A new cyberattack technique called Bring Your Own Vulnerable Driver (BYOVD) is being used by threat actors to disable endpoint detection and response (EDR) software. The technique involves exploiting an outdated and vulnerable Microsoft-signed driver to gain higher privileges and disable security measures, after which the attackers can deploy either a backdoor or ransomware on the targeted system. The tool used to execute the BYOVD attack is called AuKill, which exploits an outdated version of the driver used by Microsoft utility, Process Explorer version 16.32.
According to a report by Sophos researcher Andreas Klopsch, six different versions of the malware, including Medusa Locker and LockBit, have been identified since the beginning of 2023, all of which have been distributed using the BYOVD attack technique. The earliest known sample of AuKill dates back to November 2022. Threat actors use vulnerable but legitimate drivers to bypass Driver Signature Enforcement, a crucial Windows security measure that requires signed kernel-mode drivers.
In addition to the BYOVD attack, other cyber threats are also on the rise. Trigona ransomware is being spread via poorly maintained MS-SQL servers, similar to CryLock malware. Play ransomware (also called PlayCrypt) uses specialized data gathering software to detect all network users and devices and steal data from VSS. The Balloonfly group uses Grixba, a .NET-based information stealer that scans for security programs, backup software, and remote administration tools, and transmits data in the form of compressed CSV files. They also utilize a .NET-based VSS Copying Tool that lists and copies files and folders in a VSS snapshot before encrypting them. Ransomware actors use proprietary tools, such as Exmatter, Exbyte, and PowerShell-based scripts, to avoid detection, and financially-motivated groups are adopting the Go programming language for cross-platform malware development.
To protect your organization from these and other cyber threats, it is essential to implement a comprehensive cybersecurity strategy. Some of the best practices include keeping software and drivers up-to-date, being wary of phishing emails and verifying the legitimacy of attachments or links before clicking, using reputable antivirus software with up-to-date signature files, implementing a robust backup strategy, considering a network security solution that can monitor and detect suspicious activity, and training employees on cybersecurity best practices and regularly testing their knowledge to prevent social engineering attacks.
If you're concerned about the security of your organization's network and data, consider reaching out to our cybersecurity consultancy services for a comprehensive assessment and protection plan. Our team of experts can help identify potential vulnerabilities, implement the latest security measures, and provide ongoing monitoring and support to help you stay ahead of emerging threats. With our help, you can rest assured that your organization's valuable data and assets are secure from cyber threats. Contact us today to learn more about our cybersecurity services and how we can help protect your business.