
Scattered Spider exploits Windows driver and evades EDR tools

A hacker group known as Scattered Spider has been observed deploying an Intel Ethernet diagnostics driver in a BYOVD (Bring Your Own Vulnerable Driver) attack to escape EDR detection. The attackers load a kernel-mode driver that is known to be vulnerable, then exploit it to gain elevated privileges on Windows devices.

Because drivers run with kernel access to the operating system, exploiting one lets the attackers execute code with a far higher level of control over Windows machines.

CrowdStrike identified this new technique after a cyber intelligence report on Scattered Spider that was released last month.

Source: CrowdStrike

According to CrowdStrike, the hackers have tried to use BYOVD to bypass several EDR tools, including Microsoft Defender for Endpoint, SentinelOne and Palo Alto Networks Cortex XDR.

How does Scattered Spider disable EDR security?

Scattered Spider exploits CVE-2015-2291, a critical vulnerability in the Intel Ethernet diagnostics driver, which allows them to execute arbitrary code with elevated kernel privileges via specially crafted calls to the driver.

Although this vulnerability was patched in 2015, the attackers bring the older, vulnerable version of the driver with them and load it on the affected devices, so they can still breach the devices regardless of which driver version is already installed on the system.

Scattered Spider uses a 64-bit kernel driver signed with certificates from NVIDIA and Global Software LLC, which makes it look legitimate and lets it evade Microsoft's security detections.

With these drivers, the hackers can disable endpoint detection and response capabilities and reduce the visibility of their malicious presence on the device.

When the machine starts, the malicious driver decrypts a hard-coded list of EDR tool names and patches the legitimate security drivers at hard-coded offsets.

The patched security tools appear to keep running normally, but they no longer actually do what they are supposed to do. Scattered Spider is currently targeting only a limited set of networks, but the privileges and power gained through BYOVD attacks can't be overlooked.

The Lazarus and BlackByte hacking groups have also been seen using BYOVD tactics to gain elevated privileges on Windows devices.

How does Windows patching stand against Scattered Spider?

Although Microsoft patched the vulnerability in 2021 by introducing a driver blocklist, the problem wasn't completely resolved, as attackers like Scattered Spider were found exploiting loopholes in that fix.

Microsoft recommends that Windows users enable the driver blocklist to protect against these BYOVD attacks. However, enabling Memory Integrity on Windows machines that may not have the latest drivers could be challenging.
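The two mitigations named above can be audited from PowerShell. The following script is an added example written for this page, not code from the article or from CrowdStrike; it reads Microsoft's documented CI\Config registry value and the Win32_DeviceGuard WMI class, and lists which publisher signed each running kernel driver, so a driver loaded from outside System32\drivers or signed by an unexpected publisher stands out for triage.

```powershell
# Added example (not the article's or CrowdStrike's code): report whether the
# Microsoft vulnerable driver blocklist and Memory Integrity (HVCI) are active,
# then list the signer of every running kernel driver. Run elevated.
function Get-ByovdMitigationStatus {
    # Vulnerable driver blocklist: this CI config value is 1 when enforced.
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Memory Integrity: Win32_DeviceGuard lists running security services;
    # the value 2 stands for hypervisor-enforced code integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    [pscustomobject]@{
        VulnerableDriverBlocklistEnabled = ($blocklist -eq 1)
        MemoryIntegrityRunning           = $hvciRunning
    }
}

function Get-RunningDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths the service database stores
            # (\??\C:\... and \SystemRoot\...) into plain Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

Get-ByovdMitigationStatus

# Drivers loaded from outside System32\drivers are listed first; the Signer
# column shows the publisher whose certificate vouches for each driver.
Get-RunningDriverSigners |
    Sort-Object { $_.Path -like "$env:SystemRoot\System32\drivers\*" } |
    Format-Table -AutoSize
```

A legitimately signed driver can still be a known-vulnerable one, so the signer listing is a starting point for review, not a verdict; the blocklist and Memory Integrity are what actually stop a vulnerable driver from loading.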

John Greenwood

He has been working with Cybersec and Infosec market for 12+ years now. Passionate about AI, Cybersecurity, Info security, Blockchain and Machine Learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
