After BYOB (Bring Your Own Bottle), there is another catchphrase rising and unlike the previous one, which has to do more with partying and celebrations, this one is posing itself as a new challenge for the cybersecurity mechanism.
The term is called BYOVD (Bring Your Own Valuable Driver), discovered by experts from cybersecurity firm Sophos. Using this, the threat actors can disable the anti-malware mechanism of the affected PCs/laptops/other computing devices.
Sophos, in its report, talked about a ransomware operating group BlackByte, which is taking advantage of a cyber vulnerability called CVE-2019-16098. This glitch has been discovered in software components RTCore64.sys and RTCore32.sys, often used by Taiwan-based Micro-Star’s MSI AfterBurner 4.6.2.15658.
The glitch is allowing authenticated users to perform functions such as reading and writing to arbitrary memory, resulting in privilege escalation and most importantly data theft. BlackByte has taken advantage of this and disabled over 1000 drivers which are the cybersecurity mechanisms used to keep the computing devices safe.
Recently, North Korean state-sponsored threat actor Lazarus Group used the BYOVD against American IT major Dell and has now approached Europe-based aerospace experts and political journalists with fake jobs Amazon offers. They are successfully evading the antivirus mechanisms as well.
To stop such recurring acts, Sophos has asked the IT company administrators to add RTCore64.sys and RTCore32.sys to an active blocklist and keep a watch over the new MSI drivers getting installed on the computing devices. Even regular audits of the network security endpoints have been advised as well.