Scattered Spider tried the BYOVD attack to bypass security

January 24, 2023
Scattered Spider Threat Group BYOVD Cyberattack Bypass Security

The financially motivated threat group called Scattered Spider has attempted to utilise the Bring Your Own Vulnerable Driver (BYOVD) strategy through vulnerable third-party drivers to bypass security detections.

Last month, a security company linked that massive increase in attacks against telecommunication and BPO firms to the group, which was confirmed as the group tried to use the earlier mentioned method.


The Scattered Spider group tried to abuse a critical vulnerability for their attacks.


According to investigations, the Scattered Spider operators attempted to exploit CVE-2015-2291 in the Intel Ethernet diagnostics driver. The flaw could enable an unauthorised individual to run arbitrary code with kernel privileges through specially developed calls.

Unfortunately, the threat actors could still exploit the flaw by planting an older and vulnerable version on infected devices even though the vulnerability was fixed by researchers nearly a decade ago.

The driver utilised by the group is a small 64-bit kernel driver with about 35 features and is signed by different stolen certificates from Global Software LLC and NVIDIA. Moreover, these stolen certificates explained how Windows could not block the attempt.

The scary part of the attack is that the threat actors could utilise the drivers to deactivate EDR. Hence, it could limit the security’s visibility and prevention capabilities and prepares a targeted network for follow-up attacks.

Subsequently, the driver decrypts a hard-coded string of targeted security products and fixes the target drivers at hard-coded offsets upon startup. The injected malware routine also shows that the infected security software generally functions despite deactivation.

The Bring Your Own Vulnerable Driver attack has been adopted by numerous groups for the past few months. One malicious group that employed such a strategy is the notorious BlackByte ransomware gang.

This threat group was discovered abusing a flaw in Micro-Star’s MSI AfterBurner to disable over 1,000 drivers during its BYOVD campaign.

Windows users should secure their driver blocklist feature to keep the BYOVD attacks at bay. Researchers noted that the Scattered Spider threat group is known for focusing on a single target and pouring their attention on it.

Therefore, companies should secure their networks as the BYOVD attack is a formidable tactic.

About the author

Leave a Reply