Blackbyte’s new cyberattack strategy
According to researchers from Sophos, Blackbyte is back with a new strategy to disable more than 1000 different drivers which security products rely on. Blackbyte has already abused various software to bypass security features in 2022.
Now, a new technic relies on a MSI driver and is therefore called „Bring your own Driver“. The driver RTCore64.sys is legitimately used for extended control over graphic cards and has the vulnerability CVE-2019-16098 which was used to gain access to additional privileges and to execute code.
The attack begins with identifying the kernel so that the correct offsets for the kernel memory structures can be chosen. Afterwards, RTCore64.sys is installed into AppData\Roaming and service is started. While the name of the service is always the same, the display name is randomly selected from a list of rather morbid strings like “I’m so lonely, help me.”, “I’m empty inside, help me.”, and a few more.
Once the driver is setup and ready to go, they use the earlier mentioned vulnerability to block the kernel notification routines. Those routines include callback functions which are used by EDR to protect the system.
What can you do against it? To prevent such an attack, it is important to monitor, maintain installed drivers and remove unused drivers from the endpoints.
Interested in knowing more? Here you can read the whole news by Sophos.
Patch of the Week – by Cisco
Cisco has released a patch to fix two high rated vulnerabilities for Cisco Expressway Series and Cisco Telepresence VCS, both rated with a 7.4 CVSS Base Score:
- The first vulnerability, CVE-2022-20814, allowed a Man-in-the-Middle attack. The attacker could use a self-singed certificated to intercept the communication between devices and impersonate the other endpoints.
- With the second vulnerability, CVE-2022-20853, the attacker was capable to create a Denial of Service (DOS) attack. Due to a weakness in Cross-site request forgery protection, the attacker was able to reset the system by luring the user of a REST API to click on a crafted link.
Both vulnerabilities have been fixed in the latest update.
For further information, check the article by Cisco Security Advisory.
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.