Cybersecurity firm CrowdStrike has observed that a cybercrime group tracked as Scattered Spider has been exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows leading to arbitrary code execution with kernel privileges.
According to CrowdStrike, over the past several weeks, the threat actor was attempting to deploy a malicious kernel driver using a method called “Bring Your Own Vulnerable Driver” (BYOVD), which is a well-known and pervasive deficiency in Windows security that enables adversaries to bypass Windows kernel protections and execute code with the highest privileges in Windows.
Execute Malicious Code
In the latest BYOVD attack, which was detected and blocked by CrowdStrike’s Falcon security platform, Scattered Spider attempted to deploy a malicious kernel driver by exploiting a high-severity vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys), which allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls.
This new tactic was spotted by CrowdStrike shortly after it had reported, in December 2022, on a campaign by Scattered Spider (aka Roasted 0ktapus, UNC3944) in which the cybercrime group had been targeting organizations in the telecom and business process outsourcing (BPO) sectors since June 2022, with the end objective of gaining access to mobile carrier networks.
Arachnophobia is an extreme or irrational fear of spiders.
Learn how CrowdStrike detected SCATTERED SPIDER's attempt to deploy a malicious driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver. https://t.co/3wy3Y26akW
— CrowdStrike (@CrowdStrike) January 12, 2023
Back then, the threat actor was seen using social engineering: the adversary leveraged phone calls, SMS, and/or Telegram messages to impersonate IT staff in order to obtain victims’ credentials and one-time passwords (OTPs), and then used virtual private network (VPN) and remote monitoring and management (RMM) tools to maintain access.
“In an attempt to limit the amount of capabilities that malware can gain access to on a Windows system, starting with 64-bit Windows Vista, Windows does not allow unsigned kernel-mode drivers to run by default. BYOVD ‘makes it easy for an attacker with administrative control to bypass Windows kernel protections,’ allowing an adversary to install a legitimately signed but malicious driver to execute an attack,” CrowdStrike said in a blog post.
A long-standing Windows problem
According to researchers, the BYOVD technique has been used frequently against Windows over the past decade. In 2021, Microsoft tried to address the issue by introducing a blocklist of known vulnerable drivers, which Windows security features enforce by default on Windows 10 devices with Hypervisor-Protected Code Integrity (HVCI) enabled.
However, it has been observed by various researchers and cybersecurity companies that threat actors have continued to successfully use the BYOVD attack to bypass Redmond’s protections.
The threat actor tried to use the BYOVD method to bypass the end-point security tools offered by several security firms, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
CrowdStrike said Scattered Spider tried “to use the privileged driver space provided by the vulnerable Intel driver to overwrite specific routines in the CrowdStrike Falcon sensor driver … this was prevented by the Falcon sensor and immediately escalated to the customer with human analysis.”
The company said that it has identified various versions of a malicious driver that are signed by different certificates and authorities — including stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate.
“The intent of the adversary is to disable the endpoint security products visibility and prevention capabilities so the actor can further their actions on objectives,” CrowdStrike added.
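The two defensive controls the article mentions are a blocklist of known vulnerable drivers and endpoint monitoring of driver loads. The following script is an added example (it is not code from the article or from CrowdStrike) showing how a detection pipeline can combine both: it scans driver-load records for the vulnerable driver named on the page (iqvw64.sys, CVE-2015-2291), for binaries whose hash is on a blocklist, and for drivers whose signature is not valid or whose signer matches names reported in this campaign. The log lines are constructed for the example and only loosely modelled on Sysmon Event ID 6 (DriverLoad) fields; the blocklist hashes are placeholders, and the SignatureStatus vocabulary ("Valid", "Revoked", "Invalid") is an assumption of the example rather than any tool's official set.

```python
"""
Added example: flag BYOVD indicators in driver-load events.

Not from the article or CrowdStrike. Input records are constructed and
loosely modelled on Sysmon Event ID 6 fields (ImageLoaded, Signature,
SignatureStatus, Hashes). Blocklist hashes are placeholders.
"""
import json
from dataclasses import dataclass

# Driver file names known to be vulnerable. iqvw64.sys / CVE-2015-2291 is
# the one named in the article; extend this mapping from your own intel.
KNOWN_VULNERABLE_DRIVERS = {
    "iqvw64.sys": "CVE-2015-2291 (Intel Ethernet diagnostics driver)",
}

# SHA256 hashes of blocked driver binaries. PLACEHOLDER values, not real
# hashes; in practice populate from Microsoft's vulnerable driver blocklist
# or your own block policy.
BLOCKED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Signer names the article reports on malicious drivers in this campaign
# (stolen certificates). Legitimate drivers from these signers exist, so a
# signer match alone only produces a "review" finding.
WATCHED_SIGNERS = {"nvidia", "global software llc"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    image: str      # full path of the loaded driver
    reason: str


def parse_hashes(field: str) -> dict:
    """Turn 'SHA256=abc,MD5=def' into {'sha256': 'abc', 'md5': 'def'}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def analyse_event(event: dict) -> list:
    """Apply the BYOVD rules to one driver-load record."""
    findings = []
    image = event.get("ImageLoaded", "")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("sha256", "")
    signer_raw = event.get("Signature", "")
    signer = signer_raw.lower()
    status = event.get("SignatureStatus", "")

    # Rule 1: a known vulnerable driver is a hit even when its signature is
    # perfectly valid. That is the whole point of BYOVD: the driver is
    # legitimately signed, but exploitable once loaded.
    if name in KNOWN_VULNERABLE_DRIVERS:
        findings.append(Finding("high", image,
                                "known vulnerable driver: " + KNOWN_VULNERABLE_DRIVERS[name]))
    # Rule 2: hash appears on the blocklist (HVCI would block this at load
    # time on a machine with the policy enforced; elsewhere we alert).
    if sha256 and sha256 in BLOCKED_SHA256:
        findings.append(Finding("high", image, "SHA256 is on the driver blocklist"))
    # Rules 3/4: signature problems, escalated when the signer matches a
    # certificate reported as stolen in this campaign.
    watched = any(s in signer for s in WATCHED_SIGNERS)
    if status != "Valid":
        findings.append(Finding("high" if watched else "medium", image,
                                f"signature status {status!r} (signer {signer_raw!r})"))
    elif watched:
        findings.append(Finding("medium", image,
                                f"signer {signer_raw!r} appears in BYOVD campaign reporting; review"))
    return findings


def scan(lines) -> list:
    """Scan JSON-lines driver-load records and return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(analyse_event(json.loads(line)))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample log (JSON lines). Paths, hashes and signers are made up.
SAMPLE_LOG = r"""
{"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
{"ImageLoaded": "C:\\Windows\\Temp\\iqvw64.sys", "Signature": "Intel Corporation", "SignatureStatus": "Valid", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"ImageLoaded": "C:\\Users\\Public\\drv\\update.sys", "Signature": "NVIDIA Corporation", "SignatureStatus": "Revoked", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001"}
{"ImageLoaded": "C:\\Users\\Public\\drv\\test.sys", "Signature": "WDKTestCert example", "SignatureStatus": "Invalid", "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333"}
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.image}: {f.reason}")
    print(summarize(results))
```

Running the script on the constructed log reports the validly signed iqvw64.sys copy in a temp directory (the BYOVD case), the blocklisted binary with a revoked NVIDIA signature (two findings), and the test-signed driver, while the legitimate Microsoft driver produces nothing. Rule 1 matters most: a hash blocklist only catches binaries someone has already listed, whereas the name rule keyed to a vulnerability identifier keeps firing for any renamed copy of the same file once you also match on hash or version; extending the mapping with version or hash data is the natural next step.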
Since the latest BYOVD activity appears to target specific industries, CrowdStrike recommends that organizations employ a rigorous, defense-in-depth approach that monitors endpoints, cloud workloads, identities, and networks, to defend against vulnerable drivers as well as attacks that rely on other exploits.