Categories: Cyber Security News

Blackbyte Ransomware Bypass EDR Security Using Drive Vulnerability

The group behind a major ransomware attack, BlackByte ransomware gang has turned to a deadly new method of attack, “Bring Your Own Vulnerable Driver” (BYOVD). 

The reason behind this is that it allows security products to be bypassed by attacks, thus allowing them to breach the system. Over 1,000 drivers used in antivirus software have been exploited because of a vulnerability found in their software.

The vulnerability named CVE-2019-16098 may allow application privileges to be escalated and arbitrary code to be executed by attackers.

The cybersecurity experts at Sophos affirmed that the attackers were exposing I/O control codes directly to user-mode processes through the driver the attackers were using.

Hackers can do this without the use of exploits or shellcodes, since kernel memory can be read, written, and executed directly.

Technical Analysis

In order to exploit the security issue, BlackByte effectively disables the drivers that prevent several EDR and antivirus products from functioning properly due to the exploited security vulnerability.

In terms of the BlackByte attack, where the protection system is disabled. While the attack flow is clearly explained the image below:-

BlackByte initially identifies the kernel version in order to select the offsets that are applicable to the kernel ID in the first stage of the attack.

In the next step, the RTCore64.sys file will be placed in the file directory “AppData/Roaming”. After that an unambiguous display name is randomly selected and then a hardcoded name is used to create the service.

Using CVE-2019-16098, the attackers then remove the address of the callback function for the event handler, as well as another parameter called NotifyRoutine, by zeroing it out. 

Hackers are only able to zero out addresses that are associated with AV/EDR drivers for products which support this function. In most cases, the systems are a combination of multiple protective measures.

Drivers for security products often use routines like these in order to collect information on the activity of the system, which is then passed to the security products.

Attackers might aim to remove these callbacks from the memory of the kernel in order to achieve their objectives.

An attacker has the following options when it comes to bypassing this security feature:-

Take advantage of legitimate code signing certificates by stealing them or acquiring them anonymously.

Reading, writing, or executing code in kernel memory by abusing existing signed drivers.

By adding the particular MSI driver to an active blocklist that can be added to the system configuration, administrators will be able to protect themselves against BlackByte’s new security bypassing trick.

Moreover, to identify any rogue driver injections that do not have a hardware match, it is imperative that administrators monitor the installation events of all drivers and scrutinize them on a regular basis.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Foxit PDF Reader/Editor Vulnerability Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit PDF…

2 minutes ago

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could…

35 minutes ago

NetWalker Ransomware Operator Sentenced to 20 Years in Prison

A Romanian man has been sentenced to 20 years in prison for his involvement in…

1 hour ago

CISA Warns of BeyondTrust Privileged Remote Access Exploited in Wild

 The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical vulnerability…

2 hours ago

CISA Releases Eight New ICS Advisories to Defend Cyber Attacks

 The Cybersecurity and Infrastructure Security Agency (CISA) has issued eight detailed advisories on vulnerabilities affecting…

2 hours ago

NotLockBit – Previously Unknown Ransomware Attack Windows & macOS

A new and advanced ransomware family, dubbed NotLockBit, has emerged as a significant threat in…

3 hours ago