Jump to content
  • Ransomware Group Bypasses "Enormous" Range of EDR Tools

    aum

    • 357 views
    • 2 minutes
     Share


    • 357 views
    • 2 minutes

    A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.

     

    BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos.

     

    The UK cybersecurity vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys.

     

    This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.

     

    The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider.

     

    This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralizing it in this way renders any security tool relying on the feature also useless, the firm argued.

     

    “If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Christopher Budd, senior manager, threat research at Sophos.

     

    “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”

     

    BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said.

     

    “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” confirmed Budd.

     

    “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...