A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.
Also tracked as Roasted 0ktapus and UNC3944, the threat actor has been targeting telecom and business process outsourcing (BPO) firms since June 2022, to gain access to mobile carrier networks.
Relentless in attacks, the threat actor was seen using phishing and social engineering to obtain victims’ credentials and one-time passwords (OTPs), and deploying virtual private network (VPN) and remote monitoring and management (RMM) tools post compromise, CrowdStrike said in December 2022.
Now, the cybersecurity firm reports that, over the past several weeks, Scattered Spider has attempted to deploy a malicious kernel driver by exploiting CVE-2015-2291, an Intel Ethernet diagnostics driver for Windows flaw leading to arbitrary code execution with kernel privileges.
“This vulnerability has been used by adversaries for several years to deploy malicious drivers into the Windows kernel. This technique is known as ‘Bring Your Own Vulnerable Driver’ (BYOVD) and is a tactic that has persisted due to a gap in Windows security,” CrowdStrike notes.
Since Windows Vista, Microsoft has blocked unsigned kernel-mode drivers from running, but BYOVD allows attackers to bypass the protection and install a legitimately signed but malicious driver. Publicly available tools can be used to map unsigned drivers into memory.
Microsoft announced that drivers with known security vulnerabilities would be blocked in Windows 10, which also blocks kernel drivers that are not signed by Microsoft itself. However, reports have shown that threat actors remain successful in bypassing Redmond’s protections.
Scattered Spider, CrowdStrike explains, was observed attempting to load a malicious driver to bypass the security protections offered by several security firms, including Microsoft, Palo Alto Networks, SentinelOne, and CrowdStrike.
The identified iterations of the malicious driver are signed with stolen certificates and a self-signed test certificate (this sample is loaded using BYOVD techniques).
To prevent the endpoint security products from blocking the malicious activity, the driver iterates through the loaded kernel modules for the security software’s component and patches it in memory.
Organizations are advised to scan their systems for the targeted Intel driver and make sure that it has been patched against CVE-2015-2291. They should patch systems in a timely manner against all known vulnerabilities and should use an endpoint security solution on all of them.
“While the outlined activity appears to target specific industries, organizations of all types should apply the lessons learned to harden defenses against such threats,” CrowdStrike concludes.
Related: New ETW Attacks Can Allow Hackers to ‘Blind’ Security Products
Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections
Related: North Korean Hackers Exploit Dell Driver Vulnerability to Disable Windows Security
