Summary: The China-linked threat group “Silver Fox” abused the Truesight.sys anti-rootkit driver (shipped with Adlice’s RogueKiller) in bring-your-own-vulnerable-driver (BYOVD) attacks, compromising thousands of systems in Asia, primarily China. The driver’s flaw (it lets a caller terminate arbitrary processes, including security software) was already known, but version 2.0.2 remained loadable because its entry in Microsoft’s vulnerable driver blocklist carried the wrong hash, so Windows never actually blocked it. The attackers used the driver to disable security products and then deployed malware such as Gh0st RAT on victims’ devices.
Affected: Microsoft Windows Operating System, Adlice’s RogueKiller anti-malware program (Truesight.sys driver)
Key points:
- The Chinese group “Silver Fox” loaded the vulnerable Truesight.sys driver to launch BYOVD attacks and kill security software from kernel mode.
- The blocklist entry for driver version 2.0.2 carried the wrong TBS hash (the hash of the signing certificate’s to-be-signed portion, which WDAC rules use to identify a signer), so that version was never actually blocked and could still be loaded.
- Thousands of potentially exploitable signed drivers, both old and new, remain available to attackers, so hash-based blocklisting alone leaves BYOVD a significant and ongoing risk.
Source: https://www.darkreading.com/cyber-risk/silver-fox-byovd-attack-windows-blocklist