Endpoint/Device Security, Malware

Old Intel driver vulnerability exploited to evade security systems

The Scattered Spider threat operation has been carrying out a Bring Your Own Vulnerable Driver (BYOVD) attack that exploits an old high-severity flaw in an Intel Ethernet diagnostics driver to bypass endpoint detection and response systems, according to BleepingComputer. The BYOVD attack, which uses a driver signed with different certificates stolen from Global Software and NVIDIA, has evaded Microsoft Defender for Endpoint, SentinelOne, and Palo Alto Networks Cortex XDR, a CrowdStrike report revealed. Attackers exploit the flaw, tracked as CVE-2015-2291, so that the driver can decrypt a hard-coded string listing the targeted security products, and then disable those products while leaving their drivers appearing to run normally. Similar BYOVD attacks have been launched by the North Korean hacking operation Lazarus and the BlackByte ransomware group. Microsoft attempted to address this class of attack with a driver blocklist introduced in 2021, but malicious drivers are only blocked by default starting with Windows 11 2022 and later versions.
