The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has flagged a high-impact threat to the Windows operating system, the BlackByte ransomware, which can bypass security protections by disabling more than 1,000 drivers used by various security solutions.
This was disclosed in a statement issued yesterday by the director of public affairs of the commission, Reuben Mouka.
The NCC-CSIRT said the BlackByte ransomware gang is using a technique that researchers call “Bring Your Own Vulnerable Driver”: it exploits a flaw in a legitimately signed driver to disable the drivers that multiple Endpoint Detection and Response (EDR) and antivirus products rely on, including Avast, Sandboxie, the Windows DbgHelp Library, and Comodo Internet Security, so that those products no longer operate normally.
Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098, the commission warned.
The “Bring Your Own Vulnerable Driver” (BYOVD) method is effective because the attacker needs no unsigned or forged driver: the vulnerable driver carries a valid code-signing certificate, so Windows loads it, and once loaded it runs in kernel mode with the highest privileges on the system, from where the attacker can disable the drivers that security products depend on.
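As a companion to the advisory, here is an added PowerShell triage script (written for this page, not code from the NCC-CSIRT statement or from the researchers it cites) that enumerates the kernel drivers currently loaded on a Windows host, records each one's Authenticode status and SHA-256 hash, flags the driver the advisory names, and reports whether HVCI and Microsoft's vulnerable driver blocklist are turned on. The driver-name list and the "loaded from outside System32\drivers" heuristic are assumptions made for illustration, not an authoritative blocklist.

```powershell
# Added example: triage for a BYOVD-style loaded driver on a Windows host.
# Not code from the NCC-CSIRT statement or from the researchers it cites.
# Assumptions (constructed for this example): $KnownVulnerableDrivers holds
# only the driver the advisory names, and "loaded from outside
# %SystemRoot%\System32\drivers" is a heuristic, not a verdict.

$KnownVulnerableDrivers = @('RTCore64.sys')   # constructed; extend from a vetted blocklist

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName mirrors the service ImagePath, which may be
    # \??\C:\..., \SystemRoot\..., system32\drivers\..., or already a full path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\' -or $p -match '^\\system32\\') {
        $p = Join-Path $env:SystemRoot ($p.TrimStart('\'))
    }
    return $p
}

function Get-LoadedDriverReport {
    # Kernel drivers are exposed as services; State 'Running' means the image is loaded.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverImagePath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip paths we cannot resolve
            $leaf = Split-Path -Path $path -Leaf
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $reasons = @()
            if ($KnownVulnerableDrivers -contains $leaf) { $reasons += 'known vulnerable driver name' }
            if ($path -notlike "$env:SystemRoot\System32\drivers\*") { $reasons += 'loaded from outside System32\drivers' }
            [pscustomobject]@{
                Name            = $_.Name
                Path            = $path
                SignatureStatus = $sig.Status          # 'Valid' is expected for a BYOVD driver
                Signer          = $sig.SignerCertificate.Subject
                SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Flagged         = ($reasons.Count -gt 0)
                Reason          = ($reasons -join '; ')
            }
        }
}

function Get-DriverBlocklistControls {
    # Would the platform itself have refused the driver? HVCI and Microsoft's
    # vulnerable driver blocklist. A value of 2 in SecurityServicesRunning means HVCI is on.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blValue = $ci.VulnerableDriverBlocklistEnable
    $blState = if ($null -eq $blValue) { 'Not set (OS default applies)' } elseif ($blValue -eq 1) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = $blState
    }
}

# Usage: review flagged drivers first, then confirm the platform controls.
Get-LoadedDriverReport | Where-Object Flagged | Format-Table Name, Path, SignatureStatus, Signer, Reason -AutoSize
Get-DriverBlocklistControls
```

Run it from an elevated PowerShell prompt. The output makes the same point as the paragraph above: a flagged RTCore64.sys will normally show SignatureStatus Valid, so a signature check alone cannot catch BYOVD; name or hash blocklists, HVCI, and the vulnerable driver blocklist are the controls that do.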