Kaspersky has issued a warning to Windows users about a significant increase in attacks targeting vulnerable drivers.
According to the cybersecurity firm, the number of systems attacked using this technique grew by nearly 23% in the second quarter of 2024 compared to the previous quarter.
What are vulnerable drivers?
Drivers are essential software components that enable your computer’s operating system to communicate with hardware devices like printers, graphics cards, and network adapters. However, like any software, some drivers can contain vulnerabilities that can be exploited by malicious actors.
“Vulnerable drivers may be exploited for a wide range of attacks, including ransomware and Advanced Persistent Threats (APTs),” according to Kaspersky.
“While the drivers themselves are legitimate, they may contain vulnerabilities. These vulnerabilities can then be exploited for malicious purposes. Perpetrators use various tools and methods to install a vulnerable driver on the system. Once the operating system loads this driver, the attacker can exploit it to circumvent OS kernel security boundaries for their own goals,” Vladimir Kuskov, Head of Anti-Malware Research at Kaspersky, explains.
This type of attack, known as BYOVD (Bring Your Own Vulnerable Driver), involves attackers installing a driver with known vulnerabilities onto your system. Kaspersky says that these drivers “allow threat actors to attempt to disable security solutions on a system and escalate privileges, enabling them to carry out various malicious activities, such as installing ransomware or establishing persistence for espionage or sabotage, particularly if an Advanced Persistent Threat (APT) group is behind the attack.”
Kaspersky reports that the number of tools available online to exploit vulnerable drivers has increased significantly in recent years. In 2023 alone, they identified 16 such tools, compared to just one or two in previous years.
“Although nothing really stops threat actors from developing their own private tools, the publicly available ones eliminate the need for the specific skills required to research and exploit vulnerable drivers,” says Kuskov. “In 2023 alone, we identified approximately 16 new tools of this nature, marking a substantial increase from the mere one or two we observed in previous years. Given this rise, it is highly advisable to implement robust protective measures for any system.”
To protect yourself from attacks targeting vulnerable drivers, Kaspersky recommends the following:
· Thoroughly understand your infrastructure and closely monitor its assets, focusing on the perimeter.
· To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line. It provides real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organisations of any size and industry, as well as safeguarding systems against vulnerable driver exploitation.
· Implement a Patch Management process to detect vulnerable software within the infrastructure and promptly install security patches. Solutions like Kaspersky Endpoint Security and Kaspersky Vulnerability Data Feed can assist in this regard.
· Conduct regular security assessments to identify and patch vulnerabilities before they become an entry point for an attacker.
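The detection side of the advice above (knowing which drivers are registered on a host and whether any of them is a known vulnerable one) can be put into practice with a short inventory script. The PowerShell below is an added example written for this page; it is not code from the article, from Kaspersky, or from any Kaspersky product. It enumerates the kernel drivers registered as services, hashes each driver file, checks the hash against a blocklist and reports drivers whose Authenticode signature is not valid. The hash table `$KnownVulnerableSha256` holds constructed placeholder strings, not real driver hashes; a real deployment would populate it from a maintained source such as Microsoft's recommended driver block rules or the LOLDrivers project, both of which publish hashes of drivers known to be abused in BYOVD attacks.

```powershell
# Added example (not from the article or Kaspersky): inventory the kernel
# drivers registered on a Windows host and flag any whose SHA-256 hash appears
# in a blocklist, or whose Authenticode signature is missing or invalid.
# The entries in $KnownVulnerableSha256 are PLACEHOLDERS, not real indicators;
# replace them with hashes from a maintained vulnerable-driver blocklist.

# Placeholder blocklist: constructed values, not real driver hashes.
# PowerShell hashtable keys are case-insensitive, so the uppercase hex that
# Get-FileHash returns matches lowercase entries as well.
$KnownVulnerableSha256 = @{
    'PLACEHOLDER-SHA256-OF-KNOWN-VULNERABLE-DRIVER-1' = 'example-vulnerable-1.sys'
    'PLACEHOLDER-SHA256-OF-KNOWN-VULNERABLE-DRIVER-2' = 'example-vulnerable-2.sys'
}

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName is usually an absolute path, but some entries
    # are written as \SystemRoot\..., \??\C:\... or System32\...; normalise those.
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    if ($p -like '\SystemRoot\*') {
        $p = Join-Path $env:SystemRoot $p.Substring('\SystemRoot\'.Length)
    } elseif ($p -like '\??\*') {
        $p = $p.Substring(4)
    } elseif ($p -like 'System32\*') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverAudit {
    # Emit one record per registered kernel driver: hash, signer, state and findings.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $hash = $null; $signer = $null; $sigStatus = 'FileMissing'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $findings = @()
        if ($hash -and $KnownVulnerableSha256.ContainsKey($hash)) {
            $findings += "blocklisted ($($KnownVulnerableSha256[$hash]))"
        }
        # A legitimately signed but vulnerable driver passes this check; that is
        # exactly why the hash blocklist above is needed in addition to it.
        if ($sigStatus -ne 'Valid') { $findings += "signature: $sigStatus" }

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State        # Running / Stopped
            StartMode = $_.StartMode    # Boot / System / Auto / Manual / Disabled
            Path      = $path
            Sha256    = $hash
            Signer    = $signer
            Findings  = ($findings -join '; ')
        }
    }
}

# Show only drivers with a finding; drop the Where-Object to see the full inventory.
Get-DriverAudit |
    Where-Object { $_.Findings } |
    Sort-Object State, Name |
    Format-Table Name, State, StartMode, Findings, Path -AutoSize
```

Two caveats a practitioner should keep in mind. First, the script is a point-in-time check of drivers registered as services; a driver that was loaded and its service removed in the same session will not appear, so the inventory is best run on a schedule and the results compared over time (a newly registered driver with `StartMode = Manual` that is `Running` is worth a second look). Second, the signature check is deliberately not the main control: BYOVD works precisely because the abused driver carries a valid vendor signature, which is why the hash comparison against a maintained blocklist, and ideally the operating system's own driver block policy, does the real work here.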