How hunting for vulnerable drivers unraveled a widespread attack

Attackers are increasingly targeting vulnerabilities in drivers, which run in kernel mode with the highest privileges, to bypass security measures and facilitate further infections. To prevent the abuse of vulnerable drivers, Microsoft’s 2015 policy required new drivers to be signed. However, the policy still allowed pre-2015 drivers to run. Attackers exploited this loophole using a legacy version of the driver Truesight.sys, which is known to have vulnerabilities in later versions. To further evade detection, the attackers generated 2,500 variants of the 2.0.2 driver, each with a different hash, by modifying specific parts of the driver while keeping the digital […]

The post How hunting for vulnerable drivers unraveled a widespread attack appeared first on Check Point Blog.