How BYOVD Attacks Target Windows and How to Stop Them?

BYOVD attacks are a sophisticated method cybercriminals employ to exploit legitimate but vulnerable drivers in Windows systems. By introducing these drivers, attackers can gain kernel-level access, bypassing traditional security measures and compromising system integrity.

Let’s learn how BYOVD attacks work, the types of drivers they exploit, why they’re a rising threat, and how to effectively prevent them.

How BYOVD Works?

BYOVD ( Bring Your Own Vulnerable Driver ) attacks likely began in the gaming scene as a method to bypass anti-cheat systems, but have since evolved into a powerful hacking tactic. One of the earliest major uses was in 2012, when the Shamoon wiper malware targeted Saudi Aramco using a vulnerable driver, marking the technique’s rise to global attention, bringing global attention to these techniques:

• Acquisition of a Vulnerable Driver: Attackers identify and obtain drivers with known vulnerabilities.
  
• Deployment: The malicious driver is introduced into the target system.
  
• Exploitation: Leveraging the driver’s vulnerabilities, attackers execute code at the kernel level, granting them elevated privileges.
  
• Payload Execution: With elevated access, malicious payloads are deployed, potentially disabling security tools and compromising data.
  

This technique has been utilized in various cyberattacks, including those involving ransomware groups like Cuba, highlighting the critical need for robust defense mechanisms.

Strategies to Prevent BYOVD Attacks

1. Enable Memory Integrity (HVCI)

Memory Integrity, also known as Hypervisor-Protected Code Integrity (HVCI), ensures that only trusted drivers are loaded into memory.

Steps for Windows 10/11:

1. Open Windows Security: Navigate to Start > Settings > Update & Security > Windows Security.
   
2. Access Device Security: Click on Device Security.
   
3. Core Isolation Details: Under Core Isolation, select Core Isolation Details.
   
4. Enable Memory Integrity: Toggle the switch to On.
   
5. Restart Your PC: A system reboot is required to apply changes.
   

Enabling HVCI adds a layer of protection against malicious drivers by enforcing strict code integrity policies.

2. Utilize Microsoft’s Vulnerable Driver Blocklist

Microsoft maintains a blocklist of drivers known to be vulnerable, preventing them from loading on Windows systems.

Steps to Enable:

1. Open Windows Security: Go to Start > Settings > Update & Security > Windows Security.
   
2. Access Device Security: Click on Device Security.
   
3. Core Isolation Details: Under Core Isolation, select Core Isolation Details.
   
4. Enable Memory Integrity: Ensure it’s turned On.
   
5. Update Blocklist: The blocklist is updated automatically with Windows updates, but you can manually check for updates via Settings > Update & Security > Windows Update.
   

By keeping this blocklist updated, you can prevent known vulnerable drivers from compromising your system.

3. Restrict Driver Installation Privileges

Limiting who can install drivers reduces the risk of unauthorized or malicious drivers being introduced.

Steps:

1. Open Local Group Policy Editor: Press Win + R, type gpedit.msc, and press Enter.
   
2. Navigate to Driver Installation Settings: Go to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
   
3. Enable Policy: Double-click on Prevent installation of devices not described by other policy settings, set it to Enabled, and click OK.
   

This policy ensures that only administrators can install new drivers, adding a layer of control over driver installations.

4. Regularly Audit Installed Drivers

Conducting periodic audits helps identify and remove outdated or vulnerable drivers.

Steps:

1. Open Device Manager: Press Win + X and select Device Manager.
   
2. Review Drivers: Expand each category and review the drivers listed.
   
3. Update or Remove: Right-click on a driver and choose Update driver or Uninstall device if it’s unnecessary or outdated.
   

Regular audits help maintain a secure and efficient system by ensuring all drivers are up-to-date and necessary.

5. Fortify Your Defense with Fortect

While manual configurations are essential, leveraging advanced security solutions can provide comprehensive protection against BYOVD attacks.

Fortect is a third-party antivirus solution offering real-time malware protection. It automatically scans your Windows PC for threats, including those introduced through vulnerable drivers, and optimizes your system for peak performance.

Key Features:

• Real-Time Threat Detection: Continuously monitors your system to detect and block malware threats instantly.
• Automatic Repairs: Identifies and fixes issues caused by malware, including corrupted files and system instability.
• System Optimization: Enhances your PC’s performance by addressing underlying issues and removing unnecessary files.
• With Built-in Driver Updater: Fortect driver updater feature automatically scans all installed drivers to identify which ones are outdated or corrupted, and updates them automatically. As a Windows user, you don’t need to check which drivers on your PC are outdated. Fortect saves you from that hassle. 

By integrating Fortect into your security strategy, you can proactively defend against BYOVD attacks and maintain a secure, high-performing system. Fortect is not only the best third-party PC repair due to its real-time malware protection but also with driver updater which makes every Windows user protected and have a peace of mind.

Download Fortect and enhance your system’s security and performance.

Note: Always ensure that your operating system and all drivers are up-to-date. Regular updates often include patches for known vulnerabilities, reducing the risk of exploitation.

Types of Exploited Drivers

CrowdStrike classifies abused drivers into three types: vulnerable, weaponizable, and malicious. Vulnerable and weaponizable drivers are key to BYOVD attacks. These are legitimate drivers with flaws, like allowing unauthorized access to kernel memory, which attackers can exploit to load unsigned malicious drivers and bypass Windows security checks.

gdrv.sys

gdrv.sys is a Gigabyte kernel driver used for system tuning and hardware control. Older versions have serious flaws (e.g., CVE-2018-19320 to CVE-19323) that allow attackers to access kernel memory and system registers. The RobbinHood ransomware exploited one such flaw to disable Driver Signature Enforcement (DSE), load a malicious driver, and disable security tools like EDR.

GMER

GMER is a rootkit detection tool that uses a driver to scan and interact with kernel structures. While designed for security, its driver has been misused by attackers to weaponize or terminate protected processes. It exposes the ZwTerminateProcess API through the 0x9876C094 IOCTL, allowing attackers to kill any process by simply sending its PID.

Mimikatz

Mimikatz is a popular tool for extracting Windows credentials, often used for both security testing and malicious attacks. It includes a signed kernel driver that can load without disabling Windows Driver Signature Enforcement (DSE). Despite its origins in security research, the driver is considered malicious due to its ability to aid in credential theft and lateral movement.

Why BYOVD Is a Growing Threat?

The increasing prevalence of BYOVD attacks can be attributed to:

• Accessibility of Vulnerable Drivers: Many drivers with known vulnerabilities are readily available online.
  
• Evasion of Security Measures: BYOVD attacks can bypass traditional antivirus and endpoint detection systems.
  
• Persistence: Once a vulnerable driver is installed, it can be challenging to detect and remove.
  

Given these factors, it’s imperative to adopt comprehensive strategies to mitigate the risks associated with BYOVD attacks.

You may also check the related article, BYOD Security Risks, for more reference.