Threat actor trying to exploit old Windows weakness

Share post:

A threat actor that specializes in getting around multifactor authentication protection has added a new tool to its arsenal for infecting computers: Leveraging a known Windows weakness to compromise the operating system’s kernel.

The group is dubbed Scattered Spider by researchers at Crowdstrike. Others call it Roasted 0ktapus or UNC3944. Whatever the name, Crowdstrike says that in December it detected this group trying to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys)

The weakness in Windows has been used by hackers for several years in a technique researchers call “Bring Your Own Vulnerable Driver.” The tactic, Crowdstrike notes, still works because of a gap in Windows security. Windows doesn’t allow unsigned kernel-mode drivers to run by default. However, the Bring Your Own Vulnerable Driver tactic makes it easy for an attacker with administrative control to bypass Windows kernel protections.

The vulnerability was detailed in this story by Ars Technica last October.

In the December incident, the hacker attempted to load a malicious driver but was blocked by Crowdstrike’s technology. But in the past months, Crowdstrike Services has seen the same hacker trying to bypass other endpoint tools, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.

There are several versions of a malicious display driver used by this hacker that are signed by different certificates and authorities, the report says, including stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate. The intent is to disable the endpoint security products’ visibility and prevention capabilities so the actor can further their actions on objectives.

Windows administrators should do several things, says the report: First, locate and patch the vulnerable Intel Display Driver specified in CVE-2015-2291. Second, employ a rigorous, defense-in-depth approach that monitors endpoints, cloud workloads, identities, and networks to defend against this attack, says Crowdstrike. “The holistic deployment of security tooling paired with a high operational tempo in responding to alerts and incidents are critical to success.”

Third, consider enabling Microsoft’s Hypervisor-Protected Code Integrity (HVCI), a component of Virtualization-Based Security (VBS) designed to prevent users with elevated privilege from being able to read and write to kernel memory. The protections were implemented in order to address the security flaw of not enforcing kernel memory protection.

The post Threat actor trying to exploit old Windows weakness first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways