"Old Intel Drivers Used by Scattered Spider Hackers to Get Around Security"

Scattered Spider, a financially motivated threat actor, was observed attempting to deploy Intel Ethernet diagnostics drivers in a Bring Your Own Vulnerable Driver (BYOVD) attack to evade Endpoint Detection and Response (EDR) security solutions. In a BYOVD attack, the attacker escalates privileges on Windows by loading a vulnerable kernel-mode driver and exploiting the flaw in it. Because device drivers run inside the operating system's kernel, exploiting such a flaw lets threat actors execute malware with the highest privileges in Windows. CrowdStrike became aware of this new technique shortly after its previous report on Scattered Spider was published in December 2022. According to the latest CrowdStrike analysis, the hackers used the BYOVD approach to target SentinelOne, Palo Alto Networks Cortex XDR, and Microsoft Defender for Endpoint. Scattered Spider was seen attempting to exploit CVE-2015-2291, a critical flaw in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges via specially crafted calls. Although this flaw was fixed in 2015, threat actors can still exploit it by installing the outdated driver version on compromised devices. This article continues to discuss Scattered Spider attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD attack to evade EDR security solutions.
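The defensive angle the summary leaves implicit is that a BYOVD driver is usually validly signed, so signature checks alone do not catch it; what stands out is a driver that is on a known-vulnerable list, or that loads from somewhere other than the driver store. The following is an added example, not code from the article or from CrowdStrike, that runs that check over a few constructed DriverLoad-style records (Sysmon Event ID 6 provides this kind of data). The file name iqvw64e.sys is assumed here as the Intel Ethernet diagnostics driver affected by CVE-2015-2291; it is not named on the page, and the second watchlist entry is a placeholder.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Watchlist of driver file names known to be abused in BYOVD attacks.
# Constructed for this example: iqvw64e.sys is assumed to be the Intel
# Ethernet diagnostics driver behind CVE-2015-2291 (file name not on the
# page); the second entry is a placeholder, not a real driver.
WATCHLIST = {
    "iqvw64e.sys": "Intel Ethernet diagnostics driver, CVE-2015-2291",
    "placeholder_vuln.sys": "placeholder for another blocklisted driver",
}

# Directories from which a legitimately installed driver normally loads.
# A driver dropped by an attacker is typically loaded from somewhere else.
TRUSTED_PREFIXES = (
    r"c:\windows\system32\drivers\\".rstrip("\\") + "\\",
    r"c:\windows\system32\driverstore\\".rstrip("\\") + "\\",
)


@dataclass
class Finding:
    host: str
    image: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse a flattened Key="Value" DriverLoad record (constructed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def check_driver_load(event: dict) -> list[Finding]:
    """Return findings for one driver-load event.

    Note that the Signed/Signature fields are deliberately not used to
    clear an event: the vulnerable Intel driver carries a valid vendor
    signature, which is exactly why BYOVD gets past signature checks.
    """
    findings: list[Finding] = []
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    host = event.get("Host", "?")
    if name in WATCHLIST:
        findings.append(Finding(host, image, f"known-vulnerable driver: {WATCHLIST[name]}"))
    if image and not image.lower().startswith(TRUSTED_PREFIXES):
        findings.append(Finding(host, image, "driver loaded from outside the driver store"))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Run the check over a batch of records and collect all findings."""
    out: list[Finding] = []
    for line in lines:
        out.extend(check_driver_load(parse_event(line)))
    return out


# Constructed sample records: a normal Microsoft driver, the vulnerable Intel
# driver dropped into a user-writable folder, and the same driver in the
# usual drivers directory (still vulnerable, so still flagged).
SAMPLE_EVENTS = [
    'Host="ws01" ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed="true" Signature="Microsoft Windows"',
    'Host="ws02" ImageLoaded="C:\\Users\\Public\\iqvw64e.sys" Signed="true" Signature="Intel Corporation"',
    'Host="ws03" ImageLoaded="C:\\Windows\\System32\\drivers\\iqvw64e.sys" Signed="true" Signature="Intel Corporation"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} -> {f.reason}")
```

In production the watchlist should be keyed on file hash rather than file name, since the loaded file can be renamed freely and Sysmon's DriverLoad event already carries the hashes; the name-based match above is only to keep the example readable. Blocking, as opposed to detecting, is the job of Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity, which this script does not replace.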

CyberIntelMag reports "Old Intel Drivers Used by Scattered Spider Hackers to Get Around Security"

Submitted by Anonymous on