- Experts warn Akira is using SonicWall VPNs to deploy two drivers
- One is a legitimate, vulnerable driver that allows the other one to be executed
- The other one disables antivirus and endpoint protection tools
Akira ransomware has dominated the headlines recently due to its abuse of SonicWall SSL VPNs to gain initial access and deploy an encryptor.
However, while initial access is important, it is still not enough to infect a device, especially if it’s protected by an antivirus or an endpoint detection and response (EDR) solution.
Now, security researchers from Guidepoint Security believe they have seen exactly how Akira disables security solutions, which allows them to drop the ransomware.
A handful of targets
In a recent report, researchers from Guidepoint outlined how Akira is engaged in a bring-your-own-vulnerable-driver (BYOVD) attack, using the initial access to drop two drivers, one of which is legitimate.
“The first driver, rwdrv.sys, is a legitimate driver for ThrottleStop. This Windows-based performance tuning and monitoring utility is primarily designed for Intel CPUs,” the researchers explained. “It is often used to override CPU throttling mechanisms, improve performance, and monitor processor behavior in real time.”
The second driver, hlpdrv.sys, is registered as a service, but when executed it modifies the DisableAntiSpyware setting of Windows Defender in the system registry.
“We assess that the legitimate rwdrv.sys driver may be used to enable the execution of the malicious hlpdrv.sys driver, though we have been unable to reproduce the exact mechanism of action at this time,” the experts said.
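As an added example, not part of the article or the Guidepoint report, the following PowerShell triage check looks for the two indicators described above on a suspect host: driver services whose image is rwdrv.sys or hlpdrv.sys, and the DisableAntiSpyware value under the Windows Defender registry keys. The file names come from the article; the registry paths and cmdlets are the standard Windows Defender ones, and the script assumes an elevated session.

```powershell
# Added defender-side triage check (not code from the article or the report).
# Assumptions: driver file names taken from the article; registry paths are the
# standard Windows Defender policy and product keys; run as Administrator.

$driverNames = @('rwdrv.sys', 'hlpdrv.sys')

# 1. Kernel driver services whose image path ends in one of the two file names.
#    Both drivers were observed registered as services, so Win32_SystemDriver
#    is the natural place to look.
$suspectDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object {
        $_.PathName -and
        ([IO.Path]::GetFileName($_.PathName.Trim('"')).ToLower() -in $driverNames)
    } |
    Select-Object Name, State, StartMode, PathName

# 2. DisableAntiSpyware in both the policy key and the product key.
#    The value normally does not exist at all; 1 turns Windows Defender off.
$registryPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender'
)
$disableFlags = foreach ($p in $registryPaths) {
    $v = Get-ItemProperty -Path $p -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        [pscustomobject]@{ Path = $p; DisableAntiSpyware = $v.DisableAntiSpyware }
    }
}

# 3. Live Defender state. Tamper Protection is the control that blocks this
#    kind of registry change, so its state is worth recording alongside the rest.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

"--- Driver services matching rwdrv.sys / hlpdrv.sys ---"
if ($suspectDrivers) { $suspectDrivers | Format-Table -AutoSize } else { "none found" }

"--- DisableAntiSpyware registry values ---"
if ($disableFlags) { $disableFlags | Format-Table -AutoSize } else { "value not present (expected)" }

"--- Windows Defender status ---"
if ($mp) {
    [pscustomobject]@{
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        TamperProtected    = $mp.IsTamperProtected
    } | Format-List
} else { "Get-MpComputerStatus unavailable (Defender not installed or service stopped)" }
```

A hit in section 1 or a DisableAntiSpyware value of 1 in section 2 on a host that should have Defender running is a reason to isolate the machine and pull the driver binaries for analysis rather than simply re-enable Defender.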
Multiple researchers have observed attacks coming from SonicWall SSL VPNs, and since some of the affected instances were fully patched, they speculated that the threat actors could be exploiting a zero-day vulnerability.
However, in a statement shared with TechRadar Pro, SonicWall said that the criminals were actually exploiting an n-day vulnerability.
“Based on current findings, we have high confidence that this activity is related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015, not a new zero-day or unknown vulnerability,” the company said.
“The affected population is small, fewer than 40 confirmed cases, and appears to be linked to legacy credential use during migrations from Gen 6 to Gen 7 firewalls. We’ve issued updated guidance, including steps to change credentials and upgrade to SonicOS 7.3.0, which includes enhanced MFA protections.”
Via BleepingComputer