Attackers are increasingly using a method to disable Windows Defender, antivirus, or any other protection tool on a system: Bring Your Own Vulnerable Driver (BYOVD), in which a legitimately signed but flawed driver is loaded and then abused from user mode. Security researchers at Sophos have described the technique in detail, along with the risk it poses to businesses across the world.
Sophos's research indicates that the BlackByte ransomware group is exploiting CVE-2019-16098, a vulnerability in RTCore64.sys and RTCore32.sys, the drivers shipped with MSI Afterburner 4.6.2.15658 from Micro-Star International. Afterburner is a GPU overclocking tool that gives users additional control over their PC's graphics hardware.
Malware Uses the Driver to Disable Security Products
The vulnerability allows any authenticated user to read and write arbitrary kernel memory through the driver, which can be turned into privilege escalation, code execution, and data theft. In this case it let BlackByte disable over 1,000 drivers on which security products rely. Because the driver carries a valid vendor signature, Windows loads it without complaint; the attacker only needs to be able to send requests to it from a user-mode process.
To defend against this attack method, Sophos recommends that IT administrators add these specific MSI drivers to an active blocklist and verify that they are not running on their endpoints. They should also keep a close eye on all drivers installed on their devices and audit endpoints regularly for rogue drivers that do not correspond to the installed hardware. Microsoft's recommended driver block rules, which can be enforced through Windows Defender Application Control and the built-in vulnerable driver blocklist, also cover RTCore64.sys.
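The audit Sophos recommends can be scripted. The following PowerShell is an added example written for this article, not code from Sophos or from the report; it inventories every kernel-mode driver service on an endpoint, flags the two MSI driver file names named above, lists drivers whose binary is missing or whose signature does not validate, lists third-party drivers to be checked against the hardware, and reads the registry value that Windows uses to record whether Microsoft's vulnerable driver blocklist is enabled (the registry location and value name are an assumption to verify against your Windows build). Run it as Administrator.

```powershell
# Added example (not from the Sophos report): audit kernel drivers on a
# Windows endpoint for the MSI Afterburner driver that BlackByte abused,
# and surface anything that a rogue driver would look like. Run elevated.

# File names named in the article. Matching is on name and signer; add
# SHA-256 hashes from your own trusted IOC source if you want exact matches.
$SuspectNames = @('RTCore64.sys', 'RTCore32.sys')

function Get-DriverInventory {
    # Win32_SystemDriver covers every kernel-mode service entry, running or not.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if ($path) {
            # Normalise the \??\ and \SystemRoot\ prefixes used in service image paths.
            $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        }
        $sig = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            FileName  = if ($path) { Split-Path -Leaf $path } else { $null }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        }
    }
}

$inventory = Get-DriverInventory

"=== 1. Drivers Sophos says to blocklist ==="
$inventory | Where-Object { $_.FileName -in $SuspectNames } |
    Format-Table Name, State, StartMode, Path, Signer, SigStatus -AutoSize

"=== 2. Drivers whose file is missing or whose signature does not validate ==="
# A driver dropped to a temp directory by malware is often deleted afterwards,
# leaving a service entry with no file behind. Note that many inbox Windows
# drivers are catalog-signed; Get-AuthenticodeSignature may report those as
# NotSigned, so check System32\drivers entries against the catalog before
# treating them as rogue.
$inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, State, Path, SigStatus -AutoSize

"=== 3. Third-party signed drivers: compare against the hardware actually installed ==="
$inventory | Where-Object { $_.Signer -and $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Signer |
    Format-Table Name, State, Signer, Path -AutoSize

"=== 4. Is Microsoft's vulnerable driver blocklist turned on? ==="
# Assumption: the Core Isolation setting is recorded as DWORD
# VulnerableDriverBlocklistEnable under this key, 1 = enabled.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
'Vulnerable driver blocklist enabled: ' + ($ci.VulnerableDriverBlocklistEnable -eq 1)
```

Export the inventory (for example with `Export-Csv`) from a known-good baseline image and diff it against each endpoint on a schedule; a new third-party driver service that no hardware change explains is the signal to investigate.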
Bring Your Own Vulnerable Driver is not a new method, but its popularity is growing rapidly. Earlier this week, the Lazarus Group, a notorious North Korean state-sponsored threat actor, was exposed using it.
ESET's security researchers recently observed the group approaching political journalists and aerospace experts in Europe with phony job offers from Amazon.
The lures were fake job-description PDFs; the malware they delivered then deployed an outdated, vulnerable Dell driver on the victim's machine. This method is particularly risky because antivirus software does not flag the driver: it is a legitimately signed vendor component and is not harmful in and of itself.