Hackers exploit old EnCase driver to disable security tools

As reported by Bleeping Computer, attackers are abusing a legitimate but long-outdated EnCase kernel driver, whose signing certificate was revoked years ago, to build an "EDR killer" capable of disabling 59 different security tools. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), loads a properly signed driver with exploitable functionality so that the attacker's code gains kernel-level access and can terminate security software from there.

Researchers discovered a custom EDR killer disguised as a firmware update utility. The attackers first breached the network with compromised SonicWall SSL VPN credentials, taking advantage of the absence of multi-factor authentication, and then carried out aggressive internal reconnaissance. The EDR killer loads the "EnPortv.sys" driver, originally shipped with EnCase, whose signing certificate was issued in 2006 and revoked in 2010. Windows still accepts the driver for two reasons: kernel-mode driver signature validation does not consult Certificate Revocation Lists, so the revocation has no effect at load time, and Windows continues to accept drivers signed with certificates issued before July 29, 2015, so the driver is not caught by the newer signing requirements either. The driver is installed as a fake OEM hardware service for persistence; the killer then sends requests through the driver's IOCTL interface to terminate 59 targeted security processes. Because the termination happens in kernel mode, user-mode safeguards such as Protected Process Light, which only restrict what other user-mode processes may do to a protected process, do not apply.
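The following PowerShell is an added example, not tooling from the Bleeping Computer article or from the researchers, showing how to audit the kernel drivers already registered on a host for the two properties described above: a signer certificate issued before the July 29, 2015 cut-off, and a revocation status that the kernel-mode signature check never consults. It also flags driver services whose image sits outside %SystemRoot%\System32\drivers, the kind of fake hardware service the loader used for persistence. Assumptions: the session is elevated, the CA's CRL/OCSP endpoints are reachable for the online revocation check, and the cut-off date and path heuristic are triage rules chosen here, not a verdict.

```powershell
# Added example (not from the article or the researchers' tooling): audit registered
# kernel drivers for the conditions that let a revoked EnCase-era driver load.
# Assumptions: run elevated; CRL/OCSP endpoints reachable for the revocation check.

$CrossSignCutoff = Get-Date '2015-07-29'   # Windows keeps accepting drivers whose signing cert predates this
$DriversDir      = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverSignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $null }   # unsigned image: nothing to chain-check

    # Windows' kernel-mode signature check does not consult CRLs; do it explicitly here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # A 2006 certificate is long expired; ignore that so the revocation status is still reported.
    $chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $null = $chain.Build($sig.SignerCertificate)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Path               = $Path
        Signer             = $sig.SignerCertificate.Subject
        CertIssued         = $sig.SignerCertificate.NotBefore
        Grandfathered      = $sig.SignerCertificate.NotBefore -lt $CrossSignCutoff
        Revoked            = [bool]($statuses -match '\bRevoked\b')
        RevocationUnknown  = [bool]($statuses -match 'RevocationStatusUnknown|OfflineRevocation')
        AuthenticodeStatus = $sig.Status
    }
}

function Get-SuspectKernelDrivers {
    # Win32_SystemDriver lists every kernel-driver service, including ones not currently loaded.
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $svc.PathName) { continue }

        # Normalise the path forms the service database stores: \??\C:\..., \SystemRoot\..., System32\...
        $path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $info = Get-DriverSignerInfo -Path $path
        if (-not $info) { continue }

        # A "hardware" driver service whose image is not in System32\drivers is how the
        # EDR killer persisted; combined with a pre-2015 third-party cert it deserves a look.
        $outsideDriversDir = -not $path.StartsWith($DriversDir, [System.StringComparison]::OrdinalIgnoreCase)

        if ($info.Revoked -or ($info.Grandfathered -and $outsideDriversDir)) {
            [pscustomobject]@{
                Service           = $svc.Name
                DisplayName       = $svc.DisplayName
                State             = $svc.State
                StartMode         = $svc.StartMode
                Path              = $path
                Signer            = $info.Signer
                CertIssued        = $info.CertIssued
                Revoked           = $info.Revoked
                RevocationUnknown = $info.RevocationUnknown
                Grandfathered     = $info.Grandfathered
            }
        }
    }
}

Get-SuspectKernelDrivers | Format-Table -AutoSize
```

A `Revoked` hit is worth escalating regardless of where the file lives; a `Grandfathered` hit outside the drivers directory is a lead, since plenty of legitimate pre-2015 drivers exist. `RevocationUnknown` means the CRL or OCSP responder could not be reached, which is exactly the blind spot the kernel-mode check lives in permanently, so treat it as unresolved rather than as a pass.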

Recommendations include enabling multi-factor authentication for all remote access, monitoring VPN logs for anomalous logins, and enforcing memory integrity (hypervisor-protected code integrity, HVCI). Deploying Windows Defender Application Control (WDAC) policies and Attack Surface Reduction rules can additionally block known vulnerable signed drivers from loading and stop kernel services from masquerading as legitimate hardware components.
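The following PowerShell is an added example, not from the article, that checks and enforces the endpoint-side controls the recommendations name: memory integrity (HVCI), Microsoft's vulnerable driver blocklist (which ships as a WDAC policy), and the Microsoft Defender ASR rule "Block abuse of exploited vulnerable signed drivers". Assumptions: Microsoft Defender Antivirus is the active engine (the ASR rule is Defender-specific), the session is elevated, the hardware supports virtualization-based security, and the registry value names are the ones Microsoft documents for these settings. The VPN-side recommendations (MFA, log monitoring) are SonicWall configuration and are not covered here.

```powershell
# Added example (not from the article): audit and enforce the driver-side hardening controls.
# Assumptions: elevated session; Microsoft Defender AV active; VBS-capable hardware for HVCI.

$HvciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$CiConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$AsrVulnerableDrivers = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # ASR rule: Block abuse of exploited vulnerable signed drivers

function Get-AsrRuleAction {
    # Returns the configured action for one ASR rule GUID, as Defender exposes it via Get-MpPreference.
    param([Parameter(Mandatory)][string]$RuleId)
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $mp) { return 'Defender unavailable' }
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {
            $a = [int]$actions[$i]
            if ($names.ContainsKey($a)) { return $names[$a] } else { return "Unknown($a)" }
        }
    }
    'Not configured'
}

function Get-DriverHardeningState {
    # Win32_DeviceGuard reports what is actually running; the registry reports what is configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciRunning          = [bool]($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
        HvciConfigured       = (Get-ItemProperty -Path $HvciKey  -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
        VulnDriverBlocklist  = (Get-ItemProperty -Path $CiConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable -eq 1
        AsrVulnerableDrivers = Get-AsrRuleAction -RuleId $AsrVulnerableDrivers
    }
}

function Enable-DriverHardening {
    # ASR rule in block mode; Add-MpPreference merges with rules that are already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrVulnerableDrivers -AttackSurfaceReductionRules_Actions Enabled

    # Microsoft's vulnerable driver blocklist (a WDAC policy); takes effect after a reboot.
    New-ItemProperty -Path $CiConfig -Name VulnerableDriverBlocklistEnable -PropertyType DWord -Value 1 -Force | Out-Null

    # Memory integrity (HVCI); needs a reboot. Locked=0 leaves it manageable from the OS.
    if (-not (Test-Path -Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    New-ItemProperty -Path $HvciKey -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $HvciKey -Name Locked  -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-DriverHardeningState
```

Run `Get-DriverHardeningState` before and after `Enable-DriverHardening` (and after the reboot the last two settings require). The blocklist and the ASR rule only stop drivers Microsoft has catalogued or Defender recognises as abused, so neither replaces auditing what is already registered on the host; HVCI is the control that also constrains what an already-loaded vulnerable driver can do.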

Source: Bleeping Computer