- Experts warn that Akira is using SonicWall VPNs for initial access and then deploying two drivers
- One is a legitimate but vulnerable driver that allows the other to run
- The other disables antivirus and endpoint protection tools
Akira ransomware has recently dominated the headlines due to its abuse of SonicWall SSL VPNs to gain initial access and deploy its encryptor.
Although initial access is important, it is still not enough to infect a device, especially one protected by an antivirus or an endpoint detection and response (EDR) solution.
Now, security researchers at GuidePoint Security believe they have seen exactly how Akira disables those security solutions so that it can drop the ransomware.
A handful of targets
In a recent report, researchers from GuidePoint outlined how Akira carries out a Bring Your Own Vulnerable Driver (BYOVD) attack, using its initial access to drop two drivers, one of which is legitimate.
“The first driver, RWDRV.SYS, is a legitimate driver for ThrottleStop. This Windows-based performance tuning and monitoring utility is primarily designed for Intel CPUs,” the researchers explained. “It is often used to override the CPU throttling mechanisms, improve performance and monitor processor behavior in real time.”
The other driver, HLPDRV.SYS, is registered as a service, but when executed it modifies settings in the Windows Registry to disable Windows Defender.
“We believe that the legitimate RWDRV.SYS driver can be used to enable the execution of the malicious HLPDRV.SYS driver, although we have not been able to reproduce the exact mechanism of action at this time,” the experts said.
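A defender-side illustration of how the two-driver chain described above could be surfaced from endpoint telemetry, as an added example that is not from the GuidePoint report or this article: it correlates a constructed Sysmon-style log in which only the driver names come from the page, while the log format, the Defender policy registry path and the 30-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Driver names come from the GuidePoint report quoted above; the log format,
# the registry path and the timestamps below are constructed for this example.
KNOWN_VULNERABLE = {"rwdrv.sys"}   # legitimate ThrottleStop driver abused as the BYOVD enabler
SUSPECT_PAYLOAD = {"hlpdrv.sys"}   # second driver that flips Defender settings
DEFENDER_KEY_FRAGMENT = "\\windows defender\\"  # any registry key under the Defender policy tree

# Constructed Sysmon-like line: "<ISO ts> EID=<id> | Field=value | Field=value"
LINE_RE = re.compile(r"^(\S+) EID=(\d+) \| (.*)$")

def parse(line):
    """Return (timestamp, event_id, fields) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, eid, rest = m.groups()
    fields = {}
    for kv in rest.split("|"):
        key, _, value = kv.strip().partition("=")
        fields[key] = value
    return datetime.fromisoformat(ts), int(eid), fields

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_byovd_chain(lines, window=timedelta(minutes=30)):
    """Alert when a known-vulnerable driver load (Sysmon EID 6) is followed within
    `window` by a suspect driver load or a Defender registry write (Sysmon EID 13)."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for ts, eid, f in events:
        if eid != 6 or basename(f.get("ImageLoaded", "")) not in KNOWN_VULNERABLE:
            continue
        for ts2, eid2, f2 in events:
            if not ts <= ts2 <= ts + window:
                continue
            if eid2 == 6 and basename(f2.get("ImageLoaded", "")) in SUSPECT_PAYLOAD:
                alerts.append(("second_driver", basename(f2["ImageLoaded"]), ts2))
            elif eid2 == 13 and DEFENDER_KEY_FRAGMENT in f2.get("TargetObject", "").lower():
                alerts.append(("defender_registry", f2["TargetObject"], ts2))
    return alerts

SAMPLE_LOG = r"""
2024-08-01T10:00:00 EID=6 | ImageLoaded=C:\Windows\Temp\rwdrv.sys | Signed=true
2024-08-01T10:01:10 EID=6 | ImageLoaded=C:\Windows\Temp\hlpdrv.sys | Signed=false
2024-08-01T10:01:15 EID=13 | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware | Details=DWORD (0x00000001)
2024-08-01T12:00:00 EID=6 | ImageLoaded=C:\Windows\System32\drivers\ntfs.sys | Signed=true
""".strip().splitlines()

if __name__ == "__main__":
    for kind, what, when in find_byovd_chain(SAMPLE_LOG):
        print(f"[{when}] {kind}: {what}")
```

The unrelated ntfs.sys load two hours later falls outside the window and is not reported, which is the point of correlating on the vulnerable-driver load rather than alerting on any driver event.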
Several researchers have observed attacks coming through SonicWall SSL VPNs, and because some of the affected devices were fully patched, they speculated that the threat actors could be exploiting a zero-day vulnerability.
In a statement shared with TechRadar Pro, however, SonicWall said the criminals were actually exploiting an N-day vulnerability.
“Based on current findings, we have high confidence that this activity is related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015, not a new zero-day or unknown vulnerability,” the company said.
“The affected population is small, fewer than 40 confirmed cases, and appears to be linked to legacy credentials carried over during migrations from Gen 6 to Gen 7 firewalls. We have issued updated guidance, including steps for changing credentials and upgrading to SonicOS 7.3.0, which includes improved MFA protection.”
Via BleepingComputer