{"id":402893,"date":"2022-10-07T21:50:51","date_gmt":"2022-10-07T23:50:51","guid":{"rendered":"https:\/\/teknomers.com\/fr\/blackbyte-ransomware-abuse-dun-pilote-windows-vulnerable-pour-desactiver-les-solutions-de-securite\/"},"modified":"2022-10-07T21:50:52","modified_gmt":"2022-10-07T23:50:52","slug":"blackbyte-ransomware-abuse-dun-pilote-windows-vulnerable-pour-desactiver-les-solutions-de-securite","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/blackbyte-ransomware-abuse-dun-pilote-windows-vulnerable-pour-desactiver-les-solutions-de-securite\/","title":{"rendered":"BlackByte Ransomware abuse d&#8217;un pilote Windows vuln\u00e9rable pour d\u00e9sactiver les solutions de s\u00e9curit\u00e9"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both\"><\/div>\n<p>Dans un autre cas d&#8217;attaque BYOVD (Apportez votre propre pilote vuln\u00e9rable), les op\u00e9rateurs du ran\u00e7ongiciel BlackByte exploitent une faille dans un pilote Windows l\u00e9gitime pour contourner les solutions de s\u00e9curit\u00e9.<\/p>\n<p>&#8220;La technique d&#8217;\u00e9vasion prend en charge la d\u00e9sactivation d&#8217;une liste \u00e9norme de plus de 1 000 pilotes sur lesquels les produits de s\u00e9curit\u00e9 s&#8217;appuient pour fournir une protection&#8221;, a d\u00e9clar\u00e9 Andreas Klopsch, chercheur sur les menaces chez Sophos. <a rel=\"nofollow noopener\" href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/04\/blackbyte-ransomware-returns\/\" target=\"_blank\">a dit<\/a> dans une nouvelle r\u00e9daction technique.<\/p>\n<p>BYOVD est un <a rel=\"nofollow noopener\" href=\"https:\/\/www.eset.com\/int\/about\/newsroom\/press-releases\/research\/esets-research-into-bring-your-own-vulnerable-driver-details-attacks-on-drivers-in-windows-core-1\/\" target=\"_blank\">techniques d&#8217;attaque<\/a> cela implique que les acteurs de la menace exploitent les vuln\u00e9rabilit\u00e9s des pilotes l\u00e9gitimes et sign\u00e9s pour r\u00e9ussir l&#8217;exploitation en mode noyau et prendre le contr\u00f4le des machines compromises.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/strike-d\" target=\"_blank\" title=\"DevOps backupy\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/La-nouvelle-vulnerabilite-Amazon-Ring-aurait-pu-exposer-tous-vos.png\" width=\"300\" height=\"250\" \/><\/a><\/div>\n<p>Les faiblesses des pilotes sign\u00e9s ont \u00e9t\u00e9 de plus en plus coopt\u00e9es par des groupes de menaces d&#8217;\u00c9tats-nations ces derni\u00e8res ann\u00e9es, notamment Slingshot, InvisiMole, APT28 et, plus r\u00e9cemment, le groupe Lazarus.<\/p>\n<div class=\"separator\" style=\"clear: both\"><img decoding=\"async\" alt=\"Pilote Windows\" border=\"0\" data-original-height=\"504\" data-original-width=\"728\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/10\/1665186651_219_BlackByte-Ransomware-abuse-dun-pilote-Windows-vulnerable-pour-desactiver-les.jpg\" title=\"Pilote Windows\" \/><\/div>\n<p>BlackByte, consid\u00e9r\u00e9 comme une \u00e9manation du groupe Conti, d\u00e9sormais abandonn\u00e9, fait partie des \u00e9quipes de cybercriminalit\u00e9 du grand jeu, qui se concentrent sur de grandes cibles de premier plan dans le cadre de son syst\u00e8me de ransomware-as-a-service (RaaS).<\/p>\n<p>Selon la firme de cybers\u00e9curit\u00e9, les r\u00e9centes attaques mont\u00e9es par le groupe ont profit\u00e9 d&#8217;une escalade de privil\u00e8ges et d&#8217;une faille d&#8217;ex\u00e9cution de code (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-16098\" target=\"_blank\">CVE-2019-16098<\/a>score CVSS : 7,8) affectant le pilote Micro-Star MSI Afterburner RTCore64.sys pour d\u00e9sactiver les produits de s\u00e9curit\u00e9.