Oct 07, 2022
In yet another case of a bring your own vulnerable driver (BYOVD) attack, the operators of the BlackByte ransomware are leveraging a flaw in a legitimate Windows driver to bypass security solutions.

"The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos threat researcher Andreas Klopsch said in a new technical write-up.

BYOVD is an attack technique in which threat actors abuse vulnerabilities in legitimate, signed drivers to achieve kernel-mode exploitation and seize control of compromised machines. Weaknesses in signed drivers have been increasingly co-opted by nation-state threat groups in recent years, including Slingshot, InvisiMole, APT28, and most recently, the Lazarus Group.

BlackByte, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zero in on large, high-profile targets as part of