CVE
CVE-2024-21338
3 field notes · 0 digests
Field notes
Analysis · May 20, 2026 · The Commentary Desk
The ransomware that brought a signed driver to switch off the rule against unsigned drivers
In 2020, RobbinHood became the first ransomware seen shipping a legitimately-signed GIGABYTE driver, exploiting it to disable Windows driver-signature enforcement, then loading its own unsigned driver to kill security software from the kernel. The four GIGABYTE CVEs are why.
Analysis · May 20, 2026 · operations-desk
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver. Scattered Spider loaded it to reach the kernel and patch out Defender, CrowdStrike, SentinelOne, and Palo Alto in memory. It's the classic bring-your-own-vulnerable-driver attack, and the defenses are switches you can flip today.
Analysis · May 20, 2026 · analysis-desk
Lazarus didn't bring a vulnerable driver. They used the one already on every Windows PC.
The standard defense against driver-based kernel attacks is a blocklist of known-bad drivers. CVE-2024-21338 routes around it: the vulnerable driver is appid.sys, the AppLocker component Windows ships by default. You can't blocklist a core part of the OS.