Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products

A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.

A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.

Also tracked as Roasted 0ktapus and UNC3944, the threat actor has been targeting telecom and business process outsourcing (BPO) firms since June 2022, to gain access to mobile carrier networks.

Relentless in attacks, the threat actor was seen using phishing and social engineering to obtain victims’ credentials and one-time passwords (OTPs), and deploying virtual private network (VPN) and remote monitoring and management (RMM) tools post compromise, CrowdStrike said in December 2022.

Now, the cybersecurity firm reports that, over the past several weeks, Scattered Spider has attempted to deploy a malicious kernel driver by exploiting CVE-2015-2291, an Intel Ethernet diagnostics driver for Windows flaw leading to arbitrary code execution with kernel privileges.

“This vulnerability has been used by adversaries for several years to deploy malicious drivers into the Windows kernel. This technique is known as ‘Bring Your Own Vulnerable Driver’ (BYOVD) and is a tactic that has persisted due to a gap in Windows security,” CrowdStrike notes.

Since Windows Vista, Microsoft has blocked unsigned kernel-mode drivers from running, but BYOVD allows attackers to bypass the protection and install a legitimately signed but malicious driver. Publicly available tools can be used to map unsigned drivers into memory.

Microsoft announced that drivers with known security vulnerabilities would be blocked in Windows 10, which also blocks kernel drivers that are not signed by Microsoft itself. However, reports have shown that threat actors remain successful in bypassing Redmond’s protections.

Scattered Spider, CrowdStrike explains, was observed attempting to load a malicious driver to bypass the security protections offered by several security firms, including Microsoft, Palo Alto Networks, SentinelOne, and CrowdStrike.

The identified iterations of the malicious driver are signed with stolen certificates and a self-signed test certificate (this sample is loaded using BYOVD techniques).

To prevent the endpoint security products from blocking the malicious activity, the driver iterates through the loaded kernel modules for the security software’s component and patches it in memory.

Organizations are advised to scan their systems for the targeted Intel driver and make sure that it has been patched against CVE-2015-2291. They should patch systems in a timely manner against all known vulnerabilities and should use an endpoint security solution on all of them.

“While the outlined activity appears to target specific industries, organizations of all types should apply the lessons learned to harden defenses against such threats,” CrowdStrike concludes.

Related: New ETW Attacks Can Allow Hackers to ‘Blind’ Security Products

Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections

Related: North Korean Hackers Exploit Dell Driver Vulnerability to Disable Windows Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.