In yet one more case of carry your individual weak driver (BYOVD) assault, the operators of the BlackByte ransomware are leveraging a flaw in a authentic Home windows driver to bypass safety options.
“The evasion approach helps disabling a whopping checklist of over 1,000 drivers on which safety merchandise rely to supply safety,” Sophos risk researcher Andreas Klopsch stated in a brand new technical write-up.
BYOVD is an assault approach that entails risk actors abusing vulnerabilities in authentic, signed drivers to realize profitable kernel-mode exploitation and seize management of compromised machines.
Weaknesses in signed drivers have been more and more co-opted by nation-state risk teams lately, together with Slingshot, InvisiMole, APT28, and most not too long ago, the Lazarus Group.
BlackByte, believed to be an offshoot of the now-discontinued Conti group, is a part of the massive sport cybercrime crews, which zeroes in on massive, high-profile targets as a part of its ransomware-as-a-service (RaaS) scheme.
In response to the cybersecurity agency, current assaults mounted by the group have taken benefit of a privilege escalation and code execution flaw (CVE-2019-16098, CVSS rating: 7.8) affecting the Micro-Star MSI Afterburner RTCore64.sys driver to disable safety merchandise.
What’s extra, an evaluation of the ransomware pattern has uncovered a number of similarities between the EDR bypass implementation and that of a C-based open supply device referred to as EDRSandblast, which is designed to abuse weak signed drivers to evade detection.
BlackByte is the newest ransomware household to embrace the BYOVD technique to realize its targets, after RobbinHood and AvosLocker, each of which have weaponized bugs in gdrv.sys (CVE-2018-19320) and asWarPot.sys to terminate processes related to endpoint safety software program.
To guard in opposition to BYOVD assaults, it is advisable to maintain observe of the drivers put in on the techniques and guarantee they’re up-to-date, or decide to blocklist drivers identified to be exploitable.
