We always talk about the constant change and versatility of cyber-attacks, so this time we will address one of the emerging tactics that has gained notoriety is the use of legitimate vulnerable drivers to infiltrate protected systems, a strategy known as Bring Your Own Vulnerable Driver (BYOVD).
This strategy is particularly dangerous because the drivers, being digitally signed, are considered trusted by the operating system, allowing attackers to bypass traditional security measures.
Definition
BYOVD (Bring Your Own Vulnerable Driver) is a technique employed by cybercriminals that consists of introducing a legitimate but vulnerable driver into a target system to exploit it for malicious purposes. These drivers, being digitally signed, are considered trusted by the operating system, allowing attackers to bypass conventional security measures. Moreover, by operating in kernel mode, these drivers grant attackers elevated privileges, facilitating actions such as disabling security software or installing rootkits.
Originally, this technique was used by high-level Advanced Persistent Threat (APT) groups such as Turla and Equation Group. However, with the decreasing costs associated with these attacks, other malicious actors have adopted the BYOVD method to achieve their goals.
The growing popularity of BYOVD is due, in part, to the availability of open source resources that document legitimate drivers that can be exploited. For example, the Living Off The Land Drivers (LOLDrivers) project has cataloged more than 700 drivers that attackers can use, reducing the barriers to carrying out BYOVD attacks.
How it works
Bring Your Own Vulnerable Driver (BYOVD) attacks allow cybercriminals to gain full control over a system by exploiting vulnerabilities in legitimate drivers. This method involves introducing a vulnerable driver into the organization’s system and exploiting its flaws to execute malicious code with elevated privileges.
The key stages of a BYOVD attack are detailed below:
- Identifying and selecting a vulnerable driver: Attackers look for legitimate drivers with known vulnerabilities. These drivers are usually digitally signed, which makes it easy to install them without arousing suspicion.
- Installation of the driver on the victim’s system: Once selected, the vulnerable driver is introduced into the organization’s system. This can be achieved through social engineering techniques, remote access or by exploiting previously obtained administrative permissions.
- Exploiting the vulnerability to elevate privileges: After installation, cybercriminals exploit weaknesses in the driver to execute code in kernel mode. This allows them to disable security solutions, modify system configurations and hide their malicious activities.
- Maintaining persistence and evading detection: With privileged access, attackers implement mechanisms to maintain their presence on the system and evade detection tools. This may include disabling security software or modifying system logs.
A notable example of this technique is the use of the AuKill tool, which leverages an outdated version of the Process Explorer driver to disable security processes before deploying ransomware to the target system. This method has been employed in multiple incidents since early 2023, highlighting the increasing adoption of BYOVD attacks by ransomware groups.
The sophistication and effectiveness of BYOVD attacks underscore the need for organizations to keep their drivers and security systems up to date, implement strict privilege management policies, and adopt solutions capable of detecting and mitigating malicious activity at the kernel level.
Some examples
BYOVD attacks have been employed in various cyber incidents, highlighting their use in ransomware attacks and by advanced persistent threat (APT) groups. Some representative cases are presented below:
Case 1: Use of legitimate but vulnerable signed drivers in ransomware attacks.
In multiple incidents, cybercriminals have exploited legitimate drivers with known vulnerabilities to disable security solutions on victims’ systems. By installing these vulnerable drivers, attackers gain elevated privileges, allowing them to deploy ransomware and encrypt critical data undetected. This technique has been observed in several ransomware campaigns, where attackers leverage signed drivers to bypass system defenses.
Case 2: Advanced Persistent Threats (APT) using BYOVD to evade security solutions.
APT groups have adopted the BYOVD technique to infiltrate high-value networks. For example, actors such as InvisiMole and LoJax have been documented to employ vulnerable drivers to gain access to the Windows kernel, allowing them to evade security solutions and maintain a prolonged presence on compromised systems. This strategy makes it easier for them to exfiltrate sensitive information and maintain sustained control of the compromised infrastructure.
Case 3: Use in malware such as RobbinHood, which disables antivirus using vulnerable drivers.
The RobbinHood ransomware has been identified using the BYOVD technique to disable antivirus solutions on targeted systems. By loading a vulnerable driver, the malware manages to disable protection mechanisms, making it easier to encrypt data without interference. This approach demonstrates how attackers adapt their methods to overcome traditional security barriers by exploiting drivers with known vulnerabilities.
