OXFORD, U.K. — Ottobre 4, 2022 —

Sophos, a global leader in next-generation cybersecurity, today announced that BlackByte, one of the newer, “heavy-hitter” ransomware gangs, has added a sophisticated “Bring Your Own Driver” technique to bypass more than 1,000 drivers used by industry Endpoint Detection and Response (EDR) products. Sophos details the attack tactics, techniques and procedures (TTPs) in the report, “Remove all the Callbacks – BlackByte Ransomware Disables EDR via RTCore64.sys Abuse.”

BlackByte, featured in a Secret Service and FBI special advisory earlier this year as a threat to critical infrastructure, reemerged in May from a brief hiatus with a new leak site and new extortion tactics. Now, it appears that the group has added new attack methods, as well. Specifically, they’ve been abusing a vulnerability in RTCorec6.sys, a graphics utility driver for Windows systems. This particular vulnerability allows them to communicate directly with the targeted system’s kernel, commanding it to disable callback routines used by EDR providers, as well as the ETW (Event Tracing for Windows) Microsoft-Windows-Threat-Intelligence-Provider. EDR vendors frequently use this feature to monitor the use of commonly maliciously abused API calls; if this feature is disabled, the EDR vendors that rely on this feature are also rendered ineffective.

“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous,” commented Christopher Budd, senior manager, threat research, Sophos.

BlackByte is not the only ransomware gang taking advantage of the “Bring Your Own Driver” to bypass security products. AvosLocker abused a vulnerability in a different driver to disable antivirus solutions in May.

“Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups. This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort. In fact, it appears that BlackByte pulled at least part of its EDR bypass implementation from the open-source tool EDRSandblast,” said Budd. “With criminals adopting work done by the offensive security industry, it’s critical for defenders to monitor new evasion and exploitation techniques and implement mitigations before these techniques become widely available on the cybercrime scene.”

To learn more about BlackByte's latest TTPs and how to keep systems safe, download the full report from Sophos.com.

Informazioni su Sophos

Sophos è un’azienda leader nell’ambito della cybersecurity e protegge 600.000 organizzazioni in tutto il mondo con una piattaforma basata sull’IA e servizi a cura di esperti. Sophos viene incontro alle esigenze delle organizzazioni, adattandosi al loro livello di maturità di sicurezza informatica e crescendo insieme ai clienti per tutelarli dai cyberattacchi. La sua soluzione offre la combinazione ottimale tra machine learning, automazione e dati di intelligence sulle minacce in tempo reale, aggiungendo le competenze umane degli esperti del team Sophos X-Ops, che lavorano in prima linea per garantire monitoraggio, rilevamento e risposta alle minacce 24/7.
Sophos offre un servizio di Managed Detection and Response (MDR) leader di settore, nonché una linea completa di tecnologie di sicurezza, tra cui soluzioni per la protezione di endpoint, rete, e-mail e cloud, nonché Extended Detection and Response (XDR), rilevamento delle minacce all’identità (Identity Threat Detection and Response, ITDR) e SIEM next-gen. Unite a servizi di consulenza a cura di esperti, queste funzionalità aiutano le organizzazioni a ridurre proattivamente il rischio e a rispondere in maniera più tempestiva, ottenendo il giusto livello di visibilità e scalabilità richiesto per tenersi un passo avanti rispetto a minacce in continua evoluzione.
La strategia go-to-market di Sophos si basa su un ecosistema di Partner che include Managed Service Provider (MSP), Managed Security Service Provider (MSSP), Rivenditori e Distributori, integrazioni per il marketplace, e Partner Cyber Risk; questa strategia offre alle organizzazioni la flessibilità di scegliere come stabilire rapporti di fiducia per la protezione della loro attività.  Sophos ha sede a Oxford, nel Regno Unito. Ulteriori informazioni sono disponibili su www.sophos.it.