What Are Bring Your Own Vulnerable Driver (BYOVD) Attacks?

What are Bring Your Own Vulnerable Driver (BYOVD) attacks, and why are they increasing in frequency?

Legitimate software applications with known vulnerabilities are useful to cyber attackers. These legitimate applications are often digitally signed and therefore trusted by our computer operating system (OS). On the other hand, malware does not usually include a valid digital signature from a reputable software vendor, unless the attackers have managed to steal a code signing private key. This makes legitimate software apps with known vulnerabilities a covert way for hackers to gain the upper hand on a system.

During the installation process, the application is often given elevated privileges to execute system level commands, and thus, they can act as a vector for privilege escalation [T1068]. Also, since they are less likely to be detected by endpoint security tools such as malware scanners and Endpoint Detection and Response (EDR) solutions, they can also provide an effective means of persistence [TA0003] on the victim's system or network. 

In this article we will uncover a form of attack known as the Bring Your Own Vulnerable Driver attack and how attackers are using this attack to leverage vulnerabilities in trusted digitally signed drivers to launch their attacks. 

Why Do Computers Need Drivers?

In the context of computers, drivers are software components that facilitate communication between the operating system and hardware devices. Their main purpose is to enable the OS to interact with and control various hardware components, such as printers, graphics cards, network adapters, and storage devices. Without drivers, the operating system would not be able to recognize or communicate with the vast array of various hardware devices.

Since there are so many hardware devices available on the market, the only feasible way to manage device drivers is to install only the required drivers for each particular hardware device; having all drivers installed by default would take up an incredibly large amount of disk space. 

What Are BYOVD Attacks?

BYOVD, or Bring Your Own Vulnerable Driver, is an adversarial tactic where attackers implant a legitimate yet vulnerable driver into a targeted system to exploit it for malicious purposes. Legitimately signed drivers are trusted by the OS, allowing attackers to evade detection.  Kernel-mode drivers also enable attackers to achieve kernel-level privilege escalation [T1068]. With elevated privileges, attackers can execute virtually any commands on a computer to disable security products or install low level highly covert persistence [TA0003] tools such as rootkits [T1014] or malicious firmware [T0839]. Furthermore, attacks can be concealed when required and whitelisted drivers are downgraded to vulnerable versions [T1562.010]. 

Originally utilized by top-tier APT groups like Turla [G0010] and the Equation Group [G0020], BYOVD attacks have become more widespread among various threat actors due to reduced costs. Open-source resources such as the Living Off The Land Drivers (LOLDrivers) project have recorded over 700 legitimate drivers that attackers can exploit, lowering the barrier for attackers to conduct BYOVD attacks.

BYOVD attacks have recently been used by the BlackByte and Scattered Spider threat actor and observed as a tactic in several large-scale cyber attack campaigns and corporate breaches, and the distribution of Kasseika Ransomware, among other attack campaigns.

How to Mitigate Bring Your Own Vulnerable Driver Attacks

Mitigating BYOVD attacks requires a comprehensive set of cybersecurity activities, policies, and controls that prevent attackers from gaining initial access [TA0001] to systems on your network, and then also implementing detective controls to identify breaches, allowing them to be remediated to reduce dwell time. Also, by using  Unified Endpoint Management (UEM) tools, defenders can identify any changes that happen on critical systems and investigate any new drivers that have been installed or changes to existing drivers.

By implementing effective mitigation strategies, organizations can reduce the risk of BYOD attacks and protect sensitive data and resources from unauthorized access or compromise. 

Here are several strategies to mitigate Bring Your Own Vulnerable Driver attacks:

• Prevent Initial Access: Ensure that personal devices are regularly updated with the latest security patches and software updates to address known vulnerabilities and reduce the risk of exploitation. Implement perimeter defenses according to best practices to ensure that the network attack surface is properly secured.  It's also important to educate staff about the risks associated with open files from untrusted sources and create policies regarding which software applications can be installed onto work devices. 

• Whitelisting Approved Drivers/Applications: Maintain a whitelist of approved drivers that are allowed to be installed on organizational devices. Block the installation of any drivers not included in the whitelist to prevent BYOVD attacks. Ensure that all device drivers, whether provided by the organization or brought in by users, are regularly updated with the latest patches and security fixes to address known vulnerabilities and scan to ensure that the newest drivers are in use.

• Use Endpoint Security Tools: Deploy endpoint security solutions, such as antivirus software, anti-malware programs, and intrusion detection/prevention systems (IDS/IPS), on personal devices to detect and mitigate security threats. Unified Endpoint Management (UEM) and Endpoint Detection and Response (EDR) solutions can track changes in files, configurations, and components such as drivers. However, since BYOVD attacks are also associated with privilege escalation, attackers may be able to disable these endpoint security programs.

• Continuous Monitoring and Auditing: Implement continuous monitoring and auditing of driver installations and also to ensure that endpoint security products are active and regularly updated with new threat profiles and malware signatures. 

• Conduct Security Testing: For high risk scenarios, regular security testing such as penetration testing can verify how well an organization's existing security activities, controls, and policies can withstand a real world cyber attack by simulating attacks. This allows an organization to verify it's security posture and continuously improve. 

Conclusion

In summary, Bring Your Own Vulnerable Driver (BYOVD) attacks represent a significant threat to organizational security, leveraging trusted yet vulnerable drivers to infiltrate systems and execute malicious actions. These attacks exploit the trust placed in legitimate drivers by the operating system, enabling attackers to achieve kernel-level privilege escalation and evade detection by traditional security tools. 

To mitigate the risk of BYOVD attacks, organizations must adopt a multifaceted approach that includes regular updating of drivers, maintaining whitelists of approved drivers, implementing driver sandboxing techniques, deploying endpoint security solutions, and continuous monitoring and auditing of driver activities. By implementing these strategies, organizations can bolster their defenses against Bring Your Own Vulnerable Driver attacks and protect critical systems and data from exploitation.

Looking for more deep-dives on topics related to BYOVD attacks and cybersecurity news? Sign up for our informational zero-spam newsletter.