BYOVD Archives

One of the recent developments in hacking has been the Bring Your Own Vulnerable Driver (BYOVD) attack, but what is it and how do you defend against one?

By now, the Ophtek blog should have informed you about ransomware, trojans, and cryptojacking, but we’ve rarely mentioned the dangers of a BYOVD attack. In the past, BYOVD attacks were mostly carried out by only the most sophisticated threat actors, but they’re now becoming increasingly popular with even basic bedroom hackers. Therefore, today is the day we remedy this and provide you with a fully comprehensive look at BYOVD attacks and how you can stay safe.

The Role of Drivers within Your PC

Before we dig deep down into the mechanics of a BYOVD attack, it’s important that you understand what’s at the heart of their malicious activities: drivers. You’ve no doubt heard of drivers in passing, but it’s only the most die-hard PC user who would fully understand what they do. Their main role is as a file used to support software applications. They work by acting as a bridge between an operating system and a device e.g. between Windows and a graphics card.

Without drivers, your PC simply wouldn’t work. From your display through to your speakers and printer, there would be no way for your operating system to communicate with these devices. This makes drivers a crucial part of any PC, but it also means they’re ripe for cyberattacks.

Breaking Down a BYOVD Attack

We’re all aware of software vulnerabilities, and a BYOVD is a unique take on this method of hacking. In a BYOVD attack, threat actors will trick their victims into downloading outdated, vulnerable drivers onto their PC. This could be through phishing emails or pop-up adverts, with the main objective of getting these unsafe drivers downloaded onto a PC along with a nasty dose of malware. With these vulnerable drivers in place, threat actors can take control of the infected PC.

BYOVD attacks are dangerous for the following reasons:

Data Theft: With BYOVD attacks capable of bypassing your security software, they not only have easy access to all your data but can effortlessly transmit it to remote servers.
Install Further Malware: IT systems with vulnerabilities exploited are at risk of having further malware installed on them. So, for example, a threat actor could first gain access to your system before downloading further malware to facilitate DDoS attacks or support cryptojacking.
Damage Your Productivity: A BYOVD attack can quickly render your IT systems unusable due to the capabilities of drivers. By exploiting the deep access and reach drivers have, threat actors have the opportunity to disable network components, corrupt system files, and damage hardware.

You can find out more specifics of the impact of a BYOVD attack by checking out our article on the EDRKillShifter malware.

Protecting Your IT Systems from BYOVD Attacks

You may have been unfamiliar with BYOVD attacks, but you should now have a basic understanding of how they operate. The next step is to protect yourself by implementing these security practices:

Driver Whitelisting: this is a method whereby only authorized system users have the privileges to install drivers on your IT infrastructure. Even then, the use of Windows Defender Application Control should also be utilized to ensure that only pre-approved, digitally signed drivers can be installed.
Regular Updates: one of the simplest ways to protect against BYOVD attacks is by installing all updates and patches as soon as possible. Automating these updates allows you to guarantee that you have the freshest, most secure drivers on your system at all times.
Employee Education: BYOVD attacks are often distributed by phishing attacks, so it’s useful to educate, and regularly refresh, your employees on the telltale signs of a phishing attack. This could prove invaluable as your employees are your most important defense against cyberattacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

New Malware Used to Target Security Software

BYOVD, DSE, EDRKillShifter, install updates, malware, Ophtek, Russian Hackers, SophosBYOVD, DSE, EDRKillShifter, malware, Ophtek, Russia, Sophos, updatesOphtek, LLC

Sep 2024

The hacking collective RansomHub has unveiled a new strain of malware, one which is used to disable security software and leave PCs open to attack.

Discovered by security firm Sophos, RansomHub’s new malware has been dubbed EDRKillShifter. First detected during May 2024, EDRKillShifter carries out a Bring Your Own Vulnerable Driver (BYOVD) attack. The main objective of a BYOVD attack is to install a vulnerable driver on a target PC. With this driver in place, threat actors can remotely gain unauthorized access and get a foothold within the system.

The Story Behind EDRKillShifter’s Attack

EDRKillShifter typically targets Endpoint Detection and Response (EDR) security software, leaving PCs at risk of multiple malware attacks. Classed as a ‘loader’ malware, EDRKillShifter delivers a legitimate, yet vulnerable driver onto the target PC. In many cases, it’s been identified that multiple drivers, which are all vulnerable, have been introduced to PCs.

Once the vulnerable drivers have been deployed within the PC, EDRKillShifter executes a further payload within the device’s memory. This payload allows the threat actors to exploit the vulnerable drivers and, as a result, gain access to elevated privileges. This change in privileges gives the attackers the ability to disable EDR software on the machine. And the name of this software is hardcoded into EDRKillShifter’s processes, to prevent it from being restarted.

Attempts to run ransomware on compromised machines has been noted by Sophos and, digging deeper into the EDRKillShifter code, there are strong indicators that the malware originates from Russia. As regards the vulnerable drivers, these are freely available on the Github repository and have been known about for some time.

Preventing the Spread of EDRKillShifter

The mechanics of EDRKillShifter are effective and dangerous but are nothing new. Similar attacks, such as AuKill, have been carried out in the last year, and the technique currently appears popular with threat actors.

Luckily, your organization doesn’t have to fall victim to malware such as EDRKillShifter and its variants. Instead, you can maintain the security of your IT infrastructure by following these best practices:

Enable Tamper Protection: It’s important that you limit user privileges for installing drivers. For the average PC user, there’s no reason why they should be installing drivers. Therefore, you can protect your security defenses by limiting driver privileges to restricted admin accounts. This ensures that unauthorized users are unable to disable your EDR software.

Always Install Updates: Vulnerable drivers, such as those exploited by EDRKillShifter, are often updated once vulnerabilities have been detected. This is why it’s paramount that your organization always installs updates as quickly as possible. By eliminating compromised files from your PCs, you’re instantly strengthening the safety of your machines.

Use Driver Signature Enforcement: Windows has a tool called Driver Signature Enforcement (DSE), which can help protect your PC from BYOVD malware. DSE ensures that only drivers signed by Microsoft can be installed on your devices. By enlisting the help of DSE, you’re adding another layer of protection to your defenses.

For more ways to secure and optimize your business technology, contact your local IT professionals .

Category Archives: BYOVD