Criminals With Drivers. What's the fuss?
Dennis Underwood
CEO @ Cyber Crucible, Inc. | Information Security and Privacy | Cyber Operations Automation Expert | Inventor
If you are in my LinkedIn content feed, you have likely seen news about a malicious Windows driver.
Let's break that down a bit, with the what, the why, the how, and why the #securityindustry vendor response is certainly inadequate to protect businesses.
I should note that the issue discussed here doesn't really affect Cyber Crucible customers. In early 2021, we suspected we would shortly start seeing this and developed countermeasures, and by late 2021 we think we were actually defending against it.
What is a driver, in this context?
A driver is a piece of software installed inside Windows, but unlike a normal program it is designed to run inside the less-visible parts of the operating system and not really interact with the user.
This type of software powers things like communication with your printer, or makes sure your network connection works.
It is typically more difficult to write than a user application, but the tradeoff is that the developer gets a LOT more power and functionality than normal applications get.
Since we know extortionists want as much power over their victims as possible, it makes sense that they would eventually use this kind of software.
Just as a side note - the picture I used for this article is another malicious driver. That one was used by Russia (allegedly) against Ukraine.
What does Microsoft (etc) do, to protect from criminal drivers?
Microsoft has a process in which this special, powerful software is submitted by a legitimate software company (or another company that needs to ship a driver). Without getting into too many details, attackers can work around these checks by:
1. Opening up a "front" business that, when asked for various business credentials, is able to produce them. This is an old organized crime tactic with a new twist.
2. Stealing a legitimate business' access and submitting a software driver on the business' behalf (probably without the business knowing).
How did the criminals get Microsoft (etc) to trust them?
In this case, identity theft was used to enable further extortion. We see this in most attacks now, and it is why Cyber Crucible prevents identity theft. The extortion starts there.
So, in this case, #2 above was used, according to the news.
What are the attackers doing with this criminal driver?
For quite some time, attackers have been disabling security tools before an extortion/theft operation. It is a bit like painting the lenses of all the security cameras right before robbing the bank.
This special driver software gives attackers simpler, more automated ways to do what they have been doing anyway -> putting the guards to sleep.
What are security people doing in response?
There are limited actions "your security gal" at work can take to protect against this. You'll likely get a reminder not to click on links, to practice good hygiene, things like that.
On the "geeky" side of things, where my peers and I live, the criminal drivers have been blacklisted. That means that security tools, and even Microsoft itself, will remove the driver.
Blacklisting drivers sounds big. That's big, right?
Here's the thing about criminals - they usually have backup software prepared in case their digital henchman gets caught. Also, criminal activities are a bit like finding a cockroach. If you see one bug, you will find more bugs if you keep looking. So, other criminals are likely using Windows drivers for ill, that nobody knows about yet.
What this means is that blacklisting these particular drivers is good, but it is not a "one and done" win for the good guys. There are new drivers which will be found only after they've been used for a while to extort victims, and there are other drivers that simply were not caught up in this investigation.
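For readers who want to see what a driver blacklist check actually looks like on an endpoint, here is an added PowerShell example. It is not code from the article or from Cyber Crucible. It inventories the kernel drivers currently running, records each one's Authenticode signature status and SHA-256 hash, and flags any hash that appears in a block list. The function names (Resolve-DriverPath, Get-DriverInventory) and the $BlockedHashes list are my own; the hash in $BlockedHashes is a constructed placeholder, not a real indicator, and would be replaced with hashes from a vendor or Microsoft block list.

```powershell
# Added example, not from the article: inventory running kernel drivers, check
# their Authenticode signature, and compare SHA-256 hashes against a block list.
# Run from an elevated PowerShell session so the .sys files are readable.

# Constructed placeholder; substitute hashes from a real block list.
$BlockedHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000001'
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\system32\drivers\x.sys
    #   \SystemRoot\system32\drivers\x.sys
    #   system32\DRIVERS\x.sys
    # Normalise all of them to an absolute path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverInventory {
    # One record per running driver: name, path, signer, hash, blocked flag.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path $path)) {
                $sig  = Get-AuthenticodeSignature -FilePath $path
                $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Name      = $_.Name
                    Path      = $path
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                    Sha256    = $hash
                    Blocked   = ($BlockedHashes -contains $hash)
                }
            }
        }
}

# Report anything that is block-listed or not carrying a valid signature.
$inventory = Get-DriverInventory
$inventory |
    Where-Object { $_.Blocked -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, SigStatus, Signer, Blocked -AutoSize
```

Two things are worth noticing when running this. First, a driver obtained through the route the article describes (a stolen or fraudulent submission) will show SigStatus = Valid and a perfectly respectable signer, so the signature check alone would not have flagged it; only the hash match does. Second, the hash match only works for drivers somebody has already caught and published, which is exactly the "license plate" limitation discussed in the rest of the article. Inventories like this are still useful as a detection baseline: a new, unfamiliar driver appearing alongside security tools being stopped is the pattern to alert on, whether or not its hash is on anyone's list yet.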
OK Mr. Doom & Gloom. How can I protect myself?
The good news really is twofold:
First, Cyber Crucible is largely immune to attacks designed to disable it. This is just one more type of attack we have prepared for, so our customers don't really need to worry about the issue. We do not blindly trust any software on the system, no matter how privileged it appears to be.
Second, this is just one more step in the cat and mouse game between extortionist criminals and defenders. I'm deeply concerned that specific drivers being blacklisted is being advertised as some really big protection. It is like a modern version of canceling the license plate of a criminal's getaway car. Good? Yes. Will the criminal just use another license plate, or another car? Yes.
There are some tricks up Microsoft's sleeve that they can use, though, that we may see them take in the future. Some of them cause service disruption to business and consumers, so I'm sure they are carefully considering next steps. In the meantime, though, Cyber Crucible will still do what it must to prevent identity and data theft & extortion on this, and many other extortion prevention issues.
Experts in making websites and software | Generate 5X more revenue with a high-converting website | Sr. Software Engineer | Founder @KodeIsland.
2 days ago
Dennis, thanks for sharing!
Some great advice here!!