Cybercriminals exploit vulnerabilities in old Intel drivers to gain access to networks in a way that allows them to bypass cybersecurity protections.
The attacks have been detailed by cybersecurity researchers at Crowdstrike, who say the campaign targeting Windows systems is the work of a cybercriminal group they track as Scattered Spider — also known as Roasted 0ktapus and UNC3944.
Scattered Spider is a financially motivated cybercrime operation that researchers say is particularly interested in the telecommunications and business outsourcing industries in order to gain access to carrier networks.
Attackers are believed to initially gain access to networks using SMS phishing attacks to steal usernames and passwords. In some cases, attackers have used this access to gain access to additional credentials, while the group is also believed to be engaging in SIM-swapping attacks.
In the same way: Cybersecurity: These are the new things to worry about in 2023
Once inside the network, Scattered Spider uses a technique Crowdstrike describes as “Bring Your Own Vulnerable Driver” (BYOVD), which exploits Windows security flaws.
Although Microsoft tries to limit the ability of malware to gain access to systems by preventing unsigned kernel-mode drivers from running by default, attackers can bypass this by using BYOVD, which allows the installation of a legitimately signed but malicious driver to carry out attacks.
Legitimately signed certificates can be stolen, or attackers find workarounds that allow them to sign their own certificates. But regardless of how they are obtained, they can secretly run and install their own drivers on systems to disable security products and hide their activities.
One of the ways they do this as stealthily as possible is by not using malware, but by installing a series of legitimate remote access tools to ensure the resilience of the compromised system.
According to Crowdstrike’s analysis, attackers are delivering malicious kernel drivers by exploiting a vulnerability in the Intel Ethernet Diagnostic Driver for Windows (tracked as CVE-2015-2291).
Also: Cybersecurity, cloud and coding: why these three skills will be in demand in 2023
As the ID number indicates, the vulnerability is old, but cybercriminals can still use it on systems without a security update that closes the vulnerability.
“Prioritizing the patching of vulnerable drivers can help mitigate this and similar attack vectors involving the misuse of signed drivers,” the researchers warn.
Tools that attackers have tried to bypass include Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne, as well as Crowdstrike’s own Falcon security product. Crowdstrike researchers say Falcon detected and prevented malicious activity when attackers tried to install and run their own code.
Microsoft previously warned that “adversaries are increasingly using legitimate ecosystem drivers and their own security vulnerabilities to launch malware,” and while the company is taking steps to prevent abuse, the attack technique still works.
The Scattered Spider campaign appears to be targeting a specific set of industries, but Crowdstrike advises IT and cybersecurity teams across all industries to protect their networks against attacks, such as by making sure the old security patch is applied.
Microsoft also provides advice on recommended driver blocking rules to help improve services. But the company warns that blocking drivers can cause device or software malfunctions and, in rare cases, cause a blue screen. The Blocklist for Vulnerable Drivers is not guaranteed to block every driver found to be vulnerable.
