NCC detects a high-impact threat to the Windows operating system
A high-impact threat to the Windows operating system, the BlackByte ransomware, has been detected by the Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT).
The threat has the ability to bypass protections by disabling more than 1,000 drivers used by various security solutions.
This was revealed in a statement from NCC spokesperson Reuben Mouka on Saturday.
The statement says that the BlackByte ransomware gang, using a new technique that researchers have called “bring your own vulnerable driver”, is exploiting a security issue that allows it to disable drivers belonging to several endpoint detection and response (EDR) and antivirus products, such as Avast, Sandboxie, the Windows DbgHelp Library and Comodo Internet Security, preventing them from functioning normally.
“Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098,” he said.
The “Bring Your Own Vulnerable Driver” (BYOVD) method is effective because vulnerable drivers are signed with a valid certificate and run with elevated privileges on the system.
Two notable recent examples of BYOVD attacks include Lazarus abusing a buggy Dell driver and unknown hackers abusing an anti-cheat driver/module for the game Genshin Impact.
The NCC-CSIRT advisory recommended that system administrators protect against BlackByte’s new security bypass trick by adding the particular MSI driver to an active blocklist, monitoring all driver installation events, and reviewing them frequently to find malicious injections that have no matching hardware.
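The monitoring and review steps in the advisory can be scripted on a Windows host. The following PowerShell is an added example written for this article, not code from NCC-CSIRT; it reads Service Control Manager event 7045 (“A service was installed in the system”), keeps only kernel-mode driver installs, and flags any whose file name or SHA-256 hash is on a local blocklist. Only RTCore64.sys comes from the advisory; the placeholder hash value, the sample records and the function names are assumptions made for the example.

```powershell
# Added example (not from the NCC-CSIRT advisory): review event 7045 for
# kernel-driver installs and flag any on a local blocklist.
# Only RTCore64.sys is taken from the advisory; the hash below is a placeholder
# to be replaced with the values your organisation tracks.

$DriverBlocklist = @{
    # file name (lower case) -> reason for the entry
    'rtcore64.sys' = 'MSI Afterburner driver abused by BlackByte (CVE-2019-16098)'
}
$HashBlocklist = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder SHA-256
)

function Test-DriverInstallRecord {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $ImagePath,
        [string]   $ServiceType = '',
        [datetime] $TimeCreated = (Get-Date)
    )
    # 7045 records carry the path in several forms (\??\C:\x.sys, system32\drivers\x.sys,
    # "C:\path with spaces\x.sys"); normalise down to the file name for the lookup.
    $path = $ImagePath.Trim('"') -replace '^\\\?\?\\', ''
    $name = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    $reasons = @()
    if ($DriverBlocklist.ContainsKey($name)) {
        $reasons += "blocklisted name: $($DriverBlocklist[$name])"
    }
    # A validly signed driver is exactly what BYOVD relies on, so the signature
    # alone proves nothing; compare the file hash against the blocklist instead.
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($HashBlocklist -contains $hash) { $reasons += "blocklisted hash: $hash" }
    }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        ServiceName = $ServiceName
        ImagePath   = $path
        ServiceType = $ServiceType
        Suspicious  = ($reasons.Count -gt 0)
        Reason      = ($reasons -join '; ')
    }
}

function Get-DriverInstallEvents {
    param([int] $Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields (ServiceName, ImagePath, ServiceType, ...) from the XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Only kernel-mode drivers matter for BYOVD; user-mode services belong to other reviews
        if ($data['ServiceType'] -notmatch 'kernel') { continue }
        Test-DriverInstallRecord -ServiceName $data['ServiceName'] -ImagePath $data['ImagePath'] `
            -ServiceType $data['ServiceType'] -TimeCreated $e.TimeCreated
    }
}

# Constructed sample records (not real telemetry) so the check can be exercised offline.
# The first mirrors the advisory's driver dropped in a user-writable path; the second is a
# placeholder for a legitimate NIC driver that should pass.
$samples = @(
    @{ ServiceName = 'RTCore64';   ImagePath = '\??\C:\Users\Public\RTCore64.sys';  ServiceType = 'kernel mode driver' },
    @{ ServiceName = 'ExampleNic'; ImagePath = 'system32\drivers\examplenic.sys';    ServiceType = 'kernel mode driver' }
)
$samples | ForEach-Object { Test-DriverInstallRecord @_ } | Format-Table -AutoSize

# On a live host, review the last week of driver installs:
# Get-DriverInstallEvents -Days 7 | Where-Object Suspicious | Format-Table -AutoSize
```

The script covers the “monitor and review” half of the advice; the review output is meant to be checked against the hardware actually present on the host, since a kernel driver with no matching device is the signal the advisory points to. Blocking the driver itself is a separate control, for example a Windows Defender Application Control policy that denies the file, which this example does not configure.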