The Scattered Spider cyber crime group has recently been observed attempting to deploy a malicious kernel driver using a tactic called bring your own vulnerable driver (BYOVD) — a warning to security professionals that the technique, which exploits longstanding deficiencies in Windows kernel protections, is still being employed by cyber criminals, according to cyber security company CrowdStrike.
In this latest BYOVD attack, which was observed and stopped by CrowdStrike's Falcon security system, Scattered Spider attempted to deploy a malicious kernel driver via a vulnerability — CVE-2015-2291 in MITRE's Common Vulnerability and Exposures program — in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).
The Intel Ethernet diagnostics driver vulnerability allows users to cause a denial of service or possibly execute arbitrary code with kernel privileges in Windows, according to the NIST National Vulnerability Database.
"CrowdStrike customers should ensure they have the ability to locate and patch the vulnerable Intel Display Driver specified in CVE-2015-2291. Prioritising the patching of vulnerable drivers can help mitigate this and similar attack vectors involving signed driver abuse," CrowdStrike said in a blog about the Scattered Spider exploit.
What is bring your own vulnerable driver (BYOVD)?
BYOVD attacks generally use legitimately signed, but vulnerable, drivers to perform malicious actions on systems. In a BYOVD attack, the attacker can use the vulnerabilities in the drivers to execute malicious actions with kernel-level privileges.
“Publicly available tools, such as KDMapper, allow adversaries to easily take advantage of BYOVD to map non-signed drivers into memory," CrowdStrike said.
The BYOD technique has been frequently used against Windows over the past decade, and cyber criminals continues to use it because the operating system has not been correctly updating its vulnerable driver blocklist, according to researchers.
In 2021, Microsoft stated that drivers with confirmed security vulnerabilities would be blocked by default on Windows 10 devices with Hypervisor-Protected Code Integrity (HVCI) enabled, via blocklists that are automatically updated via Windows Update.
Vulnerable drivers still an issue for Windows
Various researchers and cyber security companies including Sophos, however, have observed that successful BYOD attacks against Windows have continued, and blocklists of vulnerable drivers used by Windows security features have not appeared to be updating regularly.
After BYOVD exploits were reported in late 2022, Microsoft issued various statements indicating that it was working on the problem, for example telling Ars Technica, "The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronisation across OS versions.
"We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released."
But BYOVD attacks persist. CrowdStrike said Scattered Spider tried "to use the privileged driver space provided by the vulnerable Intel driver to overwrite specific routines in the CrowdStrike Falcon sensor driver ... this was prevented by the Falcon sensor and immediately escalated to the customer with human analysis."
In the past months, Scattered Spider was observed attempting to bypass other endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne, CrowdStrike noted.
The company said that it has identified various versions of a malicious driver that are signed by different certificates and authorities, including stolen certificates originally issued to Nvidia and Global Software LLC, and a self-signed test certificate.
“The intent of the adversary is to disable the endpoint security products visibility and prevention capabilities so the actor can further their actions on objectives,” CrowdStrike said.
Social engineering provides initial access
In most of the investigations conducted by CrowdStrike since June 2022, the initial access to systems was achieved by Scattered Spider through social engineering, where the adversary leveraged phone calls, SMS and/or Telegram messages to impersonate IT staff.
In a December report detailing these access methods, the company said that in the attacks, the adversary instructed victims to either navigate to a credential-harvesting website containing the company logo and enter their credentials or download a remote monitoring management tool that would allow the adversary to remotely connect and control their system.
If multi-factor authentication (MFA) was enabled, the adversary would either engage the victim directly by convincing them to share their one-time password, or indirectly by continuously prompting the victim user until they accepted the MFA push challenge, CrowdStrike said.
"Having obtained access, the adversary avoids using unique malware, instead favouring a wide range of legitimate remote management tools to maintain persistent access," CrowdStrike said.
Scattered Spider — also known as Roasted 0ktapus, and UNC3944 — has been busy. In its December report, CrowdStrike attributed (with low confidence) an intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies to Scattered Spider.
Though CrowdStrike this week said that the latest BYOVD activity also appears to target specific industries, organisations in all sectors should apply best security practices to defend again vulnerable drivers as well as attacks comprising other exploits.
"As the adversary is largely leveraging valid accounts as the initial access vector, additional scrutiny of legitimate login activity and two-factor authentication approvals from unexpected assets, accounts or locations are highly recommended," CrowdStrike said.
The company also recommends that organisations employ a rigorous, defence-in-depth approach that monitors endpoints, cloud workloads, and identities and networks, to defend against advanced, persistent adversaries.
CrowdStrike also offers best practices recommendations to its own customers, suggesting Falcon platform configurations that can prevent and quarantine the BYOVD activity described in its report.