Tuesday, October 15, 2024
HomeCyber Security NewsBlackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

Blackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

Published on

Malware protection

The group behind a major ransomware attack, BlackByte ransomware gang has turned to a deadly new method of attack, “Bring Your Own Vulnerable Driver” (BYOVD). 

The reason behind this is that it allows security products to be bypassed by attacks, thus allowing them to breach the system. Over 1,000 drivers used in antivirus software have been exploited because of a vulnerability found in their software.

The vulnerability named CVE-2019-16098 may allow application privileges to be escalated and arbitrary code to be executed by attackers.

- Advertisement - SIEM as a Service

The cybersecurity experts at Sophos affirmed that the attackers were exposing I/O control codes directly to user-mode processes through the driver the attackers were using.

Hackers can do this without the use of exploits or shellcodes, since kernel memory can be read, written, and executed directly.

Technical Analysis

In order to exploit the security issue, BlackByte effectively disables the drivers that prevent several EDR and antivirus products from functioning properly due to the exploited security vulnerability.

In terms of the BlackByte attack, where the protection system is disabled. While the attack flow is clearly explained the image below:-

BlackByte initially identifies the kernel version in order to select the offsets that are applicable to the kernel ID in the first stage of the attack.

In the next step, the RTCore64.sys file will be placed in the file directory “AppData/Roaming”. After that an unambiguous display name is randomly selected and then a hardcoded name is used to create the service.

Using CVE-2019-16098, the attackers then remove the address of the callback function for the event handler, as well as another parameter called NotifyRoutine, by zeroing it out. 

Hackers are only able to zero out addresses that are associated with AV/EDR drivers for products which support this function. In most cases, the systems are a combination of multiple protective measures.

Drivers for security products often use routines like these in order to collect information on the activity of the system, which is then passed to the security products.

Attackers might aim to remove these callbacks from the memory of the kernel in order to achieve their objectives.

An attacker has the following options when it comes to bypassing this security feature:-

Take advantage of legitimate code signing certificates by stealing them or acquiring them anonymously.

Reading, writing, or executing code in kernel memory by abusing existing signed drivers.

By adding the particular MSI driver to an active blocklist that can be added to the system configuration, administrators will be able to protect themselves against BlackByte’s new security bypassing trick.

Moreover, to identify any rogue driver injections that do not have a hardware match, it is imperative that administrators monitor the installation events of all drivers and scrutinize them on a regular basis.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...