Scattered Spider Attempts BYOVD Attack

Diving into details

• This vulnerability allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls.
• While it was fixed in 2015, the threat actor may still be able to exploit it by planting an older, vulnerable version on compromised devices.
• The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions and is signed by different certificates stolen from NVIDIA and Global Software LLC, among others, so Windows doesn't block it.

Why this matters

• The threat actors use these drivers to disable EDR, which limits the defenders' visibility and prevention capabilities and prepares the targeted networks for subsequent attacks.
• Upon startup, the driver decrypts a hard-coded string of targeted security products and patches the target drivers at hard-coded offsets.
• The injected malware routine ensures that the security software drivers appear to be functioning normally, but in reality, they no longer protect the computer.

Other BYOVD attacks

• In October 2022, the BlackByte ransomware group was found exploiting the CVE-2019-16098 vulnerability in Micro-Star’s MSI AfterBurner 4.6.2.15658 to disable more than 1,000 drivers. 
• Earlier the same month, the North-Korean state-sponsored Lazarus APT group launched organized spear-phishing campaigns against Belgium and the Netherlands. 
• The campaign leveraged the BYOVD technique to exploit the CVE-2021-21551 in Dell dbutil hardware driver. 

The bottom line