AhnLab published a report detailing cases of attacks that use vulnerable drivers against institutions and other organizations.
AhnLab’s ASEC analysis team recently released a report titled ‘Lazarus Attack Group’s Rootkit Malware Analysis Report’. In this report, the ASEC analysis team analyzed the latest cases using the ‘Bring Your Own Vulnerable Driver (BYOVD) technique’. ‘BYOVD’ refers to an attack technique in which the attacker brings along a driver that carries a legitimate signature and runs normally on the Windows operating system, but that contains a vulnerability, and uses that driver to gain access to the target’s system.
The attacker first targeted an environment where security patches for specific software had not been applied and installed backdoor malware on the victim system. Afterwards, the ‘rootkit’ needed to achieve the attacker’s goal was downloaded to the victim system using backdoor malware. A rootkit is a kit of programs needed to easily obtain root privileges, which are the key to accessing the overall system, and contains various resources needed for attacks.
In this case, the vulnerability the attacker built into the rootkit was not in the rootkit’s own code but in a bundled driver for a specific foreign product, one that was legitimately signed and could run normally on Windows. The driver’s flaw was that it allowed access to the OS kernel without proper verification. Using this driver, the attacker gained read and write access to kernel data that would otherwise have been impossible to reach.
The attacker then shut down all monitoring systems except for system-essential driver files, leaving the various security solutions unable to track malware behavior. In an environment where security has been disabled in this way, attackers can go on to perform additional malicious acts such as information theft and ransomware infection.
Currently, V3 and the intelligent threat response solution ‘AhnLab MDS’ block these attacks at the initial stage using file- and behavior-based diagnosis functions.
In order to prevent attacks exploiting vulnerable drivers, an organization’s security personnel must follow basic security rules such as ▲setting security policies that prevent drivers from being executed (loaded) in the general user environment ▲using and updating security solutions such as anti-virus software to stop attacks at the initial stage ▲applying software security patches and updates immediately.
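The recommendations above hinge on knowing which kernel drivers are actually loaded and whether any of them are known to be vulnerable, since the drivers abused in BYOVD attacks carry a valid signature and pass an ordinary signature check. The following PowerShell script is an added example for defenders, not code from the AhnLab report: it inventories the running kernel drivers on a Windows host, records their signer and SHA-256 hash, and flags any hash found on a blocklist. The blocklist entry is a constructed placeholder; in practice it would be populated from a maintained source such as Microsoft’s recommended driver block rules.

```powershell
# Added example (not from the AhnLab report): inventory the kernel drivers
# currently loaded on a Windows host and flag any whose SHA-256 hash appears
# on a blocklist of known-vulnerable drivers. Run from an elevated prompt.

# Placeholder hashes (constructed, not real indicators). Replace with a
# maintained blocklist such as Microsoft's recommended driver block rules.
$VulnerableDriverHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER-vulnerable-driver-A'
}

function Get-LoadedKernelDriverReport {
    param([hashtable]$Blocklist = $VulnerableDriverHashes)

    # Win32_SystemDriver lists kernel-mode drivers registered with the
    # Service Control Manager; State 'Running' means the driver is loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may carry NT-style prefixes (\??\ or \SystemRoot\); normalise them.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()

        # A valid signature alone proves nothing here: drivers abused in BYOVD
        # attacks are legitimately signed. The hash lookup is the meaningful check.
        [pscustomobject]@{
            Name        = $d.Name
            Path        = $path
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus   = $sig.Status
            Sha256      = $hash
            OnBlocklist = $Blocklist.ContainsKey($hash)
            Note        = if ($Blocklist.ContainsKey($hash)) { $Blocklist[$hash] } else { '' }
        }
    }
}

# Show every loaded driver, with any blocklisted ones first.
Get-LoadedKernelDriverReport |
    Sort-Object -Property OnBlocklist -Descending |
    Format-Table Name, SigStatus, OnBlocklist, Signer, Sha256 -AutoSize
```

Any driver reported with OnBlocklist set to True should be treated as a candidate for removal and as a trigger to review how it came to be installed, in line with the driver-loading policy the report recommends.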
“There may be more drivers similar to those used in this case of using the ‘BYOVD technique,’” said Han Myeong-wook, head of the AhnLab analysis team. “Organizational security managers must adhere to basic security rules while using TI services, etc. We must identify changes in attack techniques, and based on this, we must establish security policies necessary for the organization and make efforts from various angles, such as providing member security education,” he said.
Source: Pangyo Techno Valley Official Newsroom