Digging Up Ancient Relics, Turncloak Alert, Cyber Ninjas Arise, Ransomware Sentinels, MS Botnets Running Amok, and Major Oopsies. It's CISO Intelligence for Friday 28th February 2025.

Table of Contents

1. Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
2. Cyber Soldier or Treasonous Technician? The AT&T Hacking Saga
3. Red Teaming: Bringing Out the Inner Ninja in Your Cybersecurity Squad
4. Becoming Ransomware Ready: Why Continuous Validation Is Your Best Defense
5. Botnets Behaving Badly: Microsoft 365 Mayhem
6. Adobe & Oracle Slip-Up: Someone's About to Get Fired

Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign

“Because hacking into the past is still a winning strategy.”

What You Need to Know

In a recent discovery by Check Point Security, a campaign exploiting over 2,500 variants of a legacy driver, Truesight.sys, threatens systems worldwide. This exploitation leverages loopholes in Windows' driver signing policy, effectively bypassing security mechanisms. Organizations must urgently update their defenses to cope with this evolving threat vector.

CISO Focus: Vulnerability Management
Sentiment: Negative
Time to Impact: Immediate

Death from the Past: Exploiting Ancient Drivers

Check Point Security has uncovered a significant cyber threat campaign leveraging outdated drivers to infiltrate systems undetected. This campaign involves thousands of malicious samples deploying an EDR/AV killer module in its initial stages. By exploiting vulnerabilities in the Truesight.sys driver (specifically version 2.0.2), attackers bypass modern Windows security measures, exposing businesses to significant risks.

The Vulnerability

The attackers take advantage of an older version of Truesight.sys, which is the RogueKiller Antirootkit Driver. This version has a known vulnerability that adversaries exploit to subvert Windows driver signature policies. Despite updates, the vulnerable driver can still be loaded on the latest Windows OS, slipping through security barricades erected by initiatives like the LOLDrivers project.

Sophisticated Evasion Tactics

To further their breach attempts, criminals deploy over 2,500 different variants of the driver, each with unique hashes yet maintaining valid signatures. This subtler approach allows the attackers to remain undetected, as traditional cybersecurity tools fail to recognize these altered versions.

Attack Infrastructure and Distribution

The campaign is orchestrated primarily from a public cloud service situated in China's region, focusing its impact on Asia—and China predominantly—by using deceptive methods typical of phishing. These vector attacks often resemble reliable applications and penetrate systems utilizing common phishing channels like deceptive websites and malicious messaging app communications.

Immediate Responses and Mitigation

Upon detecting this threat, CPR reported this critical issue to Microsoft Security Response Center (MSRC), leading to the enhancement of Microsoft Vulnerable Driver Blocklist, which as of December 2024, now defends against all known exploited variants of the legacy driver.

The Historical Horror Show

The alarming revelation that despite advancements in security protocols, old vulnerabilities continue to pose significant threats, is a sobering reminder of cyber resilience gaps. With the increasing ingenuity in distribution methods and evasion techniques, vigilance is paramount.

Reviving the Ancient to Ambush the Modern

Using historical weak points like legacy drivers not only indicates a refined understanding of technological histories but also demonstrates how these points can be effectively used against unsuspecting targets. While it sheds light on cybersecurity’s evolving nature, it also questions preparedness levels against sophisticated future threats.

Vendor Diligence Questions

1. Does your driver update policy actively check for and remove legacy drivers with known vulnerabilities?
2. How do your current defenses identify and respond to variants of previously known threats?
3. What measures are in place to monitor, report, and update potentially vulnerable driver lists?

Action Plan

1. Immediate Risk Assessment:

   • Conduct a comprehensive audit for the presence of Truesight.sys and similar vulnerable drivers in the system.

2. Update & Patch Management:

   • Ensure all systems are updated according to the latest Microsoft Vulnerable Driver Blocklist.
   • Deploy essential patches for vulnerabilities identified, focusing on driver-related security loopholes.

3. Enhance Detection and Response Systems:

   • Update cybersecurity frameworks to improve detection capabilities for altered or maliciously signed drivers.
   • Incorporate advanced threat intelligence platforms to enhance monitoring for infrastructure vulnerability in real-time.

4. User Awareness & Phishing Simulation:

   • Initiate heightened awareness campaigns on the signs and prevention of phishing attacks.
   • Regularly conduct phishing simulations to assess employee readiness and awareness to adapt promptly to potential intrusions.

The Driver’s Seat

The discovery highlights the continuous battle between aging vulnerabilities and emerging threats. As attackers empty the utility belt of legacy tools, it’s imperative for security professionals to remain more agile and adapt strategies to outpace this incessant rerun from the past.

Source: https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/