A financially motivated malicious actor, tracked as Scattered Spider, has been observed deploying Intel Ethernet diagnostic drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response).

The BYOVD technique involves hackers using a kernel-mode driver known to be vulnerable to exploits as part of their attacks to gain higher privileges in Windows.

Since device drivers have access to the operating system kernel, exploiting a flaw in them allows hackers to execute code with the highest privileges in Windows.

Crowdstrike saw this new tactic right after the publication of the cyberintelligence firm’s report previous story on Scattered Spider at the beginning of last month.

According to the latest Crowdstrike reporthackers attempted to use the BYOVD method to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.

Deactivation of security products

CrowdStrike Reports Threat Actor Scattered Spider Was Seen Trying To Exploit CVE-2015-2291a very serious vulnerability in the Intel Ethernet diagnostic driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls.

Although this vulnerability was patched in 2015, by installing an older and still vulnerable version on hacked devices, threat actors can exploit the flaw regardless of what updates the victim has applied to the system.

The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions, signed by various certificates stolen from signing authorities like NVIDIA and Global Software LLC, so Windows does not block it.

Threat actors use these drivers to disable endpoint security products and limit defenders’ visibility and prevention capabilities, setting the stage for later phases of their operation on targeted networks.

On startup, the driver decrypts a hard-coded string of targeted security products and fixes the target drivers to hard-coded offsets.

The injected malware routine ensures that the security software drivers still appear to work normally even though they are no longer protecting the computer.

Crowdstrike says “Scattered Spider” has a very narrow and specific targeting scope, but warns that no organization can afford to ignore the possibility of BYOVD attacks.

Recently, we have reported on other high-profile threat actors, such as the BlackByte ransomware gang and the The North Korean hacking group Lazarus using BYOVD attacks to power their intrusions with elevated Windows privileges.

A long-standing Windows problem

Microsoft attempted to address this known security issue in Windows by introducing a block list in 2021.

However, the problem has not been resolved decisively, as Windows does not block these drivers by default unless you are running Windows 11 2022 and later, released in September 2022.

Worse still, as ArsTechnica reported in October, Microsoft only updated the driver blocklist on every major version of Windows, leaving devices vulnerable to these types of attacks. Microsoft has since released updates which fix this maintenance pipeline to properly update the driver blocklist.

Microsoft recommends that Windows users enable the driver blocklist to protect against these BYOVD attacks. That support article provides information about enabling the blocklist using the Windows Memory Integrity feature or Windows Defender Application Control (WDAC).

Unfortunately, enabling Memory Integrity on devices that may not have newer drivers can be tricky.