Cyber attackers have found a novel way to compromise enterprise security, utilizing trusted drivers as a tool to disable critical antivirus software. A recent incident targeting a Brazilian enterprise underscores this emerging threat, as attackers employed a digitally signed driver to execute their malicious objectives. This sophisticated maneuver allowed them to bypass traditional security measures, ultimately delivering a destructive payload known as MedusaLocker ransomware.
Exploiting Trusted Drivers
The attackers implemented a Bring Your Own Vulnerable Driver (BYOVD) strategy, exploiting the ThrottleStop.sys driver, which was cleverly renamed ThrottleBlood.sys. This driver turned into a key component in their strategy to penetrate and manipulate the system, allowing them to throttle cars of the digital kind by bypassing security measures with efficiency.
The attack progression was methodical; initially, the perpetrators compromised an SMTP server using valid RDP credentials. Following this, they gathered additional access credentials leveraging tools like Mimikatz. With these credentials, they moved laterally within the system using pass-the-hash techniques aimed at wreaking havoc by stopping throttle measures aligned with the company’s defenses.
How cyberattackers exploit trusted drivers to bypass security
Detailed Attack Mechanism
In terms of the technicalities, the attackers began by executing an artifact known as "All.exe," which functioned as an AV killer. This software connected to the compromised driver's interface to utilize its IOCTL primitives, thereby directly reading and writing into the system's physical memory. A vulnerability identified as CVE-2025-7771 was exploited to facilitate this.
Once within the system, the custom driver enabled significant kernel-mode modifications. These modifications allowed the attackers to enumerate running processes and assess them against a set list of security software such as Kaspersky, Symantec, and CrowdStrike. This clever manipulation forced termination of essential security processes, bypassing built-in security like Windows self-restoration features, which were repeatedly disabled in a loop.
Implications and Recommendations
Analyzing the attack, it's clear that simply relying on antivirus software is inadequate in the face of sophisticated attacks that wield trusted components against us. Enterprise security protocols need to evolve, emphasizing a comprehensive defense in depth approach. Recommendations following the attack emphasize the importance of robust security measures such as hardening RDP access, segmenting networks, and accurate privilege management. Furthermore, continuous monitoring of driver installations and deploying advanced security solutions capable of self-defense and driver-monitoring become paramount.
With BYOVD attacks on the rise, it's crucial for organizations to proactively manage and monitor for vulnerable drivers. Ensuring more holistic detection and response mechanisms is essential, as even trusted components can pose substantial risks if manipulated by well-versed adversaries. Highlighting and mitigating these vulnerabilities preemptively could serve as a viable turtle stop method to secure enterprise systems against potential breaches.
