CrowdStrike says cybercrime gang Scattered Spider has exploited longtime Windows security issues to use bring-your-own-vulnerable-driver (BYOVD) techniques against its own and other endpoint tools.

The Scattered Spider cybercrime group has recently been observed attempting to deploy a malicious kernel driver using a tactic called bring your own vulnerable driver (BYOVD) — a warning to security professionals that the technique, which exploits longstanding deficiencies in Windows kernel protections, is still being employed by cybercriminals, according to cybersecurity company CrowdStrike.

In this latest BYOVD attack, which was observed and stopped by CrowdStrike’s Falcon security system, Scattered Spider attempted to deploy a malicious kernel driver via a vulnerability — CVE-2015-2291 in MITRE’s Common Vulnerability and Exposures program — in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).

The Intel Ethernet diagnostics driver vulnerability allows users to cause a denial of service or possibly execute arbitrary code with kernel privileges in Windows, according to the NIST National Vulnerability Database.

“CrowdStrike customers should ensure they have the ability to locate and patch the vulnerable Intel Display Driver specified in CVE-2015-2291. Prioritizing the patching of vulnerable drivers can help mitigate this and similar attack vectors involving signed driver abuse,” CrowdStrike said in a blog about the Scattered Spider exploit.

What is bring your own vulnerable driver (BYOVD)?

BYOVD attacks generally use legitimately signed, but vulnerable, drivers to perform malicious actions on systems. In a BYOVD attack, the attacker can use the vulnerabilities in the drivers to execute malicious actions with kernel-level privileges. “Publicly available tools, such as KDMapper, allow adversaries to easily take advantage of BYOVD to map non-signed drivers into memory,” CrowdStrike said.
The BYOVD technique has been frequently used against Windows over the past decade, and cybercriminals continue to use it because the operating system has not been correctly updating its vulnerable-driver blocklist, according to researchers.

In 2021, Microsoft stated that drivers with confirmed security vulnerabilities would be blocked by default on Windows 10 devices with Hypervisor-Protected Code Integrity (HVCI) enabled, via blocklists that are automatically updated via Windows Update.

Vulnerable drivers still an issue for Windows

Various researchers and cybersecurity companies including Sophos, however, have observed that successful BYOVD attacks against Windows have continued, and blocklists of vulnerable drivers used by Windows security features have not appeared to be updating regularly.

After BYOVD exploits were reported in late 2022, Microsoft issued various statements indicating that it was working on the problem, for example telling Ars Technica, “The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions. We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”

But BYOVD attacks persist. CrowdStrike said Scattered Spider tried “to use the privileged driver space provided by the vulnerable Intel driver to overwrite specific routines in the CrowdStrike Falcon sensor driver … this was prevented by the Falcon sensor and immediately escalated to the customer with human analysis.”

In the past months, Scattered Spider was observed attempting to bypass other endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne, CrowdStrike noted.
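Because the Windows blocklist can lag, one compensating check defenders use is to review kernel driver-load telemetry for the vulnerable driver named in this article, for drivers whose signature is not valid, and for test-signed drivers. The script below is an added example, not CrowdStrike's or Microsoft's code; it assumes Sysmon Event ID 6 (DriverLoad) records exported as JSON lines with the fields ImageLoaded, Signed, Signature and SignatureStatus, and the sample records are constructed.

```python
"""Flag suspicious kernel-driver loads in Sysmon Event ID 6 (DriverLoad) records."""
import json

# Vulnerable Intel diagnostics driver named in the article (CVE-2015-2291). A real
# deployment would also key on hashes from Microsoft's vulnerable-driver blocklist.
VULNERABLE_DRIVER_NAMES = {"iqvw64.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample records (JSON lines; field names assumed to follow Sysmon's
# DriverLoad schema). Not real telemetry.
SAMPLE_EVENTS = "\n".join([
    r'{"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}',
    r'{"ImageLoaded": "C:\\Users\\Public\\iqvw64.sys", "Signed": "true", "Signature": "Intel Corporation", "SignatureStatus": "Valid"}',
    r'{"ImageLoaded": "C:\\Users\\Public\\helper.sys", "Signed": "true", "Signature": "WDKTestCert user,1234", "SignatureStatus": "Valid"}',
    r'{"ImageLoaded": "C:\\Users\\Public\\drv.sys", "Signed": "true", "Signature": "NVIDIA Corporation", "SignatureStatus": "Expired"}',
])


def classify(event: dict) -> list[str]:
    """Return the reasons a single DriverLoad event deserves analyst attention."""
    path = event["ImageLoaded"]
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver {name}")
    # A valid signature is exactly what BYOVD abuses, so "signed" is not a pass
    # by itself; an invalid, expired or revoked signature is an immediate flag.
    if event["Signed"].lower() != "true" or event["SignatureStatus"] != "Valid":
        reasons.append(f"signature status {event['SignatureStatus']}")
    # Heuristic: Windows test-signing certificates should never load in production.
    if "testcert" in event["Signature"].replace(" ", "").lower():
        reasons.append("test-signed driver")
    if not path.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system driver directory")
    return reasons


def scan(jsonl: str) -> dict[str, list[str]]:
    """Map each flagged driver path to its reasons; clean loads are omitted."""
    flagged = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```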
The company said that it has identified various versions of a malicious driver that are signed by different certificates and authorities, including stolen certificates originally issued to Nvidia and Global Software LLC, and a self-signed test certificate.

“The intent of the adversary is to disable the endpoint security products’ visibility and prevention capabilities so the actor can further their actions on objectives,” CrowdStrike said.

Social engineering provides initial access

In most of the investigations conducted by CrowdStrike since June 2022, the initial access to systems was achieved by Scattered Spider through social engineering, where the adversary leveraged phone calls, SMS and/or Telegram messages to impersonate IT staff.

In a December report detailing these access methods, the company said that in the attacks, the adversary instructed victims to either navigate to a credential-harvesting website containing the company logo and enter their credentials, or download a remote monitoring management tool that would allow the adversary to remotely connect and control their system.

If multifactor authentication (MFA) was enabled, the adversary would either engage the victim directly by convincing them to share their one-time password, or indirectly by continuously prompting the victim user until they accepted the MFA push challenge, CrowdStrike said.

“Having obtained access, the adversary avoids using unique malware, instead favoring a wide range of legitimate remote management tools to maintain persistent access,” CrowdStrike said.

Scattered Spider — also known as Roasted 0ktapus, and UNC3944 — has been busy. In its December report, CrowdStrike attributed (with low confidence) an intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies to Scattered Spider.
Though CrowdStrike this week said that the latest BYOVD activity also appears to target specific industries, organizations in all sectors should apply best security practices to defend against vulnerable drivers as well as attacks that use other exploits.

“As the adversary is largely leveraging valid accounts as the initial access vector, additional scrutiny of legitimate login activity and two-factor authentication approvals from unexpected assets, accounts or locations are highly recommended,” CrowdStrike said.

The company also recommends that organizations employ a rigorous, defense-in-depth approach that monitors endpoints, cloud workloads, identities and networks, to defend against advanced, persistent adversaries.

CrowdStrike also offers best-practices recommendations to its own customers, suggesting Falcon platform configurations that can prevent and quarantine the BYOVD activity described in its report.