BYOVD: Cyber Threats, EDR/XDR Disablement, and the Power of Air-Gap Backups with Instant Recovery
In the ever-evolving landscape of cyber threats, a new challenge has emerged known as "Bring Your Own Vulnerable Driver" (BYOVD). This cyber-attack technique, employed by both cybercriminal groups and nation-state actors, exploits vulnerabilities in legitimate, signed drivers – components crucial to the functionality of security products like Antivirus (AV), Extended Detection and Response (XDR), and Endpoint Detection and Response (EDR).
BYOVD allows threat actors to successfully exploit systems, explicitly using legitimate signed drivers to turn off essential components of AV, XDR, and EDR, effectively neutralizing traditional defense solutions.
Two recent high-profile BYOVD attacks underscore the severity of this threat. The BlackByte ransomware gang, as revealed by Sophos researchers, demonstrated the sophistication of BYOVD by exploiting a vulnerability in the Micro-Star MSI Afterburner utility. This attack leveraged a known vulnerability in the legitimate RTCore64.sys driver, turning off crucial components relied upon by security products. Concurrently, the Lazarus APT group utilized BYOVD to deploy a Windows rootkit, exploiting a Dell firmware driver vulnerability (CVE-2021-21551) in targeted attacks against aerospace industry employees and journalists during the autumn of 2021.
The reach of BYOVD extends beyond nation-state actors, with cybercrime groups such as RobbinHood and AvosLocker incorporating this technique. These groups exploited vulnerabilities (e.g., CVE-2018-19320) in drivers to bypass security solutions and compromise target systems. Other instances involve threat actors abusing a vulnerable anti-cheat driver in the Genshin Impact video game, AvosLocker disabling essential components, and the Candiru surveillance spyware leveraging BYOVD to elevate privileges through zero-day exploits.
As the threat landscape evolves, traditional security solutions like AV, XDR, and EDR face limitations against the sophistication of BYOVD. Relying solely on these tools proves insufficient. The cybersecurity paradigm must shift towards prioritizing air-gapped backups with instant recovery, mainly when attackers successfully use legitimate signed drivers to turn off critical AV, XDR, and EDR components. This approach ensures the security of critical data, even in the event of BYOVD attacks.
In the dynamic field of cybersecurity, Salvador Technologies provides innovative solutions with a recovery capability that sets a new standard for operational resilience.
Our Security Failover Technology ensures a quick 30-second recovery from BYOVD attacks and other sophisticated exploits. With air-gapped data protection, we strengthen cyber defense beyond traditional detection measures. As BYOVD threats grow, we empower organizations to navigate the challenges of the digital era with innovative recovery capability.