Threat actors can be some of the best recyclers on the planet. Unfortunately, it is not waste they recycle but previous tactics to compromise IT infrastructure. In recent months there has been a discernable uptick in threat actors, both financially motivated and state-sponsored groups, using the Bring Your Own Vulnerable Driver (BYOVD) tactic to compromise targets and install malware payloads once the driver is used to grant high-level access to the now vulnerable machine.
What exactly is the BYOVD tactic?
Broadly speaking, BYOVD is a variant of an attack intended to grant the attacker privileged access; such exploitation is often referred to as Privilege Escalation. MITRE explains why an attacker often needs high-level privileges to the system, noting,
“When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.”
With regard to BYOVD, the escalation of privileges is done by the threat actor literally bringing a vulnerable driver into the target’s system. On Windows machines, this is made possible because applications, or more accurately their drivers, can run in either user mode or kernel mode. User mode is the more limited of the two, while kernel mode allows direct access to important operating system functions and the hardware abstraction layer. Put more simply, if an attacker uses a vulnerable driver that has kernel access, they are capable of circumventing security measures, installing malware to their heart’s content, and hiding deeper within the system, preventing easy detection.
However, to access this layer there is a built-in security measure. Windows will only allow a driver to access this layer if it passes the Driver Signature Enforcement policy, which ensures only signed kernel drivers can be loaded. This is where the evil genius of a BYOVD attack comes in: the threat actor uses a driver that is legitimately signed but vulnerable to exploitation. They do this by using old unpatched drivers from legitimate software companies. Once the threat actor gains access to the victim’s system, they will either roll back a driver found on the system to a vulnerable one they possess or simply install the unpatched driver.
As this driver is signed it can bypass the Driver Signature Enforcement policy allowing the attacker the privileged access to the kernel they desire for fun and profit.
Early Uses of the Tactic
The BYOVD tactic has been around for some time with it initially being seen in the wild in the 2010s. The earliest use of the tactic in the wild that could be found by the writer was in 2012 when Iranian state-sponsored groups were using the tactic to drop the Shamoon malware.
Shamoon Wiper
The malware is part of the wiper family of malware, that being malware that renders data on the machine unreadable or deletes it entirely, and has been a staple of the Iranian state-sponsored cyber warfare toolbox for over a decade now. Shamoon rewrites the master boot record (MBR), effectively rendering a machine useless. In 2012, the malware was used to cause significant destruction to energy companies in the Middle East, in particular Saudi Aramco, Saudi Arabia’s largest energy producer. Following the attacks, fingers were quickly pointed at Iran, as Saudi Arabia is a geopolitical rival in the area, to understate the rivalry between the two nations.
Security researchers soon found strong evidence to suggest Iran was behind the attacks. What was interesting is how a legitimately signed driver was used in the attack, namely an Eldos driver. Initially, researchers at Kaspersky Labs believed that the driver was used to facilitate the rewriting of the MBR on what were then Windows 7 machines. It was soon found out that rewriting the MBR could be done in user mode. Those same researchers then discovered that the driver was used by the threat actor to gain administrative privileges to the targeted machine so that the Shamoon malware could be run without hindrance. Effectively, this was a BYOVD attack before we had a term for it.
Turla Exploits
The Turla malware is a trojan developed by Russian state-sponsored hackers to act as a backdoor into targeted machines. In 2014, researchers discovered the malware was being deployed via the privilege escalation exploit tactics mentioned above. One such exploit was used to gain access to Windows kernel mode. In this regard, a vulnerable driver for Oracle VirtualBox was used. F-Secure researchers analyzing the abuse of the driver noted,
“Turla takes advantage of a vulnerable VirtualBox device driver (VBoxDrv.sys) in order to bypass a very important Windows security feature called Driver Signature Enforcement (DSE), which was first introduced in Windows Vista. Starting with the 64-bit version of Windows Vista, the driver code signing policy for the Windows OS requires all driver code to have a digital signature, to increase the platform’s safety and stability. This means that malware authors are required to sign their device drivers if they want to load their malicious driver code on a victim’s machine; without a valid digital signature, they must get rid of DSE for their malicious products to work.”
This should now be sounding awfully familiar, and the abuse of this loophole in DSE was used to grant the threat actor kernel access to the targeted Windows Vista machines. This in turn granted incredibly privileged access, allowing for the deployment of the malware. Researchers noted that by this stage exploiting the DSE loophole had become a simple five-stage process. Over the years Microsoft did develop better security controls to counter this, which made exploitation far harder and caused both state-sponsored groups and financially motivated groups to focus on other ways to gain privileged access. Now, though, the BYOVD tactic has made a return.
Modern BYOVD Attacks
In both of the earlier examples above, state-sponsored, or nation-state, groups were seen exploiting vulnerable drivers to gain access to the Windows kernel. With the return of the BYOVD trend, state-sponsored groups are again using the tactic, but so are financially motivated threat actors.
Lazarus Abuses Dell Driver
In October 2022, reports began to emerge that everybody’s favorite North Korean threat actor, Lazarus, was targeting organizations in the aerospace industry to steal data. Once researchers began digging into events surrounding the attacks, it was found that a vulnerable Dell DBUtil driver was used to help facilitate the stealing of data. It was also discovered that not only was the aerospace industry a target for the attack but also a Belgian journalist.
The flaw in the legitimate driver, tracked as CVE-2021-21551, leads to the escalation of privileges when exploited, making it the perfect choice for Lazarus. According to an analysis by ESET, initially, both victims received fake job offers via email with a malicious document attached. Once the document was opened the attackers deployed several malicious tools on the system, including droppers, loaders, fully featured HTTP(S) backdoors, and HTTP(S) uploaders. One such tool was the vulnerable driver mentioned above. It is believed that this is the first time this driver has been used in the wild to compromise targeted machines.
Scattered Spider Abuses Intel Ethernet Driver
In December 2022, a known financially motivated threat actor, Scattered Spider, was seen abusing CVE-2015-2291, a vulnerability in an Intel Ethernet driver, for the purposes of bypassing endpoint security applications and making use of the BYOVD tactic. To bypass the DSE measure implemented by Microsoft, Scattered Spider used stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate.
CrowdStrike researchers noted that even if there was a patched version of the driver on the targeted machine, the attackers would roll back the driver to the vulnerable one they had brought along, noting further that,
“The malicious driver then finds the target driver using the same method and patches it, in memory, at hard-coded offsets. The patching routine operates on a list where each element represents a hook structure that contains a pointer to the target function, a pointer to the malware routine and trampoline code to invoke that routine. The installed malware routines signal success to the Falcon sensor in every case even though the routines perform no operation”
And,
“Increasingly, adversaries are leveraging legitimate drivers in the ecosystem and their security vulnerabilities to run malware…drivers with confirmed security vulnerabilities will be blocked on Windows 10 devices in the ecosystem using Microsoft Defender for Endpoint attack surface reduction (ASR) and Microsoft Windows Defender Application Control (WDAC) technologies to protect devices against exploits involving vulnerable drivers to gain access to the kernel.”
Defending Against BYOVD Attacks
Following the Scattered Spider attack and several other campaigns abusing the above-mentioned Intel driver, many began hurling questions at Microsoft asking what else was done to protect users. In statements issued by Microsoft, the Redmond giant noted that it was acutely aware of the problem and risks posed by BYOVD attacks and had included more protection over and above the DSE policy. Microsoft had deployed what it called Hypervisor-Protected Code Integrity, or HVCI; however, several questions have been raised as to its effectiveness by security practitioners.
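Because a BYOVD driver is validly signed, a signature check alone will not flag it; a hunt has to look at which binary was loaded and from where. The Python below is an added example, not code from this article or from any vendor named in it: it applies four checks to constructed driver-load events whose field names are modelled on Sysmon Event ID 6, and the hosts, driver names, hashes and expected directories are all placeholder assumptions.

```python
from pathlib import PureWindowsPath

# Constructed placeholder digests; a real hunt would load a maintained
# list of known-vulnerable driver hashes here.
VULN, PATCHED, OTHER = "A" * 64, "B" * 64, "C" * 64
KNOWN_VULNERABLE_SHA256 = {VULN: "placeholder vulnerable driver"}
# Directories where kernel drivers normally live (assumption of this example).
EXPECTED_DIRS = {"c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore"}

def sha256_of(hashes_field):
    """Pull the SHA256 value out of a 'MD5=..,SHA256=..' style field."""
    for part in hashes_field.split(","):
        algo, _, value = part.strip().partition("=")
        if algo.upper() == "SHA256":
            return value.upper()
    return None

def hunt(events):
    """Return (host, driver, reasons) for each suspicious load, in event order."""
    baseline = {}  # (host, driver file name) -> first SHA256 seen
    findings = []
    for ev in events:
        path = PureWindowsPath(ev["ImageLoaded"])
        name, digest = path.name.lower(), sha256_of(ev["Hashes"])
        reasons = []
        if digest in KNOWN_VULNERABLE_SHA256:
            reasons.append("known-vulnerable-hash")
        if not any(str(p).lower() in EXPECTED_DIRS for p in path.parents):
            reasons.append("unusual-load-path")
        # Same driver name, different binary: possible rollback to an old build.
        if baseline.setdefault((ev["Host"], name), digest) != digest:
            reasons.append("binary-changed-since-baseline")
        # A valid signature never clears an event; an invalid one adds a reason.
        if ev["SignatureStatus"] != "Valid":
            reasons.append("signature-not-valid")
        if reasons:
            findings.append((ev["Host"], name, reasons))
    return findings

def _ev(host, image, hashes):
    return {"Host": host, "ImageLoaded": image, "Hashes": hashes, "SignatureStatus": "Valid"}

# Constructed sample events: every driver is validly signed, as in BYOVD.
SAMPLE_EVENTS = [
    _ev("WS01", "C:\\Windows\\System32\\drivers\\exampledrv.sys", "SHA256=" + PATCHED),
    _ev("WS01", "C:\\Users\\Public\\exampledrv.sys", "MD5=" + "0" * 32 + ",SHA256=" + VULN),
    _ev("WS02", "C:\\Windows\\System32\\drivers\\otherdrv.sys", "SHA256=" + OTHER),
    _ev("WS02", "C:\\Windows\\System32\\drivers\\otherdrv.sys", "SHA256=" + VULN.lower()),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The second WS02 event shows the in-place rollback case: the path and signature look normal, and only the hash comparison catches it.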
Having a good security partner that can actively hunt threats and has better visibility over the entire IT infrastructure is far more reliable than relying on endpoint detection as the only security measure. Contact LMNTRIX today to see how we can help you secure the data that matters the most and prevent malicious threat actors from corrupting your Windows machines.