In yet another case of a bring your own vulnerable driver (BYOVD) attack, the operators of the BlackByte ransomware are exploiting a flaw in a legitimate, signed Windows driver to bypass security solutions.
"The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos threat researcher Andreas Klopsch said in a new technical write-up.
BYOVD is an attack technique in which threat actors abuse vulnerabilities in legitimate, signed drivers to achieve kernel-mode code execution and take control of compromised machines. Because the driver carries a valid signature, Windows driver signature enforcement loads it without complaint; an attacker who already holds local administrator rights installs it as a service and then uses its bug as a kernel read/write primitive, rather than having to bring unsigned kernel code of their own.
Weaknesses in signed drivers have increasingly been co-opted by nation-state threat groups in recent years, including Slingshot, InvisiMole, APT28, and most recently, the Lazarus Group.
BlackByte, believed to be an offshoot of the now-defunct Conti group, is one of the big game hunting cybercrime crews that zero in on large, high-profile targets as part of their ransomware-as-a-service (RaaS) scheme.
According to the cybersecurity firm, recent attacks mounted by the group have taken advantage of a privilege escalation and code execution flaw (CVE-2019-16098, CVSS score: 7.8) affecting the Micro-Star MSI Afterburner RTCore64.sys driver to disable security products. The bug lets a local user read and write arbitrary kernel memory through the driver, which is enough to tamper with the kernel callback routines that EDR and antivirus drivers register to observe process, thread and image-load activity.
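A quick host check a defender might run after reading this, added here as an example rather than anything from the article or from Sophos' write-up: it walks the kernel driver services on a Windows host and flags any whose binary is RTCore64.sys (the driver named above) or which lives outside the usual System32\drivers directory, then records the Authenticode signer and SHA256 for triage. The watch list, the path heuristic and the output fields are this example's own assumptions; run it as Administrator.

```powershell
# Added example (not from the article or Sophos' write-up): hunt for the driver the
# article names, RTCore64.sys, among the kernel driver services on a Windows host.
# The watch list, the path heuristic and the output fields are assumptions of this
# example; extend $watchList with the driver names from your own blocklist.

$watchList = @('RTCore64.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalise the common ones.
    $p = $PathName -replace '^\\\?\?\\', ''                        # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot              # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $svc.PathName) { continue }
    $path = Resolve-DriverPath $svc.PathName
    $file = [System.IO.Path]::GetFileName($path)
    $onWatchList = $watchList -contains $file
    # Heuristic (assumption): drivers installed by a product normally sit under
    # System32\drivers; a BYOVD payload is often dropped elsewhere and registered
    # as a brand-new service shortly before the security tooling goes quiet.
    $outsideDrivers = $path -notlike "$env:SystemRoot\System32\drivers\*"
    if (-not ($onWatchList -or $outsideDrivers)) { continue }

    $exists = Test-Path -LiteralPath $path
    $sig  = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $hash = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { 'file missing' }

    [PSCustomObject]@{
        Service   = $svc.Name
        State     = $svc.State
        File      = $file
        Path      = $path
        WatchList = $onWatchList
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        SHA256    = $hash
    }
}

$findings | Sort-Object -Property WatchList -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. A hit on RTCore64.sys is not proof of abuse: the driver ships with MSI Afterburner and is expected on machines where that tool is installed, so the service name, install time and what happened to the EDR agent around that time matter more than the file name. Conversely, an attacker can rename the file, so the watch-list match alone misses that case; the signer subject and the hash still identify the binary, and a newly created driver service is worth correlating with Windows System log event 7045 (a service was installed) and, where Sysmon is deployed, Event ID 6 (driver loaded).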