Cyber criminals are exploiting an old vulnerability in Intel drivers in an attempt to gain access to networks in a way that allows them to bypass cybersecurity protections.
The attacks have been detailed by cybersecurity researchers at CrowdStrike, who suggest the campaign targeting Windows systems is the work of a cyber-criminal group they track as Scattered Spider — also known as Roasted 0ktapus and UNC3944.
Scattered Spider is a financially motivated cybercrime operation, which researchers say takes particular interest in telecoms and the business outsourcing sectors, with the objective of gaining access to mobile carrier networks.
It’s thought that the attackers initially gain access to networks by using SMS phishing attacks to steal usernames and passwords. In some cases, the attackers have used that initial access to obtain additional credentials, and the group is also thought to engage in SIM-swapping attacks.
Once inside a network, Scattered Spider uses a technique that CrowdStrike describes as ‘Bring Your Own Vulnerable Driver’ (BYOVD), which targets loopholes in Windows security.
While Microsoft attempts to limit the capabilities of malware that gains access to systems by preventing unsigned kernel-mode drivers from running by default, attackers can get around this with BYOVD, which enables them to install a legitimately signed but malicious driver to carry out attacks.
The legitimate signing certificates can be stolen, or attackers find workarounds that allow them to self-sign their own certificates. But no matter how they’re obtained, the attackers can then secretly install and run their own drivers on systems to disable security products and hide their activity.
One way the group keeps the operation as stealthy as possible is by avoiding malware altogether, instead installing a range of legitimate remote access tools to maintain persistence on the compromised system.
According to analysis by CrowdStrike, the attackers are delivering malicious kernel drivers through a vulnerability in the Intel Ethernet diagnostics driver for Windows (tracked as CVE-2015-2291).
As the ID number suggests, the vulnerability is old, but cyber criminals are still able to exploit it on systems when the security update that closes the vulnerability hasn’t been applied.
“Prioritizing the patching of vulnerable drivers can help mitigate this and similar attack vectors involving signed driver abuse,” warn researchers.
Tools that the attackers have attempted to bypass include Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne, as well as CrowdStrike’s own Falcon security product. CrowdStrike researchers say that Falcon detected and prevented the malicious activity when attackers tried to install and run their own code.
Microsoft has previously warned that, “Increasingly, adversaries are leveraging legitimate drivers in the ecosystem and their security vulnerabilities to run malware” and, while the company is taking action to prevent abuse, the attack technique still works.
The Scattered Spider campaign appears to target a specific set of industries, but CrowdStrike recommends that IT and cybersecurity teams in all industries ensure their networks are protected against attack, for example, by ensuring that the old security patch has been applied.
Microsoft also provides advice on recommended rules for blocking drivers to help harden systems. But the company warns that blocking drivers can cause devices or software to malfunction, and — in rare cases — lead to a blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities.
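The script below is an added example for defenders; it is not CrowdStrike’s tooling and does not come from the article. It ties together the two points above: a BYOVD driver is validly signed, so signature checks alone cannot catch it, and Microsoft’s vulnerable driver blocklist only helps when HVCI or an enforced code-integrity policy is actually running. The script reports that enforcement state and then lists every running kernel driver with its signer, SHA256 and whether its file name is on a local watch list. The function names, the `$WatchList` placeholder entry and the “non-Microsoft signer” triage heuristic are the example’s own assumptions; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11.

```powershell
# Added example (not from the article or from CrowdStrike): read-only host audit.
# 1) Is the vulnerable driver blocklist actually being enforced (HVCI / kernel
#    code-integrity policy)?
# 2) Which kernel drivers are loaded, who signed them, and are any on a watch list?
# Assumptions: Windows 10/11, elevated PowerShell 5.1+. $WatchList is a placeholder;
# fill it from your own intelligence or from the FileName rules in Microsoft's
# recommended driver block rules.

$WatchList = @(
    'EXAMPLE-vulnerable-driver.sys'   # placeholder only, not a real driver name
)

function Get-CodeIntegrityState {
    # Win32_DeviceGuard reports virtualization-based security status.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) {
        $status = 'Unknown'    # class absent: older OS or query failed
    } else {
        $status = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
            0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
        }
    }
    [pscustomobject]@{
        HvciRunning          = [bool]($dg.SecurityServicesRunning -contains 2)
        KernelCiPolicyStatus = $status
    }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise them.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (Test-Path -LiteralPath $p) { $p } else { $null }
}

function Get-LoadedDriverReport {
    param([string[]]$Watch = $WatchList)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path) { return }      # skip entries we cannot locate on disk
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $name = [System.IO.Path]::GetFileName($path)
            [pscustomobject]@{
                Driver      = $_.Name
                File        = $name
                Sha256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                SigStatus   = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer      = $sig.SignerCertificate.Subject
                OnWatchList = ($Watch -contains $name)
            }
        }
}

# --- report -----------------------------------------------------------------
$ci = Get-CodeIntegrityState
if (-not $ci.HvciRunning -or $ci.KernelCiPolicyStatus -ne 'Enforced') {
    Write-Warning "HVCI running: $($ci.HvciRunning); kernel CI policy: $($ci.KernelCiPolicyStatus). The vulnerable driver blocklist is not being enforced on this host."
}

# Caveat: a BYOVD driver is *validly* signed, so SigStatus = Valid is not evidence
# of safety. Triage watch-list hits first, then drivers whose signer is not
# Microsoft (WHQL / attestation-signed drivers carry a Microsoft subject); the
# Sha256 column lets you compare against published hash rules.
$report = Get-LoadedDriverReport
$report |
    Where-Object { $_.OnWatchList -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object OnWatchList -Descending |
    Format-Table Driver, File, SigStatus, Signer, OnWatchList -AutoSize
```

Run it elevated; `Get-AuthenticodeSignature` needs to read each driver binary. The warning branch is the actionable finding: if HVCI is off and no code-integrity policy is enforced, the blocklist Microsoft publishes is simply not consulted on that host, regardless of what it contains. To go beyond the file-name watch list, export Microsoft’s recommended driver block rules and compare the `File` and `Sha256` columns against the FileName and hash rules in that policy.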