Cyber security: NCC-CSIRT flags Blackbyte Ransomware


The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has flagged a high-impact threat to the Windows operating system, BlackByte ransomware, which can bypass protections by disabling more than 1,000 drivers used by various security solutions.

This was disclosed in a statement by NCC spokesperson Ruben Muoka on Saturday.

The NCC-CSIRT said the BlackByte ransomware gang, using a new technique that researchers have dubbed “Bring Your Own Vulnerable Driver”, exploits a security issue that lets it disable the drivers on which Endpoint Detection and Response (EDR) and antivirus products such as Avast, Sandboxie, the Windows DbgHelp Library and Comodo Internet Security depend, so that those products no longer work normally.

Recent attacks attributed to this group used a version of the MSI Afterburner driver, RTCore64.sys, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.

The “Bring Your Own Vulnerable Driver” (BYOVD) method is effective because vulnerable drivers are signed with a valid certificate and run with high privileges on the system.

Two notable recent examples of BYOVD attacks include Lazarus, which abused a buggy Dell driver, and unknown hackers abusing the Genshin Impact driver/anti-cheat module.

The NCC-CSIRT advisory recommended that system administrators protect themselves against BlackByte’s new security bypass trick by adding a specific MSI driver to an active block list, monitoring all driver installation events, and checking frequently for any rogue injections that don’t match the hardware.
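One way to act on the second recommendation, monitoring driver installation events, is to review Sysmon DriverLoad events for the driver named in the advisory. The script below is an added example, not code from the NCC-CSIRT advisory; it assumes Sysmon is installed and logging to its default operational channel, and the hash entry is a placeholder to be filled from your own block list.

```powershell
# Added example, not part of the NCC-CSIRT advisory: review recent Sysmon DriverLoad
# events (Event ID 6) for the vulnerable MSI Afterburner driver RTCore64.sys.
# Assumes Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational.
# BYOVD drivers carry a valid signature, so a signature check alone will not catch them;
# match on file name and, preferably, on the hashes from your driver block list.
$watchNames  = @('RTCore64.sys')
$watchHashes = @('SHA256=<placeholder: hash taken from your driver block list>')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 6                                  # Sysmon Event ID 6: DriverLoad
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $file   = [System.IO.Path]::GetFileName($d['ImageLoaded'])
    $hashes = $d['Hashes'] -split ','              # e.g. "SHA256=...,IMPHASH=..."

    $nameHit = $watchNames -contains $file
    $hashHit = [bool]($hashes | Where-Object { $watchHashes -contains $_ })
    $sigBad  = $d['SignatureStatus'] -ne 'Valid'   # unsigned or invalid drivers are worth a look too

    if ($nameHit -or $hashHit -or $sigBad) {
        [pscustomobject]@{
            Time            = $e.TimeCreated
            Driver          = $d['ImageLoaded']
            Signer          = $d['Signature']
            SignatureStatus = $d['SignatureStatus']
            Hashes          = $d['Hashes']
        }
    }
}
```

A file-name match is easy to evade by renaming, so the hash entries are what make the block list and this check reliable; the same hashes can be enforced on load through Windows Defender Application Control driver block rules rather than only detected after the fact.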

The CSIRT is a cyber security centre for the telecommunications sector, established by the NCC to focus on incidents in that sector and on how they may affect telecommunications consumers and citizens in general.

The CSIRT also works in collaboration with the Nigerian Computer Emergency Response Team (ngCERT), which was established by the federal government to reduce the scope of future cyber risk incidents by preparing, protecting and securing the Nigerian cyberspace against attacks and related events.
