A sophisticated attack employing the Legacy Driver Exploitation technique has emerged as a significant cybersecurity threat, according to a recent security report. The attackers utilize a modified TrueSight.sys driver to bypass Microsoft's driver blocking system, enabling them to forcibly terminate security processes such as antivirus and endpoint detection and response (EDR) systems.

The attack, first documented in June 2024 by Check Point Research (CPR), primarily focuses on remotely controlling infected systems using GhOstRAT malware while evading detection mechanisms.

ASEC analysts identified that the core of this attack revolves around exploiting vulnerabilities in the TrueSight.sys driver, a component of the RogueKiller Antirootkit developed by Adlice Software. While Microsoft added vulnerable TrueSight.sys versions to its Vulnerable Driver Blocklist, version 2.0.2.0 received an exemption because it was signed before July 29, 2015.

Attackers exploited this loophole by employing certificate area tampering to create multiple files masquerading as the legitimate TrueSight 2.0.2.0 version. Windows does not validate this padding area during certificate verification, allowing tampered files to appear legitimately signed and successfully bypass validation through WinVerifyTrust.

Microsoft updated its Vulnerable Driver Blocklist on December 17, 2024, to address this threat. Organizations should apply the latest security updates and conduct regular vulnerability analyses to protect against these sophisticated attacks targeting core system security components.
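Because every tampered copy carries the same valid signature but a different file hash, hash- or version-based blocklists alone will not find them; a defender can instead inspect the one region the signature check ignores. The following script is an added example, not code from the article, ASEC, Check Point or Microsoft: it walks a PE file's attribute certificate table (the WIN_CERTIFICATE entries referenced by data directory index 4, as laid out in the PE/COFF specification), measures how many bytes follow the DER-encoded PKCS#7 blob in each entry, and reports entries whose tail is longer than the normal 8-byte alignment padding or contains non-zero data. The "suspicious" threshold is a hunting heuristic of my own, and the sample certificate tables are constructed inline so the check runs without a real driver on disk.

```python
"""Flag Authenticode certificate-table entries that carry unverified trailing bytes.

Added example (not from the article, ASEC, Check Point or Microsoft). A hit is
a lead for analysts, not proof of tampering: signing tools legitimately pad
each entry to an 8-byte boundary, so only tails of 8+ bytes or non-zero tails
are reported.
"""
from __future__ import annotations

import struct
import sys

SECURITY_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob: bytes) -> int:
    """Return header+content length of the outer DER SEQUENCE (the PKCS#7 blob)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate body does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def analyze_cert_table(table: bytes) -> list[dict]:
    """Walk WIN_CERTIFICATE entries and measure the bytes after each PKCS#7 blob."""
    findings = []
    off = 0
    while off + 8 <= len(table):
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        length, revision, ctype = struct.unpack_from("<IHH", table, off)
        if length < 8 or off + length > len(table):
            raise ValueError("truncated WIN_CERTIFICATE entry")
        body = table[off + 8:off + length]
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            der_len = der_total_length(body)
            tail = body[der_len:]         # bytes the signature check never covers
            findings.append({
                "offset": off,
                "revision": revision,
                "declared_length": length,
                "der_length": der_len,
                "tail_length": len(tail),
                "tail_nonzero": any(tail),
                # heuristic: anything beyond alignment padding, or non-zero padding
                "suspicious": len(tail) >= 8 or any(tail),
            })
        off += (length + 7) & ~7          # entries are 8-byte aligned
    return findings


def read_cert_table(path: str) -> bytes:
    """Locate the attribute certificate table in a PE file (standard library only)."""
    with open(path, "rb") as f:
        data = f.read()
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt_off = e_lfanew + 4 + 20            # after PE signature and COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    # for the security directory, the first field is a file offset, not an RVA
    file_off, size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR_INDEX)
    if size == 0:
        return b""
    return data[file_off:file_off + size]


def sample_table(tail: bytes) -> bytes:
    """Constructed test input: one entry holding a tiny stand-in DER blob plus `tail`."""
    fake_pkcs7 = b"\x30\x03\x02\x01\x05"   # SEQUENCE { INTEGER 5 } -- a placeholder blob
    body = fake_pkcs7 + tail
    return struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in analyze_cert_table(read_cert_table(sys.argv[1])):
            print(hit)
    else:  # demo on constructed tables: normal padding vs. a stuffed padding area
        print(analyze_cert_table(sample_table(b"\x00" * 3)))
        print(analyze_cert_table(sample_table(b"\x00" * 3 + b"A" * 16)))
```

Run it against a copy of each driver file you are hunting for (`python cert_tail.py C:\path\to\driver.sys`, where the script name is my own); a reported entry is worth pairing with the file's hash, version resource and signer before deciding whether it belongs to the tampered family described above.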
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 16:20:51 +0000