New research has identified 34 vulnerable Windows kernel drivers that threat actors could abuse as a stepping stone for further attacks. According to the report, an attacker who exploits these drivers can tamper with firmware and escalate privileges.
Cybercriminals and state-sponsored groups alike have long exploited vulnerable kernel drivers of this kind to tamper with system processes, maintain persistence on a compromised machine, and bypass security controls.
The research began by collecting roughly 18,000 Windows driver samples from VirusTotal using a purpose-written YARA rule. After excluding drivers already known to be vulnerable, the researchers were left with a few hundred file hashes corresponding to 34 unique, previously unreported vulnerable drivers.
The analysis covered both Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers. The researchers have also published the file names of the vulnerable drivers, some of which come from major BIOS, PC and chipset vendors.
Drivers like these are valuable to attackers because a legitimately signed driver that loads cleanly hands them kernel-level access without a kernel exploit of their own, which is why so-called bring-your-own-vulnerable-driver (BYOVD) tradecraft keeps turning up in both criminal and state-sponsored operations.
The newly identified drivers allow an attacker without system privileges to take full control of a targeted device. The researchers explained that, once a vulnerable driver is exploited, such an attacker can elevate their privileges, or erase or alter firmware, without ever holding system privileges.
The researchers notified the developers of the vulnerable drivers earlier this year. Unfortunately, only two of the affected developers have addressed the issue so far.
To illustrate the severity of the problem, the researchers developed proof-of-concept (PoC) exploits for several of the vulnerable drivers, demonstrating how an attacker could use them to manipulate firmware or escalate privileges.
To help the security community find similar bugs, the researchers have also released an IDAPython script that automates the search for vulnerable WDM and WDF drivers.
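For defenders, the published file names and hashes are only useful if they are actually checked against the drivers installed on a host, and a blocklist is only useful if something enforces it. The following PowerShell is an added example written for this article; it is not the researchers' tooling and not code from the original report. It enumerates every installed kernel driver, hashes and signature-checks the on-disk file, flags any hash that appears in a blocklist, and reports whether Hypervisor-enforced Code Integrity (HVCI), which is what applies Microsoft's vulnerable driver blocklist, is running. The `$KnownBadHashes` entry is a constructed placeholder; replace it with the hashes published by the researchers or with Microsoft's driver blocklist.

```powershell
# Added example, not from the research or the article.
# $KnownBadHashes is a CONSTRUCTED placeholder list; populate it with real
# SHA-256 values (e.g. the hashes the researchers published).
$KnownBadHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000001'   # placeholder, constructed
) | ForEach-Object { $_.ToUpperInvariant() }

# 1. Enumerate every installed kernel driver (running or not) with its on-disk path.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName comes in several shapes: quoted, \??\C:\..., \SystemRoot\..., or
        # relative to the Windows directory. Normalise to a plain absolute path.
        $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

        if (Test-Path -LiteralPath $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State            # Running / Stopped
                Path    = $path
                Sha256  = $hash
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStat = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                Flagged = $KnownBadHashes -contains $hash
            }
        }
    }

# 2. Anything on the blocklist, or running with a signature that does not verify, deserves a look.
#    Note: a blocklisted driver with a perfectly valid signature is exactly the BYOVD case,
#    so the hash match matters more than the signature status here.
$suspect = $drivers | Where-Object { $_.Flagged -or ($_.State -eq 'Running' -and $_.SigStat -ne 'Valid') }
$suspect | Format-Table Name, State, SigStat, Signer, Sha256 -AutoSize

# 3. Is the vulnerable driver blocklist actually enforced? HVCI enforces it; without HVCI the
#    list is advisory only. SecurityServicesRunning value 2 = Hypervisor-enforced Code Integrity.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$hvciOn = $dg.SecurityServicesRunning -contains 2
"HVCI (memory integrity) running: $hvciOn"
"Installed drivers checked: $($drivers.Count); flagged or unverifiable: $($suspect.Count)"
```

Run this from an elevated PowerShell session so that every driver file is readable. A driver that is installed but stopped is still a risk, since an attacker with administrative rights can start it, which is why the script does not filter on `State` before hashing. If HVCI reports as not running, enabling memory integrity (Windows Security, Core isolation) is the single most effective mitigation against this class of driver abuse, because it makes the blocklist enforceable rather than advisory.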
The disclosure is a reminder that defending against this class of threat takes ongoing vigilance and proactive measures, such as blocking known-vulnerable drivers and keeping driver inventories current, rather than waiting for vendors to ship fixes.