Now the BlackByte ransomware gang is apparently using CVE-2019-16098, a vulnerability in RTCore64.sys, a graphics utility driver for Windows systems. The driver has a legitimate purpose: it gives overclocking tools extended control over the graphics card.
However, by exploiting the vulnerability, an attacker who has gained access to an authenticated user account can read and write arbitrary memory, which could be leveraged for privilege escalation, code execution or access to information.
Researchers describe this as "Bring Your Own Driver". When abused, it allows attackers to bypass more than 1,000 drivers used by industry endpoint detection and response (EDR) products – antivirus software.
The tactic works by exploiting the vulnerability to communicate directly with the targeted system's kernel and instruct it to switch off routines used by antivirus software, as well as ETW (Event Tracing for Windows).
"If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte's pool of potential targets for deploying this EDR bypass is enormous," said Christopher Budd, senior manager for threat research at Sophos.
By abusing this vulnerability, BlackByte can gain the privileges required to quietly access systems, before triggering a ransomware attack and demanding a ransom payment for the decryption key. Like many other ransomware groups, BlackByte also steals data from victims and threatens to release it if their extortion demands aren't met.
In order to help protect against Bring Your Own Driver attacks, Sophos recommends that drivers be updated regularly, so that any known vulnerabilities in them can be remedied. Researchers also recommend blocklisting drivers that are known to still be exploitable.
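As an added example that is not part of the article and is not Sophos's or Microsoft's tooling, the following PowerShell audit turns those two recommendations into a check a defender can run: it enumerates installed kernel drivers, flags any whose file name is on a blocklist (seeded here only with the driver named above; the second entry is a placeholder), and looks for recent installs of those names in the System event log, since a driver must be registered as a service before it can be loaded.

```powershell
# Added example (not from the article, Sophos or Microsoft): audit installed kernel
# drivers against a blocklist of drivers known to be abusable for Bring Your Own Driver.
# Assumption: in practice the list is populated from Microsoft's recommended driver
# block rules or your EDR vendor's list; here it holds only the driver named in the text.
$BlockedDriverNames = @(
    'RTCore64.sys'                      # driver named in the article (CVE-2019-16098)
    'PLACEHOLDER-other-blocked.sys'     # placeholder, replace with real blocklist entries
)

function Get-BlockedDriverFindings {
    param([string[]]$Blocklist = $BlockedDriverNames)

    # Win32_SystemDriver lists kernel-mode driver services whether loaded or not.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        # Normalise NT-style paths (\??\C:\..., \SystemRoot\...) into Win32 paths.
        $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $file = [System.IO.Path]::GetFileName($path)
        if ($Blocklist -contains $file) {
            # A valid Authenticode signature only says the file is the vendor's original;
            # the original is exactly the vulnerable code, so it still needs blocking.
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $_.Name
                File      = $file
                Path      = $path
                State     = $_.State        # Running means the driver is loaded now
                StartMode = $_.StartMode
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        }
    }
}

# Service Control Manager logs every new service install as System event 7045,
# including the service file name, which gives a record of when the driver arrived.
function Get-RecentBlockedDriverInstalls {
    param([int]$Days = 7, [string[]]$Blocklist = $BlockedDriverNames)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $msg = $_.Message; $Blocklist | Where-Object { $msg -like "*$_*" } } |
        Select-Object TimeCreated, Message
}

Get-BlockedDriverFindings | Format-Table -AutoSize
Get-RecentBlockedDriverInstalls | Format-List
```

Run it from an elevated PowerShell session; a hit with State Running is the case to treat as an incident rather than a patching task.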
"It's critical for defenders to monitor new evasion and exploitation techniques and implement mitigations before these techniques become widely available on the cybercrime scene," said Budd.