
ESET analyzes attacks on Windows kernels

pts20220113027 Technology/digitization, research/development

European IT security manufacturer publishes new research results

Jena (pts027/13.01.2022/14:30) – In its latest blog article, ESET Research publishes the results of its vulnerability analysis of signed Windows kernel drivers. According to the security experts, such drivers are increasingly being exploited by so-called APT groups (Advanced Persistent Threat) for targeted attacks on companies. The detailed technical analyses and effective defense techniques are now available as a blog post on WeLiveSecurity.


There are different types of kernel drivers in Microsoft Windows operating systems. While device drivers go through a strict development process with a focus on security, the situation is different for “software” drivers, for example those used to collect diagnostic data. Software errors and known vulnerabilities in such drivers are therefore actively exploited by malicious code developers and cyber attackers.

“If hackers want to get into the Windows kernel on x64 systems, the drivers must be signed. Signed but vulnerable drivers are a viable way to do this. This technique is known as Bring Your Own Vulnerable Driver, or BYOVD for short, and has been observed in the wild both in the hands of known APT actors and in common malware,” explains Peter Kálnai, Senior Malware Researcher at ESET.

At a Glance: “Signed Kernel Drivers – Unguarded Access to the Windows Kernel”

* The article provides a deep dive into kernel driver vulnerabilities.

* What is the Windows kernel? The kernel is the central component of the Windows operating system.

* What was discovered? ESET researchers have discovered vulnerabilities in three drivers.

* Who exploits these vulnerabilities? Cheat developers for computer games use vulnerabilities in signed drivers to circumvent the software manufacturers’ anti-cheat measures. At the same time, several APT groups and malware developers have also become active.

* What are successful methods? Bringing along an insecure driver of their own is proving to be a popular tactic for attackers – this technique is known as “Bring Your Own Vulnerable Driver” (BYOVD).

* What are known cases? BYOVD was used in attacks by the “Slingshot” and “InvisiMole” APT groups, the “RobbinHood” ransomware family – and LoJax, the first UEFI rootkit used in cybercrime.

* What are defense strategies? The ESET blog post details what countermeasures can be taken to protect against such attacks.

The results of the analysis are available on WeLiveSecurity: https://www.welivesecurity.com/deutsch/2022/01/13/signierte-kernel-fahrer-unbewachte-zugaenge-zum-windows-kern/