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/crowd-mid-d\" target=\"_blank\" title=\"CyberSecurity\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/Google-Cloud-bloque-une-attaque-DDoS-record-de-46-millions.png\" width=\"728\" height=\"90\" \/><\/a><\/div>\n<p>De plus, une analyse de la <a rel=\"nofollow noopener\" href=\"https:\/\/www.virustotal.com\/gui\/file\/9103194d32a15ea9e8ede1c81960a5ba5d21213de55df52a6dac409f2e58bcfe\" target=\"_blank\">exemple de ran\u00e7ongiciel<\/a> a d\u00e9couvert de multiples similitudes entre les <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Endpoint_detection_and_response\" target=\"_blank\">EDR<\/a> contourner l&#8217;impl\u00e9mentation et celle d&#8217;un outil open source bas\u00e9 sur C appel\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast\" target=\"_blank\">EDRSandblast<\/a>qui est con\u00e7u pour abuser des pilotes vuln\u00e9rables sign\u00e9s afin d&#8217;\u00e9chapper \u00e0 la d\u00e9tection.<\/p>\n<p>BlackByte est la derni\u00e8re famille de ran\u00e7ongiciels \u00e0 adopter la m\u00e9thode BYOVD pour atteindre ses objectifs, apr\u00e8s <a rel=\"nofollow noopener\" href=\"https:\/\/www.welivesecurity.com\/2022\/01\/11\/signed-kernel-drivers-unguarded-gateway-windows-core\/\" target=\"_blank\">RobbinHood<\/a> et AvosLocker, qui ont tous deux des bogues militaris\u00e9s dans gdrv.sys (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-19320\" target=\"_blank\">CVE-2018-19320<\/a>) et asWarPot.sys pour mettre fin aux processus associ\u00e9s au logiciel de protection des terminaux.<\/p>\n<p>Pour se prot\u00e9ger contre les attaques BYOVD, il est recommand\u00e9 de garder une trace des pilotes install\u00e9s sur les syst\u00e8mes et de s&#8217;assurer qu&#8217;ils sont \u00e0 jour, ou de choisir de bloquer les pilotes connus pour \u00eatre exploitables.<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/10\/blackbyte-ransomware-abuses-vulnerable.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dans un autre cas d&#8217;attaque BYOVD (Apportez votre propre pilote vuln\u00e9rable), les op\u00e9rateurs du ran\u00e7ongiciel BlackByte exploitent une faille dans un pilote Windows l\u00e9gitime pour contourner les solutions de s\u00e9curit\u00e9. &#8220;La technique d&#8217;\u00e9vasion prend en charge la d\u00e9sactivation d&#8217;une liste \u00e9norme de plus de 1 000 pilotes sur lesquels les produits de s\u00e9curit\u00e9 s&#8217;appuient pour [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":402894,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[10785,115145,4168,4158,4165,4161,24853,74,4157,4159,4171,4170,65,4167,4160,4163,4162,2017,185,4392,1835,4172,4169,8357,4166,4164,4891,45020],"class_list":["post-402893","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-abuse","tag-blackbyte","tag-comment-pirater","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-desactiver","tag-dun","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel-malveillant-de-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-pilote","tag-pour","tag-ransomware","tag-securite","tag-securite-informatique","tag-securite-internet","tag-solutions","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-vulnerable","tag-windows"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/402893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=402893"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/402893\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/402894"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=402893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=402893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=402893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}