A threat actor that specializes in getting around multifactor authentication protection has added a new tool to its arsenal for infecting computers: Leveraging a known Windows weakness to compromise the operating system’s kernel.
The group is dubbed Scattered Spider by researchers at Crowdstrike. Others call it Roasted 0ktapus or UNC3944. Whatever the name, Crowdstrike says that in December it detected this group trying to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys
)
The weakness in Windows has been used by hackers for several years in a technique researchers call “Bring Your Own Vulnerable Driver.” The tactic, Crowdstrike notes, still works because of a gap in Windows security. Windows doesn’t allow unsigned kernel-mode drivers to run by default. However, the Bring Your Own Vulnerable Driver tactic makes it easy for an attacker with administrative control to bypass Windows kernel protections.
The vulnerability was detailed in this story by Ars Technica last October.
In the December incident, the hacker attempted to load a malicious driver but was blocked by Crowdstrike’s technology. But in the past months, Crowdstrike Services has seen the same hacker trying to bypass other endpoint tools, including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
There are several versions of a malicious display driver used by this hacker that are signed by different certificates and authorities, the report says, including stolen certificates originally issued to NVIDIA and Global Software LLC, as well as a self-signed test certificate. The intent is to disable the endpoint security products’ visibility and prevention capabilities so the actor can further their actions on objectives.
Windows administrators should do several things, says the report: First, locate and patch the vulnerable Intel Display Driver specified in CVE-2015-2291. Second, employ a rigorous, defense-in-depth approach that monitors endpoints, cloud workloads, identities, and networks to defend against this attack, says Crowdstrike. “The holistic deployment of security tooling paired with a high operational tempo in responding to alerts and incidents are critical to success.”
Third, consider enabling Microsoft’s Hypervisor-Protected Code Integrity (HVCI), a component of Virtualization-Based Security (VBS) designed to prevent users with elevated privilege from being able to read and write to kernel memory. The protections were implemented in order to address the security flaw of not enforcing kernel memory protection.