{"id":97137,"date":"2022-10-14T17:59:04","date_gmt":"2022-10-14T17:59:04","guid":{"rendered":"https:\/\/harchi90.com\/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks\/"},"modified":"2022-10-14T17:59:04","modified_gmt":"2022-10-14T17:59:04","slug":"how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks","status":"publish","type":"post","link":"https:\/\/harchi90.com\/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks\/","title":{"rendered":"How a Microsoft blunder opened millions of PCs to potent malware attacks"},"content":{"rendered":"<div itemprop=\"articleBody\">\n<figure class=\"intro-image intro-left\">\n  <figcaption class=\"caption\">\n<p>Getty Images<\/p>\n<\/figcaption><\/figure>\n<aside id=\"social-left\" class=\"social-left\" aria-label=\"Read the comments or share this article\">\n<\/aside>\n<p><!-- cache hit 1250:single\/related:5e52a5de3aa4cac041f5b0acf1fd7574 --><!-- empty --><\/p>\n<p>For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.<\/p>\n<p>Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook.  The malware technique\u2014known as BYOVD, short for &#8220;bring your own vulnerable driver&#8221;\u2014makes it easy for an attacker with administrative control to bypass Windows kernel protections.  Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities.  Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.<\/p>\n<p>It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.<\/p>\n<h2>As attacks surge, Microsoft countermeasures languish<\/h2>\n<p>Drivers typically allow computers to work with printers, cameras, or other peripheral devices\u2014or to do other things such as provide analytics about the functioning of computer hardware.  For many drivers to work, they need a direct pipeline into the kernel, the core of an operating system where the most sensitive code resides.  For this reason, Microsoft heavily fortifies the kernel and requires all drivers to be digitally signed with a certificate that verifies they have been inspected and come from a trusted source.<\/p>\n<p>Even then, however, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, allow hackers to funnel their malicious code directly into the kernel.  Even after a developer patches the vulnerability, the old, buggy drivers remain excellent candidates for BYOVD attacks because they&#8217;re already signed.  By adding this kind of driver to the execution flow of a malware attack, hackers can save weeks of development and testing time.<\/p>\n<p>BYOVD has been a fact of life for at least a decade.  Malware dubbed &#8220;Slingshot&#8221; employed BYOVD since at least 2012, and other early entrants to the BYOVD scene included LoJax, InvisiMole, and RobbinHood.<\/p>\n<aside class=\"ad_wrapper\" aria-label=\"In Content advertisement\">\n    <span class=\"ad_notice\">Advertisement <\/span>    <\/p>\n<\/aside>\n<p>Over the past couple of years, we have seen a rash of new BYOVD attacks.  One such attack late last year was carried out by the North Korean government-backed Lazarus group.  It used a decommissioned Dell driver with a high-severity vulnerability to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium.<\/p>\n<p>In a separate BYOVD attack a few months ago, cybercriminals installed the BlackByte ransomware by installing and then exploiting a buggy driver for Micro-Star&#8217;s MSI AfterBurner 4.6.2.15658, a widely used graphics card overclocking utility.<\/p>\n<p>In July, a ransomware threat group installed the driver mhyprot2.sys\u2014a deprecated anti-cheat driver used by the wildly popular game <em>Genshin Impact\u2014<\/em>during targeted attacks that went on to exploit a code execution vulnerability in the driver to burrow further into Windows.<\/p>\n<p>A month earlier, criminals spreading the AvosLocker ransomware likewise abused the vulnerable Avast anti-rootkit driver aswarpot.sys to bypass virus scanning.<\/p>\n<p>Entire blog posts have been devoted to enumerating the growing instances of BYOVD attacks, with this post from security firm Eclypsium and this one from ESET among the most notable.<\/p>\n<p>Microsoft is acutely aware of the BYOVD threat and has been working on defenses to stop these attacks, mainly by creating mechanisms to stop Windows from loading signed-but-vulnerable drivers.  The most common mechanism for driver blocking uses a combination of what&#8217;s called memory integrity and HVCI, short for Hypervisor-Protected Code Integrity.  A separate mechanism for preventing bad drivers from being written to disk is known as ASR, or Attack Surface Reduction.<\/p>\n<p>Unfortunately, neither approach seems to have worked as well as intended.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Getty Images For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months. Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks\/\"> <span class=\"screen-reader-text\">How a Microsoft blunder opened millions of PCs to potent malware attacks<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":101906,"url":"https:\/\/harchi90.com\/experts-warn-of-stealthy-powershell-backdoor-disguising-as-windows-update\/","url_meta":{"origin":97137,"position":0},"title":"Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update","date":"October 19, 2022","format":false,"excerpt":"Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process. \"The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg\/s1600\/strike-728.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":104542,"url":"https:\/\/harchi90.com\/vmware-bug-with-9-8-severity-rating-exploited-to-install-witchs-brew-of-malware\/","url_meta":{"origin":97137,"position":1},"title":"VMware bug with 9.8 severity rating exploited to install witch&#8217;s brew of malware","date":"October 22, 2022","format":false,"excerpt":"Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday. CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that carries a severity rating of 9.8 out\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/10\/exploit-activity-640x323.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":61037,"url":"https:\/\/harchi90.com\/organizations-are-spending-billions-on-malware-defense-thats-easy-to-bypass\/","url_meta":{"origin":97137,"position":2},"title":"Organizations are spending billions on malware defense that&#8217;s easy to bypass","date":"August 30, 2022","format":false,"excerpt":"Getty Images\/Aurich Lawson Last year, organizations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/08\/behavioral-analysis-640x359.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":5827,"url":"https:\/\/harchi90.com\/microsoft-warns-about-android-malware-that-could-secretly-steal-your-money\/","url_meta":{"origin":97137,"position":3},"title":"Microsoft warns about Android malware that could secretly steal your money","date":"July 6, 2022","format":false,"excerpt":"What you need to knowMicrosoft has issued a warning to Android users about toll fraud malware that is constantly evolving.This type of malware subscribes unsuspecting users to premium services without their knowledge.Hefty subscription fees will then be charged on your monthly phone bill with no consent.Microsoft has warned Android users\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":60657,"url":"https:\/\/harchi90.com\/genshin-security-impact-hackaday\/","url_meta":{"origin":97137,"position":4},"title":"Genshin Security Impact |  hackaday","date":"August 30, 2022","format":false,"excerpt":"An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintendo franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":27031,"url":"https:\/\/harchi90.com\/for-years-some-gigabyte-and-asus-motherboards-carried-uefi-malware\/","url_meta":{"origin":97137,"position":5},"title":"For years, some Gigabyte and Asus motherboards carried UEFI malware","date":"July 27, 2022","format":false,"excerpt":"In context: Security firm ESET discovered the first UEFI rootkit that had been used in the wild back in 2018. This type of persistent threat used to be the subject of theoretical discussions among security researchers, but over the past years, it's become clear that it's a lot more common\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/static.techspot.com\/images2\/news\/bigimage\/2022\/07\/2022-07-26-image-14.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"fifu_image_url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/10\/microsoft-windows-760x380.jpg","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/97137"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=97137"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/97137\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=97137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=97137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=97137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}