that were, in effect, old, vulnerable Dell drivers.
What makes this technique particularly dangerous is that these drivers are not malicious in themselves and are not flagged as such by antivirus solutions.
Via: BleepingComputer