BYOVD (Bring Your Own Vulnerable Driver) attacks remain very popular among threat actors as EDR killers.
One reason is that they open the way to a kernel-level attack, which gives cybercriminals a wide range of options, from hiding malware to spying on login credentials to attempting to disable EDR solutions. Sophos security specialists Andreas Klopsch and Matt Wixey have closely examined what has been happening with the Terminator tools over the last six months and summarized their findings in the report “It'll be back: Attackers still abusing Terminator tool and variants”.
Driver smuggling
BYOVD is a class of attack in which threat actors load known vulnerable drivers onto a compromised computer to gain kernel-level privileges. Cybercriminals have an easy time choosing vulnerable drivers: for example, the open source repository loldrivers.io lists 364 entries for vulnerable drivers, including the corresponding signatures and hashes. This convenient way of identifying suitable drivers is one of the reasons why BYOVD attacks are no longer reserved for highly professional threat actors but can also be carried out by less sophisticated ransomware attackers.
Another possible reason for BYOVD's continued popularity among less technically proficient cybercriminals is that they can purchase the kits and tools they need almost off the shelf on criminal forums. One of these tools attracted particular attention in May 2023, when the well-known threat actor “spyboy” offered a tool called Terminator on the Russian-language ransomware forum RAMP. The tool was said to cost between $300 and $3,000 and to be able to disable 24 security products.
This is how companies can protect themselves
Many of the security providers on spyboy's list, including Sophos, acted quickly to investigate the driver variants and develop protection measures. Sophos recommends four steps to protect against BYOVD attacks:
- Test whether the endpoint security product has tamper protection enabled.
- Enforce strict hygiene in Windows security roles, since BYOVD attacks are usually enabled by privilege escalation and UAC bypasses.
- Keep all operating systems and applications up to date and remove older software.
- Include vulnerable drivers in the vulnerability management program. Threat actors may attempt to exploit vulnerable legitimate drivers that are already present on a compromised system.
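The last two steps are easier to operationalize when the driver inventory collected from endpoints is cross-checked against a feed such as loldrivers.io. The following is an added example, not Sophos's or loldrivers.io's own code: it uses a constructed, simplified feed layout (the field names and hashes are placeholders, not the real feed schema) and flags exact hash matches as well as file-name-only matches, which may indicate a renamed or modified variant of a listed driver.

```python
import json

# Constructed stand-in for a loldrivers.io-style feed. Field names and hash
# values are placeholders, not copied from the real feed.
SAMPLE_FEED = json.dumps([
    {"Id": "feed-entry-0001", "Category": "vulnerable driver",
     "KnownVulnerableSamples": [
         {"Filename": "example_vuln.sys", "SHA256": "aa" * 32}]},
    {"Id": "feed-entry-0002", "Category": "malicious",
     "KnownVulnerableSamples": [
         {"Filename": "example_killer.sys", "SHA256": "bb" * 32}]},
])

# Constructed endpoint inventory as a vulnerability scanner might collect it:
# one record per installed driver with host, file name and SHA-256.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "Filename": "example_vuln.sys", "SHA256": "aa" * 32},
    {"host": "ws-02", "Filename": "example_vuln.sys", "SHA256": "cc" * 32},
    {"host": "ws-03", "Filename": "benign.sys", "SHA256": "dd" * 32},
]


def index_feed(feed_json):
    """Build lookup tables: sha256 -> feed id and lowercase file name -> feed id."""
    by_hash, by_name = {}, {}
    for entry in json.loads(feed_json):
        for sample in entry.get("KnownVulnerableSamples", []):
            if sample.get("SHA256"):
                by_hash[sample["SHA256"].lower()] = entry["Id"]
            if sample.get("Filename"):
                by_name[sample["Filename"].lower()] = entry["Id"]
    return by_hash, by_name


def classify_inventory(feed_json, inventory):
    """Return one finding per driver: 'known_vulnerable' on an exact hash match,
    'possible_variant' when only the file name matches a listed sample (a
    renamed or modified build that the hash list alone would miss), else
    'unlisted'. Findings carry the feed entry id for the analyst to follow up."""
    by_hash, by_name = index_feed(feed_json)
    findings = []
    for drv in inventory:
        sha, name = drv["SHA256"].lower(), drv["Filename"].lower()
        if sha in by_hash:
            verdict, ref = "known_vulnerable", by_hash[sha]
        elif name in by_name:
            verdict, ref = "possible_variant", by_name[name]
        else:
            verdict, ref = "unlisted", None
        findings.append({"host": drv["host"], "driver": drv["Filename"],
                         "verdict": verdict, "feed_id": ref})
    return findings
```

A "possible_variant" hit needs analyst review (signer, version, origin) before it is treated as a vulnerability finding, since a legitimate updated build of the same driver will also match by name.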
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.