Cybercrime Driver

According to Crowdstrike, EDRs (Endpoint Detection and Response) are in the crosshairs of BYOVD (Bring Your Own Vulnerable Driver) attacks. Hackers have learned to bypass security suite controls by exploiting old Intel drivers.

Scattered Spider is a financially motivated cyber crime group. It attempted to exploit Intel’s Ethernet diagnostics drivers in a BYOVD attack to evade detection by Endpoint Detection and Response (EDR) security products. The BYOVD technique involves attackers loading a kernel-mode driver that is known to be vulnerable to exploits, and then abusing it to escalate privileges on Windows.

The flaw is tracked as CVE-2015-2291. Because device drivers run with access to the operating system kernel, such exploitable flaws allow cyber criminals to execute arbitrary code with the highest privileges on Windows.

According to Crowdstrike’s latest report, hackers attempted to use the BYOVD method to circumvent: Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne.

Microsoft introduced a blocklist in 2021 to address some of these issues. However, Windows did not block these drivers by default until the release of Windows 11 in September 2022. Microsoft recommends that Windows users enable the driver blocklist to protect themselves from BYOVD attacks.

Finally, it is possible to enable Windows Memory Integrity or Windows Defender Application Control (WDAC). However, enabling Memory Integrity is not easy on devices that have new drivers, because incompatible drivers prevent the feature from turning on.
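The two mitigations the article names (the Microsoft vulnerable driver blocklist and Memory Integrity, also called HVCI) can be audited and switched on from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the article, CrowdStrike or Microsoft. It assumes Windows 10 or 11 with PowerShell 5.1 or later, uses the Microsoft-documented registry values and the Win32_DeviceGuard WMI class, and also lists the currently running kernel drivers with their Authenticode signer, which is the first thing a defender wants to see when checking for an unexpected third-party driver. The "Get-RunningKernelDriverSignatures" helper and its \SystemRoot path handling are my own heuristic, not a Microsoft API. Both settings require a reboot before they take effect.

```powershell
# Added example (not from the article): audit and enable BYOVD mitigations on Windows.
# Run elevated. Registry locations are Microsoft-documented; a reboot is required afterwards.

$BlocklistKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$HvciKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-DriverMitigationStatus {
    # Configured state, as written in the registry
    $blocklist = (Get-ItemProperty -Path $BlocklistKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $hvciCfg   = (Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # Runtime state: Win32_DeviceGuard reports which VBS services are actually running.
    # SecurityServicesRunning contains 2 when HVCI / Memory Integrity is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VulnerableDriverBlocklistConfigured = ($blocklist -eq 1)
        MemoryIntegrityConfigured           = ($hvciCfg -eq 1)
        MemoryIntegrityRunning              = ($dg.SecurityServicesRunning -contains 2)
        VbsStatus                           = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled, 2 running
    }
}

function Enable-VulnerableDriverBlocklist {
    # Turns on Microsoft's vulnerable driver blocklist (HVCI or Smart App Control enforce it)
    if (-not (Test-Path $BlocklistKey)) { New-Item -Path $BlocklistKey -Force | Out-Null }
    New-ItemProperty -Path $BlocklistKey -Name VulnerableDriverBlocklistEnable -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-MemoryIntegrity {
    # Sets Memory Integrity (HVCI) to enabled; Windows will refuse to start it if an
    # incompatible driver is present, so check the driver list first.
    if (-not (Test-Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    New-ItemProperty -Path $HvciKey -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RunningKernelDriverSignatures {
    # Heuristic audit (assumption, not a Microsoft API): list running kernel drivers and
    # who signed them, so a driver from an unexpected vendor stands out for review.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''              # strip \??\ prefix
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot   # expand \SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

# 1. Review what is currently loaded, non-Microsoft signers first
Get-RunningKernelDriverSignatures |
    Sort-Object { $_.Signer -like '*Microsoft*' }, Name |
    Format-Table -AutoSize

# 2. Report the mitigation state, then enable whatever is missing
$before = Get-DriverMitigationStatus
$before | Format-List

if (-not $before.VulnerableDriverBlocklistConfigured) { Enable-VulnerableDriverBlocklist }
if (-not $before.MemoryIntegrityConfigured)           { Enable-MemoryIntegrity }

Write-Host 'Settings written. Reboot for them to take effect; if Memory Integrity fails to start, an incompatible driver from the list above is the usual cause.'
```

Run the audit step on its own first on fleet hardware with vendor diagnostic tools installed: a driver that fails to load under Memory Integrity is exactly the case the article describes, and the signer listing tells you which vendor package to update or remove before enabling the setting.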