Small files, big problems
This strategy represents a significant threat in the cybersecurity arena due to the difficulty in mitigating them and their potential impact on organizations and collaborators.
Difficulty in mitigating BYOVD attacks
One of the main complexities in mitigating these attacks is that the drivers used are usually digitally signed by legitimate authorities. This digital signature gives them a level of trust within the operating system, allowing cybercriminals to load vulnerable drivers without being easily detected. In addition, the wide availability of legitimate drivers with known vulnerabilities gives attackers multiple options to carry out their malicious actions.
Problems with block lists and management of digital signatures
Implementing block lists for vulnerable drivers is a common strategy; however, keeping these lists up to date is a constant challenge. Cybercriminals can modify drivers slightly or use lesser-known variants to circumvent these security measures. In addition, digital signature management is complicated when attackers use stolen or leaked certificates to sign malicious drivers, making it difficult to effectively identify and block these components.
Impact on organizations and collaborators
BYOVD attacks can have devastating consequences for organizations. By disabling security solutions such as EDR (Endpoint Detection and Response), attackers gain unrestricted access to critical systems, which can lead to theft of sensitive data, operational disruptions and reputational damage. For employees, this can result in loss of confidence in the organization’s security infrastructure and potential risks to their personal information.
Prevention and mitigation methods
There is no simple solution to this problem. In order to improve the effectiveness of protection, it is essential to implement a combination of preventive and mitigation strategies. The following are some recommended measures:
Regular Audit and Updating of Controllers
Perform periodic audits of the drivers installed in the systems to identify those that are vulnerable or outdated. It is essential to apply patches and updates provided by manufacturers to correct possible vulnerabilities. In addition, removing obsolete or unnecessary drivers reduces the attack surface available to cybercriminals.
Implementation of Vulnerable Controller Block Lists
Maintain and enforce block lists that include drivers known to be vulnerable. Operating systems such as Windows provide mechanisms to block the loading of specific drivers, preventing cybercriminals from exploiting these weaknesses. This practice is essential to prevent the execution of compromised drivers in the organizational environment.
Strengthening of Administrative Privileges
Restrict administrative privileges required for driver installation and loading. Implement access control policies that limit the ability of employees to install unauthorized software. In addition, use identity and access management (IAM) solutions to monitor and control user privileges, minimizing the risk of cybercriminals exploiting accounts with elevated permissions.
Kernel Protection Mechanisms Activation
Enable security features built into the operating system, such as Kernel Mode Code Integrity Protection and Memory Integrity. These tools help prevent the loading of unauthorized or malicious drivers, reinforcing security at the kernel level of the system.
Active Monitoring and Incident Response
Implement continuous monitoring solutions that detect suspicious activities related to controllers, such as attempts to load unauthorized controllers or modifications to existing ones. Establish rapid response procedures to isolate and remediate compromised systems, preventing the spread of threats and minimizing the impact on the organization.
Employee Education and Awareness
Train employees on security best practices, emphasizing the importance of not installing software or drivers from untrusted sources. Foster a security culture where employees are aware of possible attack vectors and know how to report unusual activities.
Conclusion
BYOVD represents a significant threat in today’s cybersecurity landscape. Cybercriminals exploit legitimate but vulnerable drivers to gain privileged access to the system kernel, thus circumventing traditional security measures. This approach has been adopted by a variety of threat groups, including ransomware actors and advanced persistent threat (APT) groups, underscoring the need for constant vigilance and proactive response by organizations.
To mitigate the risks associated with BYOVD, it is essential that organizations implement robust security strategies. This includes maintaining an up-to-date block list of vulnerable drivers, employing advanced endpoint detection and response (EDR) tools, and ensuring that all drivers and systems are updated with the latest security patches. In addition, collaboration between hardware manufacturers, software developers and cybersecurity professionals is crucial to proactively identify and address driver vulnerabilities.
In short, awareness and coordinated action are critical to protecting systems against the threats posed by BYOVD. By taking a proactive and collaborative approach, organizations can strengthen their defenses and reduce the attack surface available to cybercriminals.
