The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has raised concern about a high-impact threat to Windows operating system, the Blackbyte Ransomware, which has the capacity to bypass protections by disabling more than 1,000 drivers used by various security solutions.
The NCC-CSIRT stated the BlackByte ransomware gang, which is using a new technique that researchers called, “Bring Your Own Vulnerable Driver,” was exploiting the security issue that allowed it to disable drivers that prevent multiple Endpoint Detection and Response (EDR) and antivirus products like Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, from operating normally.
According to the Team, recent attacks attributed to this group involves a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.
It further stated that “Bring Your Own Vulnerable Driver” (BYOVD) method remained effective because the vulnerable drivers are signed with a valid certificate and run with high privileges on the system, adding that two notable recent examples of BYOVD attacks include Lazarus, abusing a buggy Dell driver and unknown hackers abusing an anti-cheat driver/module for the Genshin Impact game.
The NCC-CSIRT advisory recommended that system administrators protect against BlackByte’s new security bypassing trick by adding the particular MSI driver to an active blocklist, monitoring all driver installation events, and scrutinising them frequently to find any rogue injections that do not have a hardware match.
The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.
