Cybersecurity researchers are warning about a growing wave of attacks that exploit legitimate Windows drivers to bypass security protections and gain deep control over targeted systems.
The technique, known as Bring Your Own Vulnerable Driver or BYOVD, involves attackers loading digitally signed but flawed drivers onto a compromised machine. Once active, the vulnerable driver can be exploited to gain kernel level privileges, the highest level of access in the Windows operating system.
Researchers from Picus Security said the method allows threat actors to “load a legitimate, digitally signed, but vulnerable driver onto a target system” and then exploit weaknesses in that driver to gain arbitrary kernel mode execution.
With this level of access, attackers can disable endpoint security tools, manipulate operating system processes and carry out further malicious activity without interference.
How the attack works
BYOVD attacks do not provide the initial entry point into a system. Instead, attackers use the technique after gaining administrative access through other methods such as phishing campaigns, stolen credentials, exploitation of exposed services or purchasing access from an initial access broker.
Once administrative privileges are obtained, attackers introduce a vulnerable driver file into the system. The driver, typically a .sys file, is often placed in directories that allow easy writing access such as temporary Windows folders or public user directories.
Many of these drivers are taken directly from legitimate vendor software packages, including hardware utilities, monitoring tools or gaming applications. Because the drivers are officially signed and appear legitimate, they can pass Windows trust checks.
Attackers then load the driver into the Windows kernel.
This is commonly done through the Windows Service Control Manager using commands such as sc.exe create and sc.exe start, or by calling system level APIs like NtLoadDriver.
Since the driver carries a valid digital signature, Windows allows it to run in kernel space without immediately triggering alerts.
Exploiting driver weaknesses
After the vulnerable driver is loaded, attackers exploit unsafe input and output control functions exposed by the driver. These functions can allow direct reading and writing of system memory.
By sending specially crafted requests, attackers can gain access to protected kernel memory regions. This effectively provides full control over the operating system’s most privileged layer.
With kernel read and write capabilities, attackers can disable security protections in several ways. They may remove endpoint detection and response callbacks from kernel structures, patch tamper protection routines in memory, terminate antivirus processes or manipulate system process objects to conceal malicious activity.
Even though security software may still appear installed, the endpoint may effectively be left
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: