Threat actor trying to exploit old Windows weakness

A threat actor that specializes in getting around multifactor authentication protection has added a new tool to its arsenal for infecting computers: Leveraging a known Windows weakness to compromise the operating system’s kernel.

The group is dubbed Scattered Spider by researchers at Crowdstrike. Others call it Roasted 0ktapus or UNC3944. Whatever the name, Crowdstrike says that in December it detected this group trying to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys)

The weakness in Windows has been used by hackers for several years in a technique researchers call “Bring Your Own Vulnerable Driver.” The tactic, Crowdstrike notes, still works because of a gap in Windows security. Windows doesn’t allow unsigned kernel-mode drivers to run by default. However, the Bring Your Own Vulnerable Driver tactic makes it easy for an attacker with administrative control to bypass Windows kernel protections.

The vulnerability was detailed in this story by Ars Technica last October.

In the December incident, the hacker attempted to load a malicious driver but was blocked by Crowdstrike’s technology. But in the past months, Crowdstrike Services has seen the same hacker trying to bypass other endpoint tools, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.

There are several versions of a malicious display driver used by this hacker that are signed by different certificates and authorities, the report says, including stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate. The intent is to disable the endpoint security products’ visibility and prevention capabilities so the actor can further their actions on objectives.

Windows administrators should do several things, says the report: First, locate and patch the vulnerable Intel Display Driver specified in CVE-2015-2291. Second, employ a rigorous, defense-in-depth approach that monitors endpoints, cloud workloads, identities, and networks to defend against this attack, says Crowdstrike. “The holistic deployment of security tooling paired with a high operational tempo in responding to alerts and incidents are critical to success.”

Third, consider enabling Microsoft’s Hypervisor-Protected Code Integrity (HVCI), a component of Virtualization-Based Security (VBS) designed to prevent users with elevated privilege from being able to read and write to kernel memory. The protections were implemented in order to address the security flaw of not enforcing kernel memory protection.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.