We are always telling everyone that one of the things you must do is patch and update our computers. So what happens? Someone figured out how to take advantage of this. Of course this has an acronym: BYOVD, “Bring Your Own Vulnerable Driver” (Ars Technica story). You may know one of the axioms: everything that we use to defend ourselves can be used against us. This issue is a perfect example of that axiom.
What does that actually mean? BYOVD means that the hacker will use the mechanism of updates to install an old vulnerable driver. For example:
“For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions,” Kálnai wrote, referring to the designation used to track the vulnerability in the Dell driver. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.” said ESET researcher Peter Kálnai.
Since this issue has been around for a while, why hasn’t Microsoft fixed it? They tried; it just has not worked yet. Memory integrity and hypervisor-protected code integrity were supposed to fix this, but after some tests by the ESET researcher, they did not.
If you want more of the gritty details, here is a link to virusbulletin.com with a conference abstract, where you can download the PDF paper that the two malware analysts at ESET wrote.
LAZARUS & BYOVD: EVIL TO THE WINDOWS CORE
The paragraph which summarizes the research gives a good overview:
“The administrator-to-kernel transition is not a security boundary, as is defined in the Microsoft Security Servicing Criteria for Windows. Nevertheless, it is an advantage to have the ability to modify the kernel memory, especially if the attacker can achieve that from the user space. The Bring Your Own Vulnerable Driver (BYOVD) technique is a viable option for doing so: the attackers carry and load a specific kernel driver with a valid signature, thus overcoming the driver signature enforcement policy (DSE). Moreover, this driver contains a vulnerability that gives the attacker an arbitrary kernel write primitive. In such case, the Windows API interface ceases to be a restriction and an adversary can tamper with the most privileged areas of the operating system.”
We security folks like to find the proverbial “sky is falling” issue. This one is pretty good on that path, but if one had a good security plan in place, this issue would only be dangerous in a few situations, especially if whitelisting software is used (only the listed software can run on the system).
Of course ESET wants to be the first to find malware so they can say their software defends in that area. You can test this Vulnerable Driver method by using
According to The Hacker News:
“To protect against BYOVD attacks, it’s recommended to keep track of the drivers installed on the systems and ensure they are up-to-date, or opt to blocklist drivers known to be exploitable.”
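One way to act on that recommendation, as an added example (not from the original post, ESET or Microsoft): a PowerShell inventory of installed kernel drivers with version, signer and SHA-256, checked against a hash blocklist you maintain, followed by a check of the memory integrity and driver blocklist settings discussed above. The blocklist and CSV file names are assumptions.

```powershell
# Added example: inventory kernel drivers and flag any whose hash is on a local blocklist.
# Assumption: $BlocklistPath is a file you maintain, one SHA-256 hash per line.
param(
    [string]$BlocklistPath = '.\driver-blocklist-sha256.txt',
    [string]$OutCsv        = '.\driver-inventory.csv'
)

$blocked = @{}
if (Test-Path -LiteralPath $BlocklistPath) {
    Get-Content -LiteralPath $BlocklistPath |
        Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' } |
        ForEach-Object { $blocked[$_.ToUpperInvariant()] = $true }
}

function Resolve-DriverPath([string]$Raw) {
    # Driver image paths appear as \??\C:\..., \SystemRoot\... or system32\...
    $p = $Raw.Trim().Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$inventory = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name    = $_.Name
        State   = $_.State
        Version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        Signer  = $sig.SignerCertificate.Subject
        SHA256  = $hash
        Blocked = $blocked.ContainsKey($hash)
        Path    = $path
    }
}

# Keep the CSV so the next run can be compared against it for new or changed drivers.
$inventory | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
$inventory | Where-Object Blocked | Format-Table Name, State, Version, Path -AutoSize

# Report whether memory integrity (HVCI) is running and whether the
# Microsoft vulnerable driver blocklist is switched on.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
[pscustomobject]@{
    HvciRunning             = $dg.SecurityServicesRunning -contains 2
    VulnDriverBlocklistFlag = $ci.VulnerableDriverBlocklistEnable
}
```

Run it from an elevated prompt so every driver file can be read; a hash match only covers the exact file versions on your list, so review old versions and unexpected signers in the CSV as well.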
There will always be new attacks using our own technologies against us.
As mentioned in my post from September 6 – Attack versus Defense – What is status?
So what is the real answer to new/old effective attacks? The reality is one has to have a security mentality – even if it is only a few hours in a week. Create a security culture and a security policy which tells employees this is important.
Then set up security awareness programs to test your employees: the malware won’t get on the system if employees do not click on dangerous emails.
Buy my book to create a security policy: Too Late You’re Hacked.
Another update October 20:
At Wincert:
“Although Microsoft claimed it has solved the problem with the driver blocklist being regularly updated, security researchers discovered that the company hasn’t updated the list in about three years. This means that all vulnerable drivers that were discovered in the past 2-3 years could be used by attackers to get access to OS.
Since this is a one-time update process it’s still not clear if Microsoft will push automatic updates for the driver blocklist through Windows Updates.”