BYOVD, short for Bring Your Own Vulnerable Driver, is an adversarial technique where attackers implant a legitimate driver (which is vulnerable) into a targeted system. They then exploit the vulnerable driver to perform malicious actions.
What are Drivers?
Drivers are software that acts as an intermediary between the operating system and a Device. A driver translates the operating system's instructions into actions that the device can understand and carry out. Without a driver, a computer would not be able to use the various connected devices.
Drivers are also developed to provide support for software applications or functions within the operating system that are not natively present in the operating system. An example is a File System driver, which can allow access to different types of filesystems(ExFat, Ext4), which the OS does not natively support. Just like any software, a driver can have vulnerabilities. Attackers exploit these vulnerabilities to gain kernel privileges during an attack known as a Bring Your Own Vulnerable Driver (BYOVD) attack.
The attack
Because the drivers are legitimately signed, hence trusted by security software, they are neither flagged nor blocked. Moreover, the drivers involved in BYOVD attacks are usually kernel-mode drivers. Successful exploitation allows attackers to achieve kernel-level privilege escalation, which grants them the highest level of access and control over system resources on a target. Drivers are typically Ring-0, hence it impacts system wide (though there are Ring-3 drivers, those are not used for these type of attacks. Attackers leverage this escalated privilege by disabling endpoint security software or evading their detection. Once endpoint security defenses are compromised, attackers are free to engage in malicious activities without any obstruction. This technique is gaining traction and poses new challenges to endpoint security.
Initially, the BYOVD technique was used by top-tier APT groups such as Turla and the Equation Group. However, as the cost of attacks decreased, other threat actors have also begun leveraging it to achieve their objectives. If we search for BYOVD on BleepingComputer, we can find evidence of different threat groups using this technique in real-world attacks.
BYOVD Attack Tools & Resources
Attackers may develop their own tools or incorporate open-source tools, which has helped lower the cost of BYOVD attacks. Some custom tools are modified based on open-source projects. For example, during the first half of 2023, the UNC2970 APT group and LockBit ransomware group used their custom BYOVD tools called LIGHTSHOW and AuKill, respectively. AuKill shares similarities with the open-source tool Backstab. The figure below highlights some of the similar functions between Backstab and AuKill.
Indeed, LockBit integrated the Backstab tool in a ransomware attack in November 2022. Another BYOVD tool used by ransomware groups is called "Terminator". This program is promoted by a threat actor with the moniker "spyboy" and has been for sale on a Russian hacking forum since May 2023.
Spyboy claims that this tool can terminate twenty-three AVs/EDRs/XDRs, including products by Windows, Sophos, VMware, SentinelOne, and ESET. The Terminator tool has been observed in attacks by the BlackCat ransomware gang.
The cost of BYOVD attacks has also decreased due to the availability of vulnerable driver libraries. For example, the Living Off The Land Drivers (LOLDrivers) project records over 700 legitimate drivers that attackers can exploit. Additionally, undocumented, or attacker-exclusive drivers can also be used for malicious activities. This means that attackers have ample weapons for launching BYOVD attacks.
Pioneers of BYOVD technique
The first attack was carried out by the BlackByte ransomware gang and recently detailed by researchers at cybersecurity firm Sophos.
Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products.
Sophos experts analyzed a sample of the most recent variant of the ransomware, which is written in Go, and discovered that the threat actors are exploiting a vulnerability in a legitimate Windows driver to bypass security solutions.
“We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys,” reads the post published by Sophos. “The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection. Sophos products provide mitigations against the tactics discussed in this article.”
“Bring Your Own Driver” is the name given to this technique — exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability.”
The issue is a privilege escalation and code execution vulnerability, tracked as CVE-2019-16098 (CVSS score 7.8), that affects the Micro-Star MSI Afterburner RTCore64.sys driver.
The RTCore64.sys and RTCore32.sys drivers are widely used by Micro-Star’s MSI AfterBurner 4.6.2.15658 utility which allows to extend control over graphic cards on the system.
An authenticated user can exploit the flaw to read and write to arbitrary memory, I/O ports, and MSRs, potentially leading to privilege escalation and code execution under high privileges, and information disclosure. The experts explained that signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malware.
Timeline - BYOVD Attacks in H1 2023
Here are some notable vulnerable driver attacks reported in the first half of 2023. This list shows that BYOVD is widely used among threat actors, including APT and ransomware groups.
January:
The threat actor Scattered Spider (UNC3944) exploits the iqvw64.sys driver with the vulnerability CVE-2015-2291. iqvw64.sys is an old Intel Ethernet diagnostics driver patched in 2015. (Reported by CrowdStrike)
February:
Attackers use malvertising to distribute malware and exploit a renamed version (Иисус.sys) of the PROCEXP152.sys driver. PROCEXP152.sys is a part of Process Explorer, the process management tool in Windows OS. (Reported by SentinelOne) A threat actor distributes the Sliver toolkit using the Sunlogin remote desktop application and exploits the mhyprot2.sys driver. mhyprot2.sys is an anti-cheat driver for the popular video game Genshin Impact. (Reported by AhnLab)
March:
The UNC2970 APT group used the LIGHTSHOW tool to exploit ene.sys. ene.sys is a vulnerable driver provided by ENE Technology Inc and signed with a certificate issued by Ptolemy Tech Co. (Reported by Mandiant)
April:
Ransomware groups used the AuKill tool to exploit the vulnerable driver of Windows Process Explorer version 16.32. The renamed PROCEXP.SYS was dropped alongside the original PROCEXP152.SYS. (Reported by Sophos)
May:
Earth Longzhi, a subgroup of APT41 or Winnti, used the SPHijacker tool to exploit a renamed version (mmmm.sys) of the vulnerable zamguard64.sys driver. zamguard64.sys is used by the security software Zemana Anti-Malware. (Reported by TrendMicro)
June:
The BlackCat ransomware group used the spyboy Terminator tool to exploit the zamguard64.sys/zam64.sys driver. (Reported by CrowdStrike here and here)
Protecting against BYOVD Attacks
Due to the lower cost and, thus, the greater accessibility of BYOVD attacks, endpoint security products that lack purpose-built protection against BYOVD techniques are highly susceptible to compromise. While vulnerable driver libraries like LOLDrivers can be abused by attackers, they also benefit defenders. For example, Microsoft’s vulnerable driver blocklist and Elastic's VulnDriver YARA rules are available to facilitate security audit work.
Microsoft's vulnerable driver blocklist is a list of known vulnerable drivers that defenders can use to identify and create rules to block dangerous drivers on endpoints.
Elastic's VulnDriver YARA rules are rules written in the YARA language. These rules target driver vulnerabilities and help defenders detect and mitigate potential BYOVD attacks.
By utilizing these resources, defenders can enhance the protection against BYOVD threats by quickly identifying and addressing driver vulnerabilities. This proactive approach helps minimize the risk of compromise and strengthen the overall security posture of the endpoint security products.
References:
[1] What is BYOVD? – BYOVD Attacks in 2023. (2023). Retrieved from https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/what-is-byovd-attacks-2023
[2] CyberNews. Retrieved from https://cybernews.com/security/bring-your-own-vulnerable-driver-attack/
[3] Exploit Party: Bring Your Own Vulnerable Driver Attacks - FourCore. (2023). Retrieved 29 August 2023, from https://fourcore.io/blogs/bring-your-own-vulnerable-driver-attack