Korea’s top cybersecurity firm publishes report on Lazarus Group BYOVD attack
South Korea’s leading cybersecurity company AhnLab recently released a detailed report on an attack carried out this year by the Lazarus Group using the BYOVD technique.
AhnLab said the report offers an in-depth look at BYOVD, in which attackers bring along and load into the Windows kernel legitimate, signed drivers that contain known vulnerabilities.
Short for bring your own vulnerable driver, BYOVD refers to a technique that lets an attacker who already has administrative control of a machine sidestep Windows kernel protections: because the driver carries a valid signature, Windows will load it.
Once the driver is loaded, the threat actors exploit its vulnerabilities to obtain full read and write access to kernel memory.
In this attack, after the initial compromise, the threat actors deployed several malicious tools, including a rootkit that contains a driver module developed by ENE Technology, according to AhnLab.
The legitimately signed driver is vulnerable because it lacks the checks that should restrict read and write access to kernel memory, so a caller can direct it to read or write arbitrary kernel addresses.
After gaining write access to kernel memory by exploiting the vulnerability, the threat actors executed malicious commands with kernel-level privileges to blind security solutions and monitoring tools on the infected system.
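To make the vulnerability class concrete, here is an added example (not code from the AhnLab report, and not the ENE driver) that models in user-mode C what such a driver does wrong and what the missing check looks like. The flat buffer standing in for kernel memory, the request layout, the return codes and the "secret" region a security tool depends on are all constructed for illustration; a real driver's fix would also restrict which callers may open the device, which this model does not cover.

```c
/* Added example (not part of the AhnLab report or any real driver):
 * a user-mode model of the vulnerable-driver pattern behind BYOVD.
 * The "kernel memory", request layout and return codes are constructed
 * for illustration; compile with: cc -std=c11 byovd_model.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KMEM_SIZE   4096      /* flat buffer standing in for physical RAM */
#define SECRET_OFF  0x100     /* region a security tool depends on (constructed) */
#define SECRET_LEN  16
#define MMIO_BASE   0x800     /* the only window the device really needs */
#define MMIO_LEN    0x100
#define REQ_MAX     64

static uint8_t kmem[KMEM_SIZE];

/* Request a user-mode client passes through the driver's IOCTL interface
 * (hypothetical layout). */
typedef struct {
    uint64_t addr;           /* memory address chosen by the caller */
    uint32_t len;            /* byte count chosen by the caller */
    uint8_t  data[REQ_MAX];  /* output buffer (read) or input (write) */
} mem_req_t;

enum { RC_OK = 0, RC_ACCESS_DENIED = 1 };

static void kmem_init(void) {
    memset(kmem, 0, sizeof kmem);
    memset(kmem + SECRET_OFF, 0xEE, SECRET_LEN);       /* "callback pointers" */
    for (int i = 0; i < MMIO_LEN; i++)
        kmem[MMIO_BASE + i] = (uint8_t)i;              /* device registers */
}

/* --- Vulnerable handlers: the driver trusts addr and len completely, so
 * any caller who can open the device gets arbitrary kernel read/write. --- */
static int vuln_read(mem_req_t *r) {
    memcpy(r->data, kmem + r->addr, r->len);
    return RC_OK;
}
static int vuln_write(const mem_req_t *r) {
    memcpy(kmem + r->addr, r->data, r->len);
    return RC_OK;
}

/* --- Hardened handlers: only the device's own MMIO window is reachable,
 * and the bounds arithmetic cannot overflow. A real driver would also
 * restrict who may open the device; that part is not modelled here. --- */
static int range_allowed(uint64_t addr, uint32_t len) {
    const uint64_t end = (uint64_t)MMIO_BASE + MMIO_LEN;
    if (len == 0 || len > REQ_MAX) return 0;
    if (addr < MMIO_BASE || addr > end) return 0;   /* compare before subtracting */
    return len <= end - addr;
}
static int safe_read(mem_req_t *r) {
    if (!range_allowed(r->addr, r->len)) return RC_ACCESS_DENIED;
    memcpy(r->data, kmem + r->addr, r->len);
    return RC_OK;
}
static int safe_write(const mem_req_t *r) {
    if (!range_allowed(r->addr, r->len)) return RC_ACCESS_DENIED;
    memcpy(kmem + r->addr, r->data, r->len);
    return RC_OK;
}

/* Attacker's two steps against a given driver: read the protected region,
 * then zero it (standing in for "blinding" a monitor). Returns a bitmask:
 * bit 0 = secret leaked, bit 1 = secret overwritten. */
static int run_attack(int (*read_fn)(mem_req_t *), int (*write_fn)(const mem_req_t *)) {
    int result = 0;
    mem_req_t r = { .addr = SECRET_OFF, .len = SECRET_LEN };
    kmem_init();
    if (read_fn(&r) == RC_OK && r.data[0] == 0xEE) result |= 1;
    memset(r.data, 0, SECRET_LEN);
    if (write_fn(&r) == RC_OK && kmem[SECRET_OFF] == 0) result |= 2;
    return result;
}

/* Legitimate use must keep working after hardening: read a device register. */
static int legit_mmio_read(int (*read_fn)(mem_req_t *)) {
    mem_req_t r = { .addr = MMIO_BASE + 0x10, .len = 4 };
    kmem_init();
    return read_fn(&r) == RC_OK && r.data[0] == 0x10;
}

/* A request that starts inside the window but runs past it must be refused. */
static int straddling_request_refused(void) {
    mem_req_t r = { .addr = MMIO_BASE + MMIO_LEN - 2, .len = 4 };
    kmem_init();
    return safe_read(&r) == RC_ACCESS_DENIED;
}

int main(void) {
    printf("vulnerable driver: attack mask = %d (3 = leaked and overwritten)\n",
           run_attack(vuln_read, vuln_write));
    printf("hardened driver:   attack mask = %d, legit MMIO read ok = %d\n",
           run_attack(safe_read, safe_write), legit_mmio_read(safe_read));
    return 0;
}
```

The point of the model is the asymmetry: the vulnerable handlers let the same request that reads a device register also read or overwrite the region a security product relies on, which is exactly the primitive the report describes being used to blind monitoring tools. The hardened handlers confine every request to the window the device actually needs and reject anything that starts inside it but runs past its end.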
“Since directly loading a malicious, unsigned driver is no longer possible in the recent versions of Windows, the attackers are abusing legitimate, signed drivers,” AhnLab said in the report.
“It is possible that even more legitimately signed drivers with vulnerabilities could be found and utilized in future attacks. This means that organizations should be on high alert for such cyberattacks.”
AhnLab researchers believe the attackers went on to carry out further malicious activity, such as data breaches, ransomware infection, and espionage, on the compromised systems.
AhnLab has updated its engine to detect the malware used in the attack.
How to deal with BYOVD
To stay safe from such sophisticated threats, AhnLab recommended that organizations take the following security measures.
First, check the software in use across the organization, deploy the available security patches, and keep everything at the latest version.
Next, set the organization’s security policy so that drivers cannot be loaded from user mode (BYOVD only works once the attacker gets a driver loaded, which is why restricting driver loading matters), and keep security solutions, including anti-malware products, up to date.
Finally, give end users basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering.
AhnLab’s full report, which tracks the Lazarus Group’s BYOVD-based rootkit malware, is available on the firm’s blog.
Lazarus Group is known as a North Korean hacking group that, according to AhnLab, has attacked not only Korea but a range of other countries.