Cybercriminals are still exploiting an old vulnerability in Intel drivers to gain access to networks in a way that allows them to bypass cyber security protections. Cyber security researchers have detailed the attacks and suggest the campaign targeting Windows systems is the work of a cyber-criminal group they track as Scattered Spider, also known as Roasted 0ktapus and UNC3944. Scattered Spider is a financially motivated cybercrime operation, which researchers say takes particular interest in telecoms and the business outsourcing sectors to gain access to mobile carrier networks.[1]
Researchers believe that the attackers initially gain access to networks by using SMS phishing attacks to steal usernames and passwords. In some cases, the attackers have used this access to obtain additional credentials, and the group is also thought to engage in SIM-swapping attacks. Once inside a network, Scattered Spider uses a technique described as 'Bring Your Own Vulnerable Driver' (BYOVD), which targets loopholes in Windows security.
While Microsoft attempts to limit the capabilities of malware gaining access to systems by preventing unsigned kernel-mode drivers from being run by default, attackers can get around this with BYOVD, which enables them to install a legitimately signed but malicious driver to carry out attacks. Legitimate signing certificates can be stolen, or attackers find workarounds that allow them to self-sign their drivers. But no matter how they are obtained, the attackers can secretly install and run their drivers on systems to disable security products and hide their activity.
One of the ways they keep the operation as stealthy as possible is by avoiding malware where they can and instead installing a range of legitimate remote access tools to maintain persistence on the compromised system. According to analysts, the attackers deliver malicious kernel drivers through a vulnerability in the Intel Ethernet diagnostics driver for Windows (tracked as CVE-2015-2291).
As the ID number suggests, the vulnerability is old, but cybercriminals can still exploit it on systems when the security update that closes the vulnerability hasn't been applied. "Prioritizing the patching of vulnerable drivers can help mitigate this and similar attack vectors involving signed driver abuse," warn researchers.
Tools that the attackers have attempted to bypass include Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne, and Falcon security products. Researchers say that Falcon detected and prevented malicious activity when attackers tried to install and run their own code.
Microsoft has previously warned that, "Increasingly, adversaries are leveraging legitimate drivers in the ecosystem and their security vulnerabilities to run malware" and, while the company is taking action to prevent abuse, the attack technique is still working.
The Scattered Spider campaign appears to target a specific set of industries. Still, researchers recommend that IT and cybersecurity teams in all sectors ensure their networks are protected against attack, for example, by ensuring that the old security patch has been applied. Microsoft also provides advice on recommended rules for blocking drivers to help harden services. But the company warns that blocking drivers can cause devices or software to malfunction and, in rare cases, can lead to a blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities.
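As an added, defender-side example (not part of the original post or the cited ZDNet article), the PowerShell below checks whether the Microsoft vulnerable driver blocklist and HVCI are enforced on a host and lists running kernel drivers that are not Microsoft inbox drivers, with their signer and file hash, so the result can be compared against Microsoft's recommended driver block rules and the software inventory. The Win32_DeviceGuard CIM class and the VulnerableDriverBlocklistEnable registry value are the ones Microsoft documents; the function names and output layout are my own.

```powershell
# Added example, not from the original post: audit a Windows host for BYOVD exposure.
# Run from an elevated PowerShell prompt; only built-in cmdlets are used.

function Get-DriverBlocklistStatus {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is running.
    # The Microsoft vulnerable driver blocklist is enforced automatically with HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # Registry switch Microsoft documents for enabling the blocklist without HVCI
    # (Windows 11 22H2 and later). $null in the output means the value is not set.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciRunning                     = $hvci
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable
    }
}

function Get-NonInboxKernelDrivers {
    # Running kernel drivers whose binary is not signed by the Windows inbox
    # certificate (CN=Microsoft Windows). WHQL-attested third-party drivers
    # (CN=Microsoft Windows Hardware Compatibility Publisher) stay in the list
    # on purpose, because vendor drivers are the ones BYOVD abuses.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths such as \??\C:\... or \SystemRoot\...
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signer -notlike 'CN=Microsoft Windows,*' }
}

Get-DriverBlocklistStatus | Format-List
Get-NonInboxKernelDrivers | Sort-Object Name | Format-Table -AutoSize
```

The SHA256 column is there because Microsoft's block rules identify drivers by file hash as well as by signer; a host where HvciRunning is false and the registry value is unset has no blocklist enforcement at all.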
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.zdnet.com/article/hackers-are-using-this-old-trick-to-dodge-security-protections/