[Nulled] » Information security » In their latest report, Crowdstrike report how Scattered Spider tried to implement BYOVD
January 16 2023

In their latest report, Crowdstrike report how Scattered Spider tried

web3 16-01-2023, 12:59 Information security 192

In their latest report, Crowdstrike report how Scattered Spider tried to implement BYOVD using an old Intel driver to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne.

During the Bring Your Own Vulnerable Driver attack, a financially motivated attacker deployed Intel Ethernet diagnostic drivers, which is known to be vulnerable to exploits and allows you to get the highest privileges in Windows.

The new tactic was discovered by Crowdstrike immediately after the release of the previous report on the activities of the Scattered Spider in early December last year.

According to the resellers, the actor has been targeting telecommunications and outsourcing companies of the firm since June 2022 to gain access to the networks of mobile operators.

By the way, BYOVD attacks to ensure their intrusions with elevated Windows privileges have long been practiced by the BlackByte ransomware gang and the North Korean Lazarus.

Resellers report that this time the Scattered Spider tried to exploit the CVE-2015-2291 - a high-severity vulnerability in the Intel Ethernet diagnostic driver that allows an attacker to execute arbitrary code with kernel privileges using specially created calls.

Despite the fact that the bug was fixed back in 2015, thanks to the installation of an older, still vulnerable version on hacked devices, attackers can successfully exploit the vulnerability regardless of which updates were applied by the victim.

The sample used by the Scattered Spider is a 64-bit kernel driver with 35 functions, signed by various certificates stolen from NVIDIA and Global Software LLC signature centers. It is necessary to disable the means of protection, laying the foundation for the subsequent stages of their work in the target networks.

At startup, the driver decrypts a hard-coded string of target security solutions and corrects target drivers with hard-coded offsets.

To prevent endpoint security products from blocking malicious activity, the driver repeats the loaded kernel modules for the security component and fixes it in memory.

Despite the fact that the detected activity of Scattered Spider is aimed at specific goals, CrowdStrike recommends that information security specialists should scan systems and apply fixes for all known vulnerabilities as part of strengthening protection against such threats.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 12:59
  • Publication category(s): Information security
  • Number of views of the publication: 192
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Symantec researchers

Symantec researchers report details about the activities of a cybercrime group they track as Bluebottle, revealing

Read more
16 January 2023
Information security
Thousands of Citrix ADC

Thousands of Citrix ADC and Gateway servers remain vulnerable to two major vulnerabilities fixed recently.

Read more
16 January 2023
Information security
K7 Security Labs

K7 Security Labs resellers have discovered a campaign by an unknown actor, presumably based in China, who uses

Read more
16 January 2023
Information security
Group-IB uncovered Dark

Group-IB uncovered Dark Pink APT, involved in attacks on government agencies and military facilities in the

Read more
16 January 2023
Information security
Microsoft's January

Microsoft's January PatchTuesday was released with fixes for a record 98 documented software vulnerabilities.

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +8 Total articles 6750
  • +18 Comments 4230
  • +34 Users : 6052