To Get Around Security, Hackers Use This Old Trick

Cyber criminals continue to exploit unpatched systems to compromise networks, despite CVE-2015-2291 having been public for several years.

An old vulnerability in an Intel driver is being exploited by cybercriminals to break into networks. The flaw lets them switch off endpoint security tools on the victim machine and so bypass the defences that would otherwise catch them.

According to cybersecurity researchers at CrowdStrike, the campaign, which targets Windows PCs, is the work of Scattered Spider, a cybercriminal group also tracked as Roasted 0ktapus and UNC3944.

Scattered Spider is a financially motivated cybercrime operation that researchers describe as especially interested in business process outsourcing firms and telecom companies. Gaining access to mobile carrier networks is the group's main objective.

The attackers appear to gain initial access by stealing usernames and passwords through SMS phishing. In several recorded cases they have then used that foothold on a compromised device to harvest further credentials. The group also appears to carry out SIM-swapping attacks.

Once inside a network, Scattered Spider uses a technique called Bring Your Own Vulnerable Driver (BYOVD) to get around protections built into Windows. Windows refuses to load unsigned kernel-mode drivers by default, which limits how easily malware can reach the kernel. BYOVD sidesteps that control rather than breaking it: instead of loading an unsigned driver, the attackers install a driver that carries a legitimate signature but contains a known vulnerability, then exploit that vulnerability to run their own code with kernel privileges. The signature check passes because the driver really is signed; the weakness lies in what the driver does once it is loaded.

Attackers also obtain signed malicious drivers in other ways: by stealing legitimate code-signing certificates, by abusing workarounds that let them sign drivers themselves, or by obtaining certificates through fraud. However the signature was obtained, the result is the same: the driver loads quietly, and from the kernel the attackers can disable the security products on the machine so that the rest of their activity goes unseen.

Beyond the driver, the group deploys little or no custom malware, in order to stay as discreet as possible. Instead it installs a range of legitimate remote access tools, which give it persistence on the compromised system without tripping malware signatures.

One of the ways CrowdStrike has seen the attackers deliver malicious kernel code is through a vulnerability in the Intel Ethernet diagnostics driver for Windows.

The vulnerability has been known for a long time, as the year in its CVE ID suggests. If the update that fixes it has not been applied, a copy of the vulnerable driver on the system, or one the attackers bring with them, can still be exploited.

To counter this and future attacks that abuse signed drivers, the researchers urge users to patch vulnerable drivers as a priority.

The attackers have attempted to bypass several security products, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne, as well as CrowdStrike's own Falcon. CrowdStrike says Falcon detects and blocks the malicious activity when the attackers try to install and run their own code.

Microsoft has previously warned that attacks increasingly target legitimate drivers in the ecosystem, using their vulnerabilities to compromise computers. Despite Microsoft's efforts to prevent such abuse, the technique is still used successfully today.

Scattered Spider appears to be targeting a specific set of industries with this campaign, but CrowdStrike recommends that security teams in every sector plan for it regardless. At a minimum that means applying the long-available security patch.

Microsoft also publishes guidance on hardening systems with its recommended driver block rules. As with any software or hardware change, blocking or removing a driver can break the device or software that depends on it and, in some cases, cause a blue screen of death. And a vulnerable driver blocklist cannot guarantee that every driver found to have a vulnerability has been identified and added to the list.
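Two points in this post translate directly into a check a defender can run: the BYOVD driver is legitimately signed, so signature status is the wrong thing to test, and the blocklist can lag, so an inventory scan is still needed. The script below is an added example, not code from this post, from CrowdStrike or from Microsoft. It scans a driver inventory for unpatched copies of the CVE-2015-2291 driver by file name and version, and for blocklisted hashes, while deliberately ignoring whether the signature is valid. The file names (iqvw32.sys, iqvw64.sys) and the fixed version 1.3.1.0 are taken from the CVE-2015-2291 description rather than from this post; the inventory records and the blocklist digest are constructed for the example.

```python
"""Flag known-vulnerable kernel drivers in a driver inventory.

Added example: a signature check is the wrong test for BYOVD. The Intel
Ethernet diagnostics driver behind CVE-2015-2291 is legitimately signed, so a
scan must key on the file itself (name plus version, or a hash on a blocklist)
and ignore whether the signature is valid.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DriverRecord:
    host: str
    path: str
    file_version: str      # dotted numeric version, e.g. "1.2.0.0"
    sha256: str
    signer: str
    signature_valid: bool  # deliberately NOT consulted by the checks below


# Affected file names and first fixed version, taken from the CVE-2015-2291
# description (not from the blog post this example accompanies).
VULNERABLE_BELOW_VERSION = {
    "iqvw32.sys": "1.3.1.0",
    "iqvw64.sys": "1.3.1.0",
}

# Hash blocklist. The digest here is a constructed placeholder so the example
# runs offline; in practice populate this from Microsoft's vulnerable driver
# blocklist or a project such as LOLDrivers.
BLOCKED_SHA256 = {
    "a" * 64: "iqvw64.sys (CVE-2015-2291, placeholder digest)",
}


def version_tuple(version: str) -> tuple[int, ...]:
    """'1.3.1' -> (1, 3, 1, 0): pad to four parts so comparisons are sane."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(rec: DriverRecord) -> list[str]:
    """Return the reasons a driver counts as vulnerable (empty list = clean)."""
    reasons: list[str] = []
    name = ntpath.basename(rec.path).lower()

    fixed = VULNERABLE_BELOW_VERSION.get(name)
    if fixed is not None and version_tuple(rec.file_version) < version_tuple(fixed):
        reasons.append(
            f"{name} {rec.file_version} is older than fixed version {fixed} (CVE-2015-2291)"
        )

    # Hash match catches a renamed copy dropped outside the drivers directory,
    # which a name-based rule would miss.
    label = BLOCKED_SHA256.get(rec.sha256.lower())
    if label is not None:
        reasons.append(f"SHA256 is on the blocklist: {label}")

    return reasons


def scan(records: Iterable[DriverRecord]) -> dict[str, list[str]]:
    """Map 'host:path' -> reasons for every record that is flagged."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings[f"{rec.host}:{rec.path}"] = reasons
    return findings


# Constructed sample inventory (not real data). Every record carries a valid
# signature, which is exactly why signature status must not drive the verdict.
SAMPLE_INVENTORY = [
    DriverRecord("host-a", r"C:\Windows\System32\drivers\iqvw64.sys",
                 "1.2.0.0", "a" * 64, "Intel Corporation", True),   # unpatched
    DriverRecord("host-b", r"C:\Windows\System32\drivers\iqvw64.sys",
                 "1.3.1.0", "b" * 64, "Intel Corporation", True),   # patched
    DriverRecord("host-b", r"C:\Windows\System32\drivers\tcpip.sys",
                 "10.0.19041.1", "c" * 64, "Microsoft Windows", True),
    DriverRecord("host-c", r"C:\Users\Public\nic_diag.sys",
                 "1.2.0.0", "a" * 64, "Intel Corporation", True),   # renamed copy
]


if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_INVENTORY).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

In practice the records would come from a fleet inventory (for example the output of `Get-CimInstance Win32_SystemDriver` combined with `Get-FileHash` and each file's version), and the placeholder digest would be replaced by entries from Microsoft's blocklist. Because the script never reads `signature_valid`, a driver signed with a stolen or fraudulently obtained certificate gains nothing from that signature here; only a patched version or a hash that is not on the list passes.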