Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label BYOVD Attack. Show all posts
Windows
BYOVD Attack CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits Vulnerability Windows

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


It has been reported that threat actors have been actively exploiting a security vulnerability within the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks by elevating privileges and executing arbitrary code under the guise of attacks. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year. 

Other flaws have been identified, including arbitrary memory mapping, arbitrary memory write, null pointer dereferences, insecure kernel resource access, and arbitrary memory move vulnerabilities. It is especially concerning that an adversary may be able to exploit this vulnerability. It involves a Microsoft-signed driver, which allows adversaries to take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique. 

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Even though Microsoft researchers have identified all five security flaws, the company can not divulge what ransomware groups have been leveraging CVE-2025-0289 to execute their attacks. They are only aware that it has been weaponized in ransomware operations. A bulletin issued by Microsoft's CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks. 

According to the CVE-2025-0289 vulnerability, further malicious code within compromised environments can be executed by exploiting this vulnerability to escalate privileges to the SYSTEM level. This vulnerability can be exploited to facilitate the exploitation of BYOVD attacks, even on systems where the affected driver is not installed, and this can result in threat actors gaining elevated privileges and executing malicious code without the protection of security systems in place. 

As part of the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 which permits the mapping of kernel memory to arbitrary user inputs by not properly validating the length of the input. By exploiting this vulnerability, the user can escalate their privileges even further. 

There is a CVE-2025-0286 vulnerability that exists in version 7.9.1, resulting from improper validation of input controlled by users, which allows attackers to exploit this flaw to execute malicious code on the target machine. An unprivileged code execution vulnerability has been found in version 7.9.1, caused by an insufficient MasterLrp structure in the input buffer, which can result in a null pointer dereference vulnerability. 

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

Inversion of the CVE-2025-0289 vulnerability, an insecure kernel resource access vulnerability, has been found in version 17 of the Linux kernel due to a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware during the detection process. By exploiting this vulnerability, attackers can compromise the system. 

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should make sure that they enable the Microsoft Vulnerable Driver Blocklist feature as soon as possible. This is because it serves as a critical defense against BYOVD (Bring Your Vulnerable Driver) attacks, where outdated or insecure drivers are leveraged to elicit privileges and compromise a computer system.
Read more »
Rootkit
Avast BYOVD Attack Cyber Attacks Rootkit

Hackers Use Avast Bug to Shut Down Security Tools




A recently discovered campaign of cyberattacks makes use of a vulnerable Avast Anti-Rootkit driver to disable system security mechanisms and gain full control over target machines. With this, hackers can successfully avoid detection by security tools and thus pose a severe threat to users and organizations.


Exploiting a Vulnerable Driver

It is leveraging the so-called "bring-your-own-vulnerable-driver" (BYOVD) technique, where an old version of Avast's Anti-Rootkit driver is used. This kernel-mode driver allows hackers to gain access to essential parts of the system and also disable security defenses. The discovery was made by Trellix cybersecurity researchers.

The malware launching the attack, which is described as a variant of an AV Killer, drops a driver named ntfs.bin in the Windows user folder. It subsequently creates a service named aswArPot.sys using the Service Control tool (sc.exe) for registration and activation of the vulnerable driver.  


Targeting Security Processes

After installing the driver, the malware scans the system based on a hardcoded list of 142 processes associated with popular security tools. Such a list includes software from major vendors like McAfee, Sophos, Trend Micro, Microsoft Defender, and ESET. If it finds a match, the malware issues commands to the driver to terminate such security processes, thus effectively disabling system defenses.


Track of Previous Attacks

This abuse technique of the Avast driver has been seen in past attacks. In 2021, researchers found the same driver being used by Cuba ransomware to enable security tools disabling on victim systems. Trend Micro had discovered this technique while studying AvosLocker ransomware in early 2022.

Adding to the risks, SentinelLabs identified two severe vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the Avast Anti-Rootkit driver. These flaws, present since 2016, allowed attackers to escalate privileges and disable security measures. Avast addressed these vulnerabilities in 2021 through security updates, but outdated versions of the driver remain exploitable.  


What Should One Do?

To protect against such attacks, security professionals advise that blocking rules based on the digital signatures or hashes of malicious components should be in place. To this end, Microsoft also provides solutions, such as the vulnerable driver blocklist policy, which is enabled automatically on Windows 11 2022 and later devices. Organizations can further bolster protection by using Microsoft's App Control for Business to ensure systems are protected from driver-based exploits.


This campaign is a persistent threat in which the outdated drivers pose the risks, and proactive security measures are emphasized to fight advanced cyberattacks.


Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
Vulnerabilities and Exploits
Antivirus System BYOVD Attack Ransomware Ransomware Gang Vulnerabilities and Exploits

Kasseika Ransomware Employs AntiVirus Driver to Disarm Other Antiviruses

 

Kasseika, a ransomware gang, has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) assault to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood. 

Trend Micro claimed in a research that the technique enables "threat actors to terminate antivirus processes and services in order to deploy ransomware." 

Kasseika, identified by the cybersecurity firm in mid-December 2023, shares similarities with the now-defunct BlackMatter, which formed following DarkSide's disintegration. 

Given that the source code of BlackMatter was never made public after its demise in November 2021, there is evidence to imply that the ransomware strain may have been created by an experienced threat actor who purchased or secured access to the code. 

Modus operandi 

Kasseika attack chains begin with phishing emails to gain access, then drop remote administration tools (RATs) to escalate privileges and propagate across the target network. 

The threat actors have been spotted employing Microsoft's Sysinternals PsExec command-line tool to run a malicious batch script. The script searches for a process called "Martini.exe" and ends it if it is located, thereby guaranteeing the process is only running on one machine. 

The executable's primary task is to disable 991 security tools by downloading and executing the "Martini.sys" driver from a remote server. It is important to note that "viragt64.sys," an authentic signed driver, has been placed on Microsoft's vulnerable driver blocklist and is known as "Martini.sys.” 

The researchers noted that "if Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," highlighting the vital role that the driver plays in defence evasion.

After that, "Martini.exe" starts the ransomware payload ("smartscreen_protected.exe"), which uses the RSA and ChaCha20 algorithms to encrypt data. However, not before it terminates all services and processes that are attempting to reach Windows Restart Manager. 

The computer's wallpaper is subsequently modified to display a note requesting a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses. A ransom note is then dumped in every directory that has been encrypted. 

Furthermore, in order to acquire a decryptor, victims are required to send a screenshot of their successful payment to a Telegram channel that is managed by attackers. The Kasseika ransomware also has additional tricks up its sleeve, such as wiping traces of activity from the system's event logs using the wevtutil.exe component.

"The command wevutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers concluded. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”
Read more »
Spear Phishing Campaign
Backdoor BYOVD Attack Cyber Attacks North Korean Hackers Spear Phishing Campaign

Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers

 

ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. 

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. 

Exploiting Dell driver for BYOVD assaults 

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms. 

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more. 

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers were exploiting the vulnerability tracked CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which corresponds to a set of five flaws that remained susceptible for 12 years before the computer vendor finally published security patches for it. 

The APT group employed Bring Your Own Vulnerable Driver (BYOVD) technique to install authentic, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows allowed the driver to be installed in the operating system. However, the hackers can now exploit the driver’s flaws to launch commands with kernel-level privileges. 

Last year in December, Rapid 7 researchers issued a warning regarding this specific driver being a perfect match for BYOVD assaults due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings. 

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained. 

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.
Read more »
Subscribe to: Posts (Atom)