Threat actors linked to Qilin and Warlock ransomware operations have been observed leveraging the bring your own vulnerable driver (BYOVD) technique to disable over 300 endpoint detection and response (EDR) tools on compromised hosts.
According to research by Cisco Talos and Trend Micro, Qilin attacks involve the deployment of a malicious DLL named msimg32.dll, which plays a crucial role in silencing security tools running on infected systems.
In a BYOVD attack, the attacker exploits a vulnerability in a legitimate driver to disable EDR tools and other security software, which makes it harder for organizations to detect and respond to the ransomware attack.
The tactic is particularly concerning because it lets the threat actors operate undetected, which is why organizations should prioritize driver vulnerability management and put robust security controls in place to prevent such attacks.
The use of vulnerable drivers by Qilin and Warlock also highlights the importance of keeping software up to date and patching all systems against known vulnerabilities, including published CVEs in drivers.
