430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

BlackByte Ransomware abuses vulnerable driver to bypass security solutions

The BlackByte ransomware operators are leveraging a flaw in a legitimate Windows driver to bypass security solutions. Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products. In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, […]

BlackByte Ransomware abuse driver

The BlackByte ransomware operators are leveraging a flaw in a legitimate Windows driver to bypass security solutions.

Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products.

In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, to achieve successful kernel-mode exploitation.

Other ransomware gangs in the past abused the BYOVD technique to disable security solutions, for example RobbinHood and AvosLocker operators exploited vulnerabilities (i.e. CVE-2018-19320) in the gdrv.sys and asWarPot.sys.

While investigating the most recent variant of the ransomware, which is written in Go, the experts discovered that the threat actors are exploiting a vulnerability in a legitimate Windows driver to bypass security solutions.

“We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys.” reads the post published by Sophos. “The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection. Sophos products provide mitigations against the tactics discussed in this article.”

“Bring Your Own Driver” is the name given to this technique [1, 2, 3, 4, 5, 6] — exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability.”

The researchers discovered that the BlackByte ransomware operators are exploiting a privilege escalation and code execution vulnerability (CVE-2019-16098, CVSS score 7.8) affecting the Micro-Star MSI Afterburner RTCore64.sys driver.

The RTCore64.sys and RTCore32.sys drivers are widely used by Micro-Star’s MSI AfterBurner 4.6.2.15658 utility which gives extended control over graphic cards on the system. The CVE-2019-16098 exploitation allows an authenticated user to read and write to arbitrary memory, potentially leading to privilege escalation, code execution under high privileges, or information disclosure.

Sophos researchers pointed out that Kernel Notify Routines are used by loaded drivers to be notified by the kernel of system activity, Drivers related to security products often rely on these routines to collect information about system activity. 

BlackByte Ransomware abuse driver

The experts noticed that the ransomware sample they analyzed has multiple similarities with the EDR bypass implementation used by the EDRSandblast open-source tool which allows abusing vulnerable signed drivers to evade detection.

Siphos experts also identified the kernel routines to deactivate the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence provider which is used to log the use of API calls associated with malicious activities such as NtReadVirtualMemory to inject into another process’s memory. Disabling ETW, every security feature that relies on them is blind.

“Once the anti-analysis checks finish, BlackByte attempts to retrieve a file handle of the Master Boot Record, as seen in Figure 3. If failed, the ransomware tries to at least bypass User Access Control and restart itself with higher privileges via CMLUA or CMSTPLUA UAC Bypass.” continues the report.

Experts provide the following recommendations to defend against such type of attacks:

  • Threat actors usually exploits well known vulnerabilities in the used driver, for this reason by keeping track of the latest security issues it is possible blocklist drivers known to be exploitable.
  • Always keep track of the drivers installed on your systems and keep them up to date.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackByte ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]