Intel's old driver used to bypass security

January 13, 2023

As the cyber security company CrowdStrike reports, attackers attempted to use an old Intel network adapter diagnostic driver in a BYOVD (Bring Your Own Vulnerable Driver) attack meant to bypass EDR products from companies such as Microsoft, Palo Alto Networks and SentinelOne.


The attack consists of installing a legitimately signed driver that has a known vulnerability and then triggering that vulnerability to run the attacker's own code with the highest privileges in the system. This works because drivers run inside the kernel: once the attacker controls a driver, they can disable or blind security products that rely on kernel callbacks, and the vulnerable driver itself is accepted by Windows because its signature is valid.

These attacks exploited CVE-2015-2291, rated high severity (CVSS score 7.8). The vulnerability lies in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys) and lets a local user run code with kernel privileges.

Although Intel patched the vulnerability in 2015, the fix does not stop the attack: the old, vulnerable build of the driver still carries a valid Intel signature, so a patched system loads it without complaint, and the attacker simply brings that build along. The malicious drivers loaded through it also need a signature that Windows accepts; in the case CrowdStrike describes, they were signed with certificates stolen from Nvidia and Global Software LLC, so Windows did not block them.

Microsoft has tried to solve this problem with its vulnerable driver blocklist, a list of drivers with known vulnerabilities, malicious behaviour, or certificates used to sign malware (unsigned drivers are already refused by driver signature enforcement on 64-bit Windows). However, the list is enforced by default only on Windows 11 (from version 22H2) and on systems with memory integrity (HVCI) turned on; elsewhere it must be enabled by hand, and updates to the list have been rare, shipping only with major Windows releases.
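The two checks a defender wants after reading this are whether the blocklist is actually being enforced on a given host and whether the vulnerable Intel driver is present or loaded there. The PowerShell below is an added example written for this page; it is not code from the article or from CrowdStrike's report. It assumes an elevated session on Windows, that CVE-2015-2291 affects iqvw64.sys/iqvw32.sys below file version 1.3.1.0 (per the CVE description), and the two function names are my own.

```powershell
# Added example (not from the article or CrowdStrike's report). Run elevated on a Windows host.

function Get-DriverBlocklistState {
    # Memory integrity (HVCI) reports 2 in SecurityServicesRunning when it is active;
    # HVCI is what enforces the vulnerable driver blocklist on Windows 10.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # Windows 11 22H2+ exposes the blocklist switch as a DWORD under CI\Config.
    # On older builds the value is simply absent.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $blocklist = if ($null -eq $item) { 'not set' } else { $item.VulnerableDriverBlocklistEnable }

    [pscustomobject]@{
        HvciRunning                     = $hvciRunning
        VulnerableDriverBlocklistEnable = $blocklist
        # Enforced if the explicit switch is 1, or if HVCI is on (which pulls the list in).
        BlocklistEnforced               = ($blocklist -eq 1) -or $hvciRunning
    }
}

function Find-VulnerableIqvwDriver {
    param(
        # Assumption: search the whole system drive; narrow this for large fleets.
        [string]$SearchRoot = "$env:SystemDrive\"
    )
    # Assumption from the CVE text: builds before 1.3.1.0 are affected.
    $patchedVersion = [version]'1.3.1.0'

    # Loaded kernel drivers, matched on the image name in PathName.
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'iqvw(32|64)\.sys$' } |
        Select-Object Name, State, PathName
    if ($loaded) {
        Write-Warning "Intel diagnostics driver currently loaded:"
        $loaded | Format-Table -AutoSize | Out-String | Write-Warning
    }

    # Copies on disk: BYOVD tooling usually drops the driver under a fresh name or
    # path, so check every copy, not just the one in System32\drivers.
    $onDisk = Get-ChildItem -Path $SearchRoot -Recurse -File `
                -Include 'iqvw64.sys', 'iqvw32.sys' -ErrorAction SilentlyContinue

    foreach ($file in $onDisk) {
        $vi  = $file.VersionInfo
        # Build the version from the numeric parts; FileVersion can carry trailing text.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        [pscustomobject]@{
            Path       = $file.FullName
            Version    = $ver
            Vulnerable = ($ver -lt $patchedVersion)
            # Note: a vulnerable build still shows Status = Valid and an Intel signer.
            # That is the whole point of BYOVD; the signature check alone does not save you.
            Signer     = $sig.SignerCertificate.Subject
            SigStatus  = $sig.Status
            SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    }
}

Get-DriverBlocklistState
Find-VulnerableIqvwDriver
```

Treat a loaded iqvw64.sys on a machine with no Intel diagnostics tooling installed as a finding worth pulling the process tree and service-creation events for, and feed the SHA256 values into your EDR's block rules. The signer column is there to make the caveat concrete: the vulnerable driver is not an unsigned or tampered file, so a host with the blocklist off has nothing that refuses it.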
