- Experts warn Akira uses SonicWall VPN access to deploy two drivers
- One is a legitimate but vulnerable driver that allows the other to run
- The other disables antivirus and endpoint protection tools
Akira ransomware has dominated the headlines recently because of its abuse of SonicWall SSL VPNs to gain initial access and deploy an encryptor.
However, although initial access is important, it is not enough on its own to infect a device, especially one protected by antivirus or an endpoint detection and response (EDR) solution.
Now, researchers at GuidePoint Security believe they have seen exactly how Akira disables security solutions, allowing it to drop its ransomware.
A handful of targets
In a recent report, GuidePoint researchers described how Akira carries out a bring-your-own-vulnerable-driver (BYOVD) attack using two drivers, one of which is legitimate.
“The first driver, RWDRV.SYS, is a legitimate driver for ThrottleStop. This Windows-based performance tuning and monitoring utility is designed mainly for Intel processors,” the researchers explained. “It is often used to override CPU throttling mechanisms, improve performance and monitor CPU behavior in real time.”
The second driver, HLPDRV.SYS, is registered as a service, and when executed it modifies the DisableAntiSpyware setting of Windows Defender in the system registry.
“We assess that the legitimate rwdrv.sys driver may be used to enable execution of the malicious hlpdrv.sys driver, although we were unable to reproduce the exact mechanism of action,” the researchers said.
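A host-side hunting check for the indicators described above, added here as an example and not part of the original article or of GuidePoint's report. It uses only the two driver filenames and the DisableAntiSpyware value named in the text; the service names, search directories and the Defender policy registry path are assumptions (the path is the standard Windows location for that policy value).

```powershell
# Added example: hunt for the Akira BYOVD indicators on a single Windows host.
# Run in an elevated PowerShell session. Driver filenames come from the report;
# service names are unknown, so matching is done on the driver binary path.
$driverNames = @('rwdrv.sys', 'hlpdrv.sys')
$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed kernel driver services whose binary is one of the two drivers.
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $file = [IO.Path]::GetFileName($_.PathName.Trim('"')).ToLowerInvariant()
        if ($driverNames -contains $file) {
            $findings.Add("driver service '$($_.Name)' -> $($_.PathName) (state: $($_.State))")
        }
    }
}

# 2. Copies of either driver on disk (search locations are an assumption).
$searchRoots = @("$env:SystemRoot\System32\drivers", "$env:ProgramData", "$env:TEMP")
foreach ($name in $driverNames) {
    Get-ChildItem -Path $searchRoots -Recurse -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("file on disk: $($_.FullName)") }
}

# 3. Service Control Manager event 7045 (a new service was installed), last 7 days,
#    mentioning either driver name.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message.ToLowerInvariant(); $driverNames | Where-Object { $m.Contains($_) } } |
    ForEach-Object {
        $first = ($_.Message -split "`n" | Select-Object -First 1)
        $findings.Add("service install event 7045 at $($_.TimeCreated): $first")
    }

# 4. The tamper target named in the report: DisableAntiSpyware set under the
#    Defender policy key (assumed standard path).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$v = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($v -and $v.DisableAntiSpyware -eq 1) {
    $findings.Add("DisableAntiSpyware=1 at $policyKey (Defender disabled by policy)")
}

if ($findings.Count -eq 0) { Write-Output 'No Akira BYOVD indicators found on this host.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on item 4 alone is also produced by legitimate third-party AV installs, so treat it as a pivot point and correlate it with items 1 to 3 before escalating.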
Several researchers have observed attacks on SonicWall SSL VPNs, and because some of the compromised devices were fully patched, they speculated that the threat actors might be exploiting a zero-day vulnerability.
However, in a statement shared with TechRadar Pro, SonicWall said the attackers were actually exploiting an already-known vulnerability.
“Based on current findings, we have high confidence that this activity is linked to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015, and not to a new zero-day or unknown vulnerability,” the company said.
“The affected population is small, fewer than 40 confirmed cases, and appears to be linked to the use of legacy credentials carried over during Gen 6 to Gen 7 migrations.”
Via BleepingComputer