Threat actor trying to exploit old Windows weakness

Share post:

A threat actor that specializes in getting around multifactor authentication protection has added a new tool to its arsenal for infecting computers: Leveraging a known Windows weakness to compromise the operating system’s kernel.

The group is dubbed Scattered Spider by researchers at Crowdstrike. Others call it Roasted 0ktapus or UNC3944. Whatever the name, Crowdstrike says that in December it detected this group trying to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys)

The weakness in Windows has been used by hackers for several years in a technique researchers call “Bring Your Own Vulnerable Driver.” The tactic, Crowdstrike notes, still works because of a gap in Windows security. Windows doesn’t allow unsigned kernel-mode drivers to run by default. However, the Bring Your Own Vulnerable Driver tactic makes it easy for an attacker with administrative control to bypass Windows kernel protections.

The vulnerability was detailed in this story by Ars Technica last October.

In the December incident, the hacker attempted to load a malicious driver but was blocked by Crowdstrike’s technology. But in the past months, Crowdstrike Services has seen the same hacker trying to bypass other endpoint tools, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.

There are several versions of a malicious display driver used by this hacker that are signed by different certificates and authorities, the report says, including stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate. The intent is to disable the endpoint security products’ visibility and prevention capabilities so the actor can further their actions on objectives.

Windows administrators should do several things, says the report: First, locate and patch the vulnerable Intel Display Driver specified in CVE-2015-2291. Second, employ a rigorous, defense-in-depth approach that monitors endpoints, cloud workloads, identities, and networks to defend against this attack, says Crowdstrike. “The holistic deployment of security tooling paired with a high operational tempo in responding to alerts and incidents are critical to success.”

Third, consider enabling Microsoft’s Hypervisor-Protected Code Integrity (HVCI), a component of Virtualization-Based Security (VBS) designed to prevent users with elevated privilege from being able to read and write to kernel memory. The protections were implemented in order to address the security flaw of not enforcing kernel memory protection.

The post Threat actor trying to exploit old Windows weakness first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, June 12, 2024 – More Snowflake storage victims found, Microsoft issues new Windows patches,

More Snowflake storage victims found, Microsoft issues new Windows patches, and more. Welcome to Cyber Security Today. It's Wednesday,...

Former OpenAI employee alleges plan for AGI bidding war

In a recent interview, former OpenAI safety researcher Leopold Aschenbrenner made startling claims about his ex-employer's strategy regarding...

Malicious code in millions of installs traced to Microsoft Visual Studio

A group of Israeli researchers found thousands of potentially harmful extensions on the Visual Studio Code (VSCode) Marketplace,...

Cyber Security Today, June 10, 2024 – Microsoft backs down on Recall

Microsoft backs down on Recall. Welcome to Cyber Security Today. It's Monday, June 10th, 2024. I'm Howard Solomon, contributing...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways