The BYOVD Attack That Should Keep You Up at Night (Plus Other Weekly Security Wake-Up Calls)
I’ve been digging into this week’s security incidents, and there’s one that really caught my attention – not just because of what happened, but because of how it happened. The new Osiris ransomware attack on a Southeast Asian food service company is a perfect example of how attackers are getting creative with legitimate tools to slip past our defenses.
When Legitimate Drivers Become Weapons
The Osiris ransomware campaign used something called a “bring your own vulnerable driver” (BYOVD) attack. If you haven’t encountered this technique yet, here’s the scary part: the attackers brought along a malicious driver called POORTRY specifically to disable security software before deploying their ransomware.
Think about it – they’re essentially using the operating system’s own trust mechanisms against us. Windows trusts signed drivers, so attackers find vulnerable but legitimately signed drivers, exploit them, and suddenly they have kernel-level access to do whatever they want. It’s like giving someone your house key because they’re wearing a uniform, except the uniform is stolen.
What makes this particularly concerning is that this isn’t some sophisticated zero-day exploit. This is attackers understanding our security model better than we do and finding ways to work within it. The food service company probably had endpoint protection running, but once that POORTRY driver was loaded, it was game over.
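Since the page's point is that the driver was signed and loaded normally, the detection angle is not "is it signed?" but "where did it come from, is its hash on a published vulnerable-driver list, and did security software go quiet right after it loaded?". The following script is an added example, not code from the post or from the reporting it links to: it parses constructed Sysmon-style DriverLoad (Event ID 6) records and service-stop records, and the blocklist hash, the driver paths and the service name ExampleEDRService are placeholders I made up for the demonstration (WinDefend is the real Defender service name). It generalizes slightly beyond the POORTRY case by applying the same checks to any loaded driver.

```python
"""Flag suspicious kernel driver loads and correlate them with security-service stops.

Added example for this roundup: the records below are constructed, the blocklist
entry is a placeholder, and the key=value layout imitates Sysmon's DriverLoad
(Event ID 6) rendering rather than any particular vendor's export format.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for a vulnerable-driver hash list (Microsoft's vulnerable
# driver blocklist and the LOLDrivers project publish real ones). PLACEHOLDER only.
BLOCKLISTED_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}

# Directories legitimate drivers are normally loaded from (lower-cased for comparison).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Endpoint-protection services we expect to stay running (ExampleEDRService is assumed).
PROTECTED_SERVICES = {"ExampleEDRService", "WinDefend"}

# Sysmon-style "Key=value" text; values may contain spaces ("Signature=Microsoft Windows"),
# so a value runs until the next " Key=" token or the end of the line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_TS = "%Y-%m-%d %H:%M:%S"


@dataclass
class Finding:
    image: str
    loaded_at: datetime
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict with stripped values."""
    return {k: v.strip() for k, v in _KV.findall(line)}


def sha256_of(event: dict[str, str]) -> str:
    """Sysmon packs hashes as 'SHA256=..,MD5=..'; pull out the SHA256 part."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.upper() == "SHA256":
            return value.strip()
    return ""


def assess_driver_load(event: dict[str, str]) -> Finding:
    """Apply the BYOVD-oriented checks to one DriverLoad record."""
    image = event.get("ImageLoaded", "")
    finding = Finding(image=image, loaded_at=datetime.strptime(event["UtcTime"], _TS))
    if sha256_of(event) in BLOCKLISTED_SHA256:
        finding.reasons.append("hash on vulnerable-driver blocklist")
    # A valid signature is exactly what BYOVD relies on, so "signed" does not mean
    # clean; an unsigned or invalid driver is simply an even stronger signal.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        finding.reasons.append("unsigned or invalid signature")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        finding.reasons.append("loaded from unusual path")
    return finding


def correlate_service_stops(findings, service_events, window=timedelta(seconds=120)):
    """Add a reason when a protected service stops shortly after a driver load.

    Driver load followed by security software going quiet is the sequence the
    post describes for POORTRY-style defence evasion.
    """
    for f in findings:
        for ev in service_events:
            if ev.get("ServiceName") not in PROTECTED_SERVICES or ev.get("State") != "stopped":
                continue
            stopped_at = datetime.strptime(ev["UtcTime"], _TS)
            if f.loaded_at <= stopped_at <= f.loaded_at + window:
                delay = int((stopped_at - f.loaded_at).total_seconds())
                f.reasons.append(f"{ev['ServiceName']} stopped {delay}s after load")
    return findings


def triage(driver_lines, service_lines):
    """Return only the driver loads that produced at least one reason."""
    findings = [assess_driver_load(parse_event(line)) for line in driver_lines]
    correlate_service_stops(findings, [parse_event(line) for line in service_lines])
    return [f for f in findings if f.reasons]


# Constructed sample telemetry (not from the incident).
DRIVER_LINES = [
    "UtcTime=2024-05-01 10:00:00 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Hashes=SHA256=AAAA1111 Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2024-05-01 10:05:00 EventID=6 ImageLoaded=C:\\Users\\Public\\tmp\\helper.sys Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER Signed=true Signature=Example Publisher Ltd SignatureStatus=Valid",
    "UtcTime=2024-05-01 10:09:00 EventID=6 ImageLoaded=C:\\Windows\\Temp\\x.sys Hashes=SHA256=BBBB2222 Signed=false Signature=- SignatureStatus=Unavailable",
]
SERVICE_LINES = [
    "UtcTime=2024-05-01 10:05:30 ServiceName=ExampleEDRService State=stopped",
    "UtcTime=2024-05-01 10:30:00 ServiceName=Spooler State=stopped",
]

if __name__ == "__main__":
    for f in triage(DRIVER_LINES, SERVICE_LINES):
        print(f.image, "->", "; ".join(f.reasons))
```

Run against the sample records, ndis.sys passes every check and is dropped, helper.sys is flagged on the blocklisted hash, the unusual path and the EDR service stopping 30 seconds later, and x.sys is flagged as unsigned and mis-located. The correlation window is the part worth tuning: too short and a slow service teardown slips past, too long and routine restarts produce noise.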
The Global Confidence Crisis
Speaking of things that should worry us, there’s some sobering data coming out of Latin America that I think reflects a broader global problem. According to the World Economic Forum’s latest findings, cybersecurity professionals in Latin America have the least confidence in their countries’ ability to defend critical infrastructure.
Now, before we get too comfortable thinking this is just a regional issue, ask yourself: how confident are you in your organization’s readiness for a coordinated attack on critical systems? Because I’ve seen plenty of companies in supposedly “cyber-mature” regions that are one phishing email away from a very bad day.
The skills gap is real everywhere. We’re all dealing with the same fundamental problem – the attack surface is growing faster than our ability to defend it, and we’re trying to solve a people problem with technology.
Zero-Days Still Pack a Punch
While we’re talking about immediate threats, Cisco just patched CVE-2026-20045, a critical vulnerability in Unified Communications products and Webex that was being actively exploited in the wild. CVSS score of 8.2, unauthenticated remote code execution – basically an attacker’s dream.
If you’re running Cisco UC or Webex Calling Dedicated Instance, this should be at the top of your patching queue. The fact that it was being exploited as a zero-day means someone out there already has working exploit code, and you can bet it’s going to spread.
This is one of those vulnerabilities that reminds us why we maintain those emergency patching procedures that everyone complains about. When something like this drops, especially with active exploitation, you’ve got hours, not days, to respond.
The Mundane Threats That Actually Get Us
Here’s what really struck me about this week’s threat roundup – most attacks aren’t using fancy new techniques. They’re using “familiar systems behaving exactly as designed, just in the wrong hands.”
That phrase should be printed on a poster in every SOC. We spend so much time looking for the exotic threats that we miss the obvious ones. Ordinary files, routine services, trusted workflows – these are what’s actually compromising our networks.
The report mentions something that really resonates: “how little friction attackers now need.” We’ve made it easier for legitimate users to access systems and data, which is great for productivity. But we’ve also made it easier for attackers who can masquerade as legitimate users.
Getting Back to Basics (Especially in the Cloud)
That brings me to something we all need to hear more often: securing Google Workspace isn’t just about enabling two-factor authentication and calling it a day. Fast-growing companies especially tend to optimize for speed over security, and then we inherit these environments and try to retrofit security controls.
The challenge is that in cloud environments like Google Workspace, the security model is fundamentally different. We’re not protecting a perimeter anymore – we’re protecting data and identities that could be accessed from anywhere, by anyone, at any time. The traditional “trust but verify” model becomes “never trust, always verify,” and that requires a completely different approach to access controls, monitoring, and incident response.
What This Means for Us
Looking at these incidents together, I see a pattern: attackers are getting better at working within our security models rather than around them. They’re using legitimate tools maliciously (BYOVD attacks), exploiting our trust relationships (zero-days in widely deployed software), and taking advantage of the complexity we’ve created in our own environments.
Our response can’t just be more tools and more complexity. We need to get better at understanding our own systems, maintaining visibility into what’s actually happening, and being able to respond quickly when things go wrong.
The Osiris ransomware attack succeeded because the attackers understood the target environment well enough to bring the right tools to disable defenses. The Cisco zero-day worked because attackers found a way to execute code without authentication. These aren’t failures of technology – they’re failures of security architecture and operational readiness.
We need to be asking ourselves: do we understand our environments as well as the attackers do? And are we ready to respond when they inevitably find a way in?
Sources
- New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack
- Latin American Orgs Lack Confidence in Cyber Defenses, Skills
- ThreatsDay Bulletin: Pixel Zero-Click, Redis RCE, China C2s, RAT Ads, Crypto Scams & 15+ Stories
- Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex
- Filling the Most Common Gaps in Google Workspace Security