Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks

Threat actors are exploiting security gaps to weaponize Windows drivers and terminate security processes in targeted networks, and there may be no easy fixes in sight.

When it comes to bring-your-own-vulnerable-driver (BYOVD) attacks, Microsoft may be stuck between a rock and a hard place.

Over the past year, threat actors, most notably ransomware groups, have increasingly embraced the BYOVD technique to disable security products in a targeted network. The technique involves threat actors identifying a vulnerable driver that they can exploit and dropping it on a targeted system. Attackers then use the kernel-level access and elevated privileges of the driver to kill security processes on a system before deploying their payload, be it ransomware, infostealers, or backdoors.
Article Summaries:
- Microsoft faces mounting pressure to strengthen its Windows kernel against “bring-your-own-vulnerable-driver” (BYOVD) attacks. Ransomware groups increasingly drop vulnerable drivers that are abused for their kernel-level privileges to terminate security processes before delivering payloads such as ransomware or backdoors. Despite decades of kernel hardening, including Driver Signature Enforcement, researchers point to significant gaps, notably the inability to check certificate revocation lists at boot, which allows attackers to use revoked or legacy drivers. The problem has shifted much of the defensive burden onto EDR vendors, while potential fixes risk system instability or new vulnerabilities. Microsoft’s next steps remain uncertain as the industry seeks more robust countermeasures.
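As an added illustration, not part of the original article, the following script shows the kind of driver-load triage a defender can run against Sysmon Event ID 6 (DriverLoad) records to catch the pattern described above and in the summary: a driver dropped into a user-writable directory, a hash on a vulnerable-driver blocklist, or a signature that is revoked or otherwise not valid. The blocklist hash and the three event records are constructed placeholders; only the Sysmon field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real.

```python
import re

# Constructed blocklist: a placeholder SHA256 mapped to a label. A real deployment
# would load Microsoft's vulnerable driver blocklist or a vendor feed instead.
BLOCKLIST = {"a" * 64: "placeholder: known vulnerable driver"}

# Signed system drivers do not normally load from user-writable locations.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to the
# "Key: value" lines of the rendered event message. Hashes are placeholders.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys\nHashes: SHA256=" + "b" * 64
    + "\nSigned: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\Temp\\drv.sys\nHashes: SHA256=" + "a" * 64
    + "\nSigned: true\nSignature: Example Vendor\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\Temp\\x.sys\nHashes: SHA256=" + "c" * 64
    + "\nSigned: true\nSignature: Old Vendor\nSignatureStatus: Revoked",
]

FIELD_RE = re.compile(r"^(\w+): (.*)$", re.M)


def parse_event(text):
    """Turn a rendered DriverLoad message into a dict of its fields."""
    return dict(FIELD_RE.findall(text))


def assess(event, blocklist=BLOCKLIST):
    """Return the reasons a driver load looks like BYOVD; an empty list means clean."""
    reasons = []
    hashes = dict(h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "").lower()
    if sha256 in blocklist:
        reasons.append(f"hash on blocklist ({blocklist[sha256]})")
    # A driver signed with a revoked or legacy certificate still loads, which is
    # the gap the article describes, so anything but a valid signature is flagged.
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is not signed")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status is {event.get('SignatureStatus')}")
    if event.get("ImageLoaded", "").lower().startswith(USER_WRITABLE):
        reasons.append("loaded from a user-writable directory")
    return reasons


def suspicious_loads(events=SAMPLE_EVENTS):
    """Map each flagged driver path to its reasons, dropping clean loads."""
    results = ((e["ImageLoaded"], assess(e)) for e in map(parse_event, events))
    return {path: reasons for path, reasons in results if reasons}
```

Run against the constructed records, the system driver passes while the dropped driver is flagged for both its hash and its location, and the third load for its revoked signature.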