Lazarus is latest group to pull off "bring your own vulnerable device" attack.


Over the past 15 years, Microsoft has made huge progress fortifying the Windows kernel, the core of the OS that hackers must compromise to take full control of a computer. A cornerstone of that progress was the enactment of strict new restrictions on loading system drivers that run in kernel mode. Such drivers are crucial for computers to work with printers and other peripherals, but they’re also a convenient inroad that hackers can use to give their malware unfettered access to the most sensitive parts of Windows. With the advent of Windows Vista, such drivers could be loaded only after they had been approved in advance by Microsoft and digitally signed to attest that they were safe.

Last week, researchers from security firm ESET revealed that about a year ago, Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole that has existed in Microsoft’s driver signature enforcement (DSE) from the start. The malicious documents Lazarus tricked targets into opening gained administrative control of the target’s computer, but Windows’ modern kernel protections remained a formidable obstacle to Lazarus’s objective of storming the kernel.

Path of least resistance

So Lazarus chose one of the oldest moves in the Windows exploitation playbook—a technique known as BYOVD, short for “bring your own vulnerable driver.” Instead of finding and cultivating some exotic zero-day to pierce Windows kernel protections, Lazarus members simply used the admin access they already had to install a driver that Dell had digitally signed before a critical vulnerability in it, one that could be exploited to gain kernel privileges, was discovered last year.

ESET researcher Peter Kálnai said Lazarus sent two targets—one an employee of an aerospace company in the Netherlands and the other a political journalist in Belgium—Microsoft Word documents that had been booby-trapped with malicious code that infected the computers that opened them. The hackers’ objective was to install an advanced backdoor dubbed Blindingcan, but to make that happen, they first had to disable various Windows protections. The path of least resistance, in this case, was simply to install dbutil_2_3.sys, the buggy Dell driver, which is responsible for updating Dell firmware through Dell’s custom BIOS Utility.

“For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions,” Kálnai wrote, referring to the designation used to track the vulnerability in the Dell driver. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.”

In the case involving the journalist, the attack was triggered but was quickly stopped by ESET products, with just one malicious executable involved.

While it may be the first documented case of attackers exploiting CVE-2021-21551 to pierce Windows kernel protections, it’s by no means the first instance of a BYOVD attack. A small sampling of previous BYOVD attacks includes:

  • Malware dubbed SlingShot that hid on infected systems for six years until it was discovered by security firm Kaspersky. Active since 2012, SlingShot exploited vulnerabilities that had been found as early as 2007 in drivers including Speedfan.sys, sandra.sys, and a driver tracked under CVE-2009-0824 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0824). Because these drivers had been digitally signed at one time, Microsoft had no viable way to prevent Windows from loading them, even though the vulnerabilities were well known.
  • RobbinHood, ransomware that installs the GIGABYTE motherboard driver GDRV.SYS and then exploits the known vulnerability CVE-2018-19320 to install its own malicious driver.
  • LoJax, the first UEFI rootkit known to be used in the wild. To gain access to targets’ UEFI modules, the malware installed a powerful utility called RWEverything that had a valid digital signature.
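The common thread in every case above is that the abused driver carried a valid signature, so a check that asks only “is it signed?” passes. Detection has to key on the driver’s identity and on where it was loaded from. The following is an added example, not code from the article, from ESET, or from any of the vendors named: it runs a defender-side check in Python over constructed Sysmon Event ID 6 (DriverLoad) records, flagging any load whose file name matches one of the vulnerable drivers this article names, regardless of the Signed field, and noting whether the driver came from somewhere other than the normal drivers directory. The Sysmon field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the real ones; the host name, paths, signer strings, and hashes are placeholders. A production detection would match the Hashes field against Microsoft’s vulnerable driver blocklist rather than file names, which an attacker can rename.

```python
"""Flag Sysmon DriverLoad events for known-vulnerable signed drivers (BYOVD).

Added example. The sample events below are constructed in the shape of
Sysmon Event ID 6 records; hashes, paths and signer strings are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# File names of signed-but-vulnerable drivers named in the article.
# Matching on the name is the simplest form of the check; a production rule
# should compare the Hashes field against a maintained blocklist instead.
BYOVD_DRIVER_NAMES = {
    "dbutil_2_3.sys": "Dell dbutil, CVE-2021-21551 (used by Lazarus)",
    "gdrv.sys": "GIGABYTE GDRV, CVE-2018-19320 (used by RobbinHood)",
    "speedfan.sys": "SpeedFan driver (used by SlingShot)",
    "sandra.sys": "Sandra driver (used by SlingShot)",
}

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NORMAL_DRIVER_DIR = r"c:\windows\system32\drivers\""[:-1]


def make_driver_load_event(image: str, signer: str, sha256: str) -> str:
    """Build a constructed Sysmon Event ID 6 (DriverLoad) XML record."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID>'
        "<Computer>WORKSTATION-PLACEHOLDER</Computer></System>"
        "<EventData>"
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        '<Data Name="Signed">true</Data>'
        f'<Data Name="Signature">{signer}</Data>'
        '<Data Name="SignatureStatus">Valid</Data>'
        "</EventData></Event>"
    )


# Constructed sample log: one ordinary driver load, then the two driver
# names the article ties to Lazarus and RobbinHood. Every load is validly
# signed, which is exactly why the signature alone cannot be the test.
SAMPLE_EVENTS: List[str] = [
    make_driver_load_event(r"C:\Windows\System32\drivers\example_ok.sys",
                           "Example Vendor (constructed)", "PLACEHOLDER_HASH_0"),
    make_driver_load_event(r"C:\Windows\Temp\dbutil_2_3.sys",
                           "Vendor signer A (constructed)", "PLACEHOLDER_HASH_1"),
    make_driver_load_event(r"C:\Users\Public\GDRV.SYS",
                           "Vendor signer B (constructed)", "PLACEHOLDER_HASH_2"),
]


def parse_driver_load(xml_text: str) -> Dict[str, str]:
    """Return the EventData fields of one Sysmon event, plus its EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name", ""): (d.text or "")
              for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", "", SYSMON_NS)
    return fields


def check_driver_load(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert record if this DriverLoad matches a known BYOVD driver."""
    if fields.get("EventID") != "6":
        return None
    image = fields.get("ImageLoaded", "")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reason = BYOVD_DRIVER_NAMES.get(name)
    if reason is None:
        return None
    # A vulnerable driver dropped outside the normal drivers directory is a
    # strong triage signal on top of the name match.
    unusual_path = not image.lower().startswith(NORMAL_DRIVER_DIR)
    return {
        "driver": name,
        "path": image,
        "reason": reason,
        "signed": fields.get("Signed", ""),
        "hashes": fields.get("Hashes", ""),
        "unusual_path": "yes" if unusual_path else "no",
    }


def find_byovd_loads(events: List[str]) -> List[Dict[str, str]]:
    """Run the check over a batch of Sysmon XML records and collect alerts."""
    hits = []
    for xml_text in events:
        hit = check_driver_load(parse_driver_load(xml_text))
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_byovd_loads(SAMPLE_EVENTS):
        print(f"ALERT: {hit['driver']} loaded from {hit['path']} "
              f"(signed={hit['signed']}, unusual_path={hit['unusual_path']}): "
              f"{hit['reason']}")
```

Both flagged loads are reported as signed, which is the point: the Signed and SignatureStatus fields describe the vendor’s certificate, not whether the driver is safe to have on the system, so the rule has to carry its own list of driver identities.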
