Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products

A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.

A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.

Also tracked as Roasted 0ktapus and UNC3944, the threat actor has been targeting telecom and business process outsourcing (BPO) firms since June 2022, to gain access to mobile carrier networks.

Relentless in attacks, the threat actor was seen using phishing and social engineering to obtain victims’ credentials and one-time passwords (OTPs), and deploying virtual private network (VPN) and remote monitoring and management (RMM) tools post compromise, CrowdStrike said in December 2022.

Now, the cybersecurity firm reports that, over the past several weeks, Scattered Spider has attempted to deploy a malicious kernel driver by exploiting CVE-2015-2291, an Intel Ethernet diagnostics driver for Windows flaw leading to arbitrary code execution with kernel privileges.

“This vulnerability has been used by adversaries for several years to deploy malicious drivers into the Windows kernel. This technique is known as ‘Bring Your Own Vulnerable Driver’ (BYOVD) and is a tactic that has persisted due to a gap in Windows security,” CrowdStrike notes.

Since Windows Vista, Microsoft has blocked unsigned kernel-mode drivers from running, but BYOVD allows attackers to bypass the protection and install a legitimately signed but malicious driver. Publicly available tools can be used to map unsigned drivers into memory.

Microsoft announced that drivers with known security vulnerabilities would be blocked in Windows 10, which also blocks kernel drivers that are not signed by Microsoft itself. However, reports have shown that threat actors remain successful in bypassing Redmond’s protections.

Scattered Spider, CrowdStrike explains, was observed attempting to load a malicious driver to bypass the security protections offered by several security firms, including Microsoft, Palo Alto Networks, SentinelOne, and CrowdStrike.

Advertisement. Scroll to continue reading.

The identified iterations of the malicious driver are signed with stolen certificates and a self-signed test certificate (this sample is loaded using BYOVD techniques).

To prevent the endpoint security products from blocking the malicious activity, the driver iterates through the loaded kernel modules for the security software’s component and patches it in memory.

Organizations are advised to scan their systems for the targeted Intel driver and make sure that it has been patched against CVE-2015-2291. They should patch systems in a timely manner against all known vulnerabilities and should use an endpoint security solution on all of them.

“While the outlined activity appears to target specific industries, organizations of all types should apply the lessons learned to harden defenses against such threats,” CrowdStrike concludes.

Related: New ETW Attacks Can Allow Hackers to ‘Blind’ Security Products

Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections

Related: North Korean Hackers Exploit Dell Driver Vulnerability to Disable Windows Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights