Friday, June 14, 2024

Blackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

The group behind a major ransomware attack, BlackByte ransomware gang has turned to a deadly new method of attack, “Bring Your Own Vulnerable Driver” (BYOVD). 

The reason behind this is that it allows security products to be bypassed by attacks, thus allowing them to breach the system. Over 1,000 drivers used in antivirus software have been exploited because of a vulnerability found in their software.

The vulnerability named CVE-2019-16098 may allow application privileges to be escalated and arbitrary code to be executed by attackers.

The cybersecurity experts at Sophos affirmed that the attackers were exposing I/O control codes directly to user-mode processes through the driver the attackers were using.

Hackers can do this without the use of exploits or shellcodes, since kernel memory can be read, written, and executed directly.

Technical Analysis

In order to exploit the security issue, BlackByte effectively disables the drivers that prevent several EDR and antivirus products from functioning properly due to the exploited security vulnerability.

In terms of the BlackByte attack, where the protection system is disabled. While the attack flow is clearly explained the image below:-

BlackByte initially identifies the kernel version in order to select the offsets that are applicable to the kernel ID in the first stage of the attack.

In the next step, the RTCore64.sys file will be placed in the file directory “AppData/Roaming”. After that an unambiguous display name is randomly selected and then a hardcoded name is used to create the service.

Using CVE-2019-16098, the attackers then remove the address of the callback function for the event handler, as well as another parameter called NotifyRoutine, by zeroing it out. 

Hackers are only able to zero out addresses that are associated with AV/EDR drivers for products which support this function. In most cases, the systems are a combination of multiple protective measures.

Drivers for security products often use routines like these in order to collect information on the activity of the system, which is then passed to the security products.

Attackers might aim to remove these callbacks from the memory of the kernel in order to achieve their objectives.

An attacker has the following options when it comes to bypassing this security feature:-

Take advantage of legitimate code signing certificates by stealing them or acquiring them anonymously.

Reading, writing, or executing code in kernel memory by abusing existing signed drivers.

By adding the particular MSI driver to an active blocklist that can be added to the system configuration, administrators will be able to protect themselves against BlackByte’s new security bypassing trick.

Moreover, to identify any rogue driver injections that do not have a hardware match, it is imperative that administrators monitor the installation events of all drivers and scrutinize them on a regular basis.

Also Read: Download Secure Web Filtering – Free E-book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles