Akira ransomware gang observed exploiting CPU driver to disable security software
Hackers caught using Bring Your Own Vulnerable Driver attack to exploit SonicWall firewall devices.
Analysts at multiple cyber security firms recently warned of affiliates of the Akira ransomware gang targeting an unknown vulnerability in SonicWall Gen 7 Firewalls, but now we know exactly how the hackers are going about it.
Researchers at GuidePoint Security’s Research and Intelligence Team, also known as GRIT, have observed an Akira affiliate taking advantage of a pair of common Windows drivers to evade anti-virus and endpoint protection tools once they’ve managed to gain initial access to networks protected by SonicWall’s firewalls.
“… based on several GuidePoint Incident Response cases in recent months, we have detected the repeated use of two Windows drivers by Akira affiliates,” GRIT said in an August 5 blog post.
“These drivers have almost certainly been used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain.”
Baddy drivers
rwdrv.sys is a legitimate driver for ThrottleStop, a utility designed to monitor and tune an Intel CPU’s performance and capable of CPU throttling. GRIT believes that Akira’s affiliates are registering it as a service in order to gain kernel access to a device.
The second driver, hlpdrv.sys, is a similar service that can modify the DisableAntiSpyware settings of Windows Defender.
“We assess that the legitimate rwdrv.sys driver may be used to enable the execution of the malicious hlpdrv.sys driver, though we have been unable to reproduce the exact mechanism of action at this time,” GRIT said.
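The two indicators the article gives, a kernel driver registered as a service and a changed Windows Defender DisableAntiSpyware value, can be checked on a host with a short hunt script. This is an added example, not code from the article or from GuidePoint; the registry key locations, the use of System log event 7045 (service installation) and matching on the driver file name alone are assumptions of this example.

```powershell
# Added example (not from the article or GuidePoint): hunt for the two driver
# names reported by GRIT and for a DisableAntiSpyware value in the Defender keys.
# Matching on the image file name alone is an assumption; attackers may rename files.
$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
$findings = @()

# Kernel drivers load as services; Win32_SystemDriver lists them with their image path.
foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    if ([string]::IsNullOrEmpty($d.PathName)) { continue }
    $leaf = (Split-Path -Path $d.PathName -Leaf).ToLower()
    if ($suspectDrivers -contains $leaf) {
        $findings += [pscustomobject]@{
            Check = 'DriverService'; Detail = $d.Name
            Where = $d.PathName;     Value  = "$($d.State)/$($d.StartMode)"
        }
    }
}

# System log event 7045 records a service installation even if the service was removed later.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
foreach ($e in $installs) {
    foreach ($name in $suspectDrivers) {
        if ($e.Message -match [regex]::Escape($name)) {
            $findings += [pscustomobject]@{
                Check = 'ServiceInstallEvent'; Detail = $name
                Where = 'System/7045';        Value  = $e.TimeCreated
            }
        }
    }
}

# DisableAntiSpyware: the policy key wins; the product key is a second place to look (assumed paths).
$defenderKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender'
)
foreach ($key in $defenderKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains 'DisableAntiSpyware')) {
        $findings += [pscustomobject]@{
            Check = 'DefenderRegistry'; Detail = 'DisableAntiSpyware'
            Where = $key;               Value  = $props.DisableAntiSpyware
        }
    }
}

if ($findings.Count -eq 0) { 'No matching driver services, install events or DisableAntiSpyware values found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session, since Win32_SystemDriver paths and the System log are only fully readable as administrator; a hit on any row is a reason to pull the driver file and the service's creation time for further triage.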
Cyber security firm Huntress tracked around 20 attacks targeting SonicWall devices between 25 July and 3 August, all of which ended with ransomware being deployed on the target network.
“This isn’t isolated; we’re seeing this alongside our peers at Arctic Wolf, Sophos and other security firms,” Huntress said in an August 4 blog post.
“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.