This article is the first installment of a series exploring bring-your-own-vulnerable-driver (BYOVD) attacks. Watch for Part 2 next week.

Microsoft might be in a difficult situation when it comes to bring-your-own-vulnerable-driver (BYOVD) attacks. Threat actors, particularly ransomware groups, have increasingly used the BYOVD technique over the past year to disable security products in a targeted network: they find a driver that is vulnerable to attack and then drop it on a system of interest.

The problem was brought to light by a recent attack reported by Huntress researchers, in which threat actors weaponized a driver from Guardian Software's EnCase digital forensics suite.
The driver's certificate was revoked by Guardian after it expired in 2010.
How might loading a driver with a revoked certificate be useful? According to Jakub Soucek, senior malware researcher at ESET, "it doesn't make sense. When the certificate is revoked, it indicates that the software driver's issuer or actual vendor took the required action to proactively revoke the driver after realizing there were some problems."

"Microsoft ought to implement a rule that restricts driver usage to the original intended application." Although many of the suggested enhancements will be challenging for Microsoft to execute, researchers contend that the BYOVD issue will only worsen.
Morgan explains, "I sympathize with Microsoft because it's a very tough problem, but I do think there are steps they can take."

## Temporary Solutions to the Long-Term BYOVD Issue

When vulnerable drivers are found in attacks like the most recent "Reynolds" ransomware campaign, Microsoft claims to take a number of steps to prevent their misuse. Researchers from the Carbon Black Threat Hunter Team and Symantec found that the threat actors had included a vulnerable NsecSoft NSecKrnl driver with the ransomware payload in that activity.
This is a blatant indication that cybercriminals are using the BYOVD technique. A Microsoft representative tells ZeroOwl, "We take customer security seriously and have established processes in place to help keep customers protected from vulnerable driver abuse."
"We assess the impact of these reports, collaborate with publishing partners to guarantee a fixed version is accessible, and employ Microsoft Defender's layered protections to lower risk while users update."
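As an added defender-side check (example code written for this article, not from Microsoft, Huntress or any vendor quoted above), the following PowerShell inventories the kernel drivers currently running on a Windows host and flags those whose Authenticode signature does not verify or whose signing certificate has already expired, the pattern the EnCase case above illustrates. It assumes an elevated session and only uses the built-in Win32_SystemDriver CIM class and Get-AuthenticodeSignature.

```powershell
# Added example: hunt for running kernel drivers with a non-verifying signature
# or an expired signing certificate. Run elevated on the host being examined.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName comes in several forms: \??\C:\...\foo.sys, \SystemRoot\System32\...,
    # or a bare system32\drivers\foo.sys. Normalise to an absolute path.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Name        = $d.Name
        Path        = $path
        Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($cert) { $cert.Subject } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # Expiry is tracked separately: a timestamped signature still reports Valid
        # after the certificate's NotAfter date has passed.
        CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

# Surface the drivers worth a second look: unsigned, tampered, or signed with an
# expired certificate. Oldest expiry dates sort first.
$findings |
    Where-Object { $_.Status -ne 'Valid' -or $_.CertExpired } |
    Sort-Object NotAfter |
    Format-Table Name, Status, CertExpired, NotAfter, Signer -AutoSize
```

An expired certificate with a valid countersignature timestamp still verifies as Valid, so the CertExpired column, not Status, is what separates a decade-old forensics driver from an ordinary in-box one; treat a hit as a lead for triage against the vendor's advisories and Microsoft's driver blocklist rather than as proof of abuse.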