Home>Blog>The Hacker News Headlines>BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions
The Hacker News Headlines

BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions

BlackByte Ransomware

In yet another case of bring your own vulnerable driver (BYOVD)
attack, the operators of the BlackByte ransomware are leveraging a
flaw in a legitimate Windows driver to bypass security
solutions.

“The evasion technique supports disabling a whopping list of
over 1,000 drivers on which security products rely to provide
protection,” Sophos threat researcher Andreas Klopsch said[1]
in a new technical write-up.

BYOVD is an attack technique[2]
that involves threat actors abusing vulnerabilities in legitimate,
signed drivers to achieve successful kernel-mode exploitation and
seize control of compromised machines.

CyberSecurity

Weaknesses in signed drivers have been increasingly co-opted by
nation-state threat groups in recent years, including Slingshot[3], InvisiMole[4], APT28[5], and most recently, the
Lazarus Group[6].

Windows Driver

BlackByte, believed to be an offshoot of the now-discontinued Conti group[7], is part of the big game
cybercrime crews, which zeroes in on large, high-profile targets as
part of its ransomware-as-a-service (RaaS) scheme.

According to the cybersecurity firm, recent attacks mounted by
the group have taken advantage of a privilege escalation and code
execution flaw (CVE-2019-16098[8], CVSS score: 7.8)
affecting the Micro-Star MSI Afterburner RTCore64.sys driver to
disable security products.

CyberSecurity

What’s more, an analysis of the ransomware sample[9]
has uncovered multiple similarities between the EDR[10] bypass implementation
and that of a C-based open source tool called EDRSandblast[11], which is designed to
abuse vulnerable signed drivers to evade detection.

BlackByte is the latest ransomware family to embrace the BYOVD
method to achieve its goals, after RobbinHood[12] and AvosLocker[13], both of which have
weaponized bugs in gdrv.sys (CVE-2018-19320[14]) and asWarPot.sys to
terminate processes associated with endpoint protection
software.

To protect against BYOVD attacks, it’s recommended to keep track
of the drivers installed on the systems and ensure they are
up-to-date, or opt to blocklist drivers known to be
exploitable.

References

  1. ^
    said
    (news.sophos.com)
  2. ^
    attack
    technique     (www.eset.com)
  3. ^
    Slingshot
    (thehackernews.com)
  4. ^
    InvisiMole
    (thehackernews.com)
  5. ^
    APT28
    (thehackernews.com)
  6. ^
    Lazarus
    Group     (thehackernews.com)
  7. ^
    now-discontinued Conti group
    (thehackernews.com)
  8. ^
    CVE-2019-16098
    (nvd.nist.gov)
  9. ^
    ransomware sample
    (www.virustotal.com)
  10. ^
    EDR
    (en.wikipedia.org)
  11. ^
    EDRSandblast
    (github.com)
  12. ^
    RobbinHood
    (www.welivesecurity.com)
  13. ^
    AvosLocker
    (thehackernews.com)
  14. ^
    CVE-2018-19320
    (nvd.nist.gov)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.