Attackers keep refining their tradecraft, and researchers have now documented a technique that lets them disable a target's antivirus and other endpoint protection before the real damage begins.
A Method Being Used by Hackers to Bypass Antivirus Solutions
According to a story by Tech Radar, threat actors are using a method that lets them disable users' antivirus software along with other endpoint protection tools.
The method is reportedly growing rapidly in popularity. Researchers at Sophos have shared how it works.
The Abused Vulnerability was Tracked as CVE-2019-16098
The method is widely known as Bring Your Own Vulnerable Driver (BYOVD): the attacker installs a legitimately signed but vulnerable driver and abuses it to gain kernel-level access. The researchers warn that not only does the method work, it is also very dangerous to businesses worldwide.
Sophos's research found that the BlackByte ransomware operators abused this vulnerability, tracked as CVE-2019-16098, in the RTCore64.sys and RTCore32.sys drivers that ship with Micro-Star International's MSI Afterburner 4.6.2.15658.
BlackByte was Found Using the Method to Disable Over 1,000 Drivers
Afterburner is a GPU overclocking utility that gives users fine-grained control over their graphics hardware. The vulnerability lets any authenticated user read and write arbitrary kernel memory through the driver.
That primitive can lead to privilege escalation, data theft, and code execution. BlackByte used it to disable more than 1,000 drivers on which security products depend.
Sophos Gave Tips on How Organizations can Protect Themselves Against This Method
Sophos noted in a blog post that legitimate drivers will very likely continue to be abused to bypass security products, and offered suggestions for defending against the technique.
The researchers suggest that IT admins add the specific MSI drivers to an active blocklist so they cannot run on their endpoints, and that they monitor every driver being installed on their devices.
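As an added example of the blocklist check and driver audit Sophos recommends, the following PowerShell script inventories every kernel driver registered on a Windows host, flags the RTCore file names from the report, and records each driver's hash and signer for review. It is not code from Sophos or from the article; the blocklist hash table, the output path, and the elevated PowerShell 5.1+ session are assumptions, and the RTCore file names are the only identifiers taken from the report.

```powershell
# Added example, not from the Sophos report or the article.
# Assumptions: elevated PowerShell 5.1 or later; $blockedHashes is a placeholder you
# populate from your own blocklist source (hypothetical entries, none supplied here).

$blockedNames  = @('RTCore64.sys', 'RTCore32.sys')   # driver names from the report
$blockedHashes = @{}                                 # SHA256 -> label, filled by you

# 1. Enumerate every kernel driver service, whether or not it is currently loaded.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$findings = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }

    # PathName comes in several shapes: quoted, \??\C:\..., \SystemRoot\..., or a bare
    # System32\drivers\... relative path. Normalise to an absolute file-system path.
    $path = $path.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $name = Split-Path -Leaf $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path

    $reasons = @()
    if ($blockedNames -contains $name)      { $reasons += 'name on blocklist' }
    if ($blockedHashes.ContainsKey($hash))  { $reasons += "hash on blocklist ($($blockedHashes[$hash]))" }
    # A BYOVD driver carries a valid signature by design, so 'Valid' is not a clean bill
    # of health. Only an invalid/missing signature is flagged here; a valid third-party
    # signer on a host with no matching hardware is what the manual review looks for.
    if ($sig.Status -ne 'Valid')            { $reasons += "signature $($sig.Status)" }

    [pscustomobject]@{
        Service = $d.Name
        State   = $d.State          # 'Running' means the driver is loaded right now
        Path    = $path
        SHA256  = $hash
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Flags   = ($reasons -join '; ')
    }
}

# 2. Print anything flagged, then export the full inventory (sorted by signer) for review.
$findings | Where-Object { $_.Flags } | Format-Table -AutoSize
$findings | Sort-Object Signer |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-inventory.csv"   # assumed path
```

The script only reports; enforcement is a separate step, for example a Windows Defender Application Control policy that denies the driver by hash or file name, or Microsoft's vulnerable driver blocklist where the Windows build supports it. Running the inventory on a schedule and diffing the CSV against the previous run is the cheapest way to catch a driver that appears on a machine with no hardware to justify it.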
Users were also urged to audit their endpoints regularly for rogue driver installations that have no matching hardware on the machine. Bring Your Own Vulnerable Driver is not a new method, but it is growing rapidly in popularity.
Lazarus Group was Spotted Using This Technique with a Vulnerable Dell Driver
The Lazarus Group was recently observed using the same technique with a vulnerable Dell driver. ESET researchers saw the approach used against experts in the aerospace field and against journalists.
Targets were lured with fake Amazon job offers: the fake job descriptions were sent as PDF documents, and once a target was compromised the attackers deployed the vulnerable Dell driver on the victim's machine to disable security monitoring.
This article is owned by Tech Times
Written by Urian B.