In their latest report, Crowdstrike report how Scattered Spider tried to implement BYOVD using an old Intel driver to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne.
During the Bring Your Own Vulnerable Driver attack, a financially motivated attacker deployed Intel Ethernet diagnostic drivers, which is known to be vulnerable to exploits and allows you to get the highest privileges in Windows.
The new tactic was discovered by Crowdstrike immediately after the release of the previous report on the activities of the Scattered Spider in early December last year.
According to the resellers, the actor has been targeting telecommunications and outsourcing companies of the firm since June 2022 to gain access to the networks of mobile operators.
By the way, BYOVD attacks to ensure their intrusions with elevated Windows privileges have long been practiced by the BlackByte ransomware gang and the North Korean Lazarus.
Resellers report that this time the Scattered Spider tried to exploit the CVE-2015-2291 - a high-severity vulnerability in the Intel Ethernet diagnostic driver that allows an attacker to execute arbitrary code with kernel privileges using specially created calls.
Despite the fact that the bug was fixed back in 2015, thanks to the installation of an older, still vulnerable version on hacked devices, attackers can successfully exploit the vulnerability regardless of which updates were applied by the victim.
The sample used by the Scattered Spider is a 64-bit kernel driver with 35 functions, signed by various certificates stolen from NVIDIA and Global Software LLC signature centers. It is necessary to disable the means of protection, laying the foundation for the subsequent stages of their work in the target networks.
At startup, the driver decrypts a hard-coded string of target security solutions and corrects target drivers with hard-coded offsets.
To prevent endpoint security products from blocking malicious activity, the driver repeats the loaded kernel modules for the security component and fixes it in memory.
Despite the fact that the detected activity of Scattered Spider is aimed at specific goals, CrowdStrike recommends that information security specialists should scan systems and apply fixes for all known vulnerabilities as part of strengthening protection against such threats.