Kernel drivers are critical components of modern operating systems such as Windows. They run with higher privileges than even an administrator account, which makes them a prime target for attackers, who look for vulnerabilities in drivers as a way to gain complete control of the system.
To reduce these attacks, Microsoft requires kernel drivers to be vetted and digitally signed before they can be loaded, so that only drivers from trusted publishers run in the kernel. Although this design lowers the risk of malicious code executing in the kernel, attackers still find ways around it, for instance by exploiting vulnerabilities in legitimately signed drivers.
One type of attack that exploits such vulnerabilities is called 'Bring Your Own Vulnerable Driver' (BYOVD). The attacker drops a legitimate, validly signed but vulnerable driver onto the target system, loads it, and then abuses its flaw to obtain the kernel-level access needed for malicious actions such as disabling antivirus products. Because loading a driver requires administrator privileges (specifically SeLoadDriverPrivilege), these attacks are typically used after the system has already been compromised, as a way to step up from administrator to kernel.
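A defender-side check that follows from the description above, added here as an example and not taken from the original post or from Tinexta Defence's report: it enumerates the kernel drivers currently loaded on a Windows host, hashes each image, and flags any whose SHA-256 appears in a denylist, which is the kind of check the LOLDrivers project is designed to feed. The two placeholder hashes and the path C:\hunt\loldrivers-sha256.txt are constructed assumptions; real hashes would come from the LOLDrivers project's published data.

```powershell
function Find-DenylistedLoadedDriver {
    param(
        # Assumed export of LOLDrivers SHA-256 values, one hex string per line (assumption).
        [string]$DenylistPath = 'C:\hunt\loldrivers-sha256.txt'
    )

    $denylist = @{}
    # Constructed placeholder hashes, NOT real LOLDrivers entries; they only let the
    # script run end to end when the export file is absent.
    @(
        '0000000000000000000000000000000000000000000000000000000000000001',
        '0000000000000000000000000000000000000000000000000000000000000002'
    ) | ForEach-Object { $denylist[$_] = $true }

    if (Test-Path -LiteralPath $DenylistPath) {
        Get-Content -LiteralPath $DenylistPath |
            Where-Object { $_ -match '^[0-9a-fA-F]{64}$' } |
            ForEach-Object { $denylist[$_.ToLowerInvariant()] = $true }
    }

    # Win32_SystemDriver lists every kernel-mode driver service; State 'Running' means
    # the image is currently loaded in the kernel, which is what a BYOVD hunt cares about.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $d = $_
            # PathName may carry NT-style prefixes (\??\C:\... or \SystemRoot\...);
            # normalise them so the file cmdlets can open the image.
            $path = $d.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
            if (-not $denylist.ContainsKey($hash)) { return }

            # A 'Valid' status is expected here: BYOVD depends on the driver being
            # legitimately signed, so a good signature is not a clean bill of health.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Service   = $d.Name
                Path      = $path
                SHA256    = $hash
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

Find-DenylistedLoadedDriver | Format-Table -AutoSize
```

Two caveats apply to this kind of check. A hash denylist only catches builds that are already catalogued, so a newer or older version of the same vulnerable driver with a different hash will pass; pairing it with a driver-load audit (for example, alerting on any new kernel service whose image sits outside the usual driver directories) narrows that gap. And because the flagged drivers are validly signed, the signature fields in the output are there to show that signing status alone would not have caught them, not to suggest the signature is suspicious.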
Recently, our Malware Lab discovered and described a vulnerability, tracked as CVE-2024-22830, in the ACE-BASE.sys kernel driver, which is used by an 'anti-cheat' solution for some popular online games.
The Lab reported the problem directly to Microsoft and contributed to the open source LOLDrivers project to report the risk to the community.
If you wish to learn more, here is the link to our full report.
In addition, you can subscribe to the specific mailing list Cyber Studios by Tinexta Defence, to receive updates on upcoming research: https://tinextadefence.it/mailing-list-cyber-studios/