Hackers have been caught using a bring-your-own-vulnerable-driver (BYOVD) attack to exploit SonicWall firewall devices.
Analysts at multiple cyber security firms recently warned of affiliates of the Akira ransomware gang targeting an unknown vulnerability in SonicWall Gen 7 Firewalls, but now we know exactly how the hackers are going about it.
Researchers at GuidePoint Security’s Research and Intelligence Team, also known as GRIT, have observed an Akira affiliate taking advantage of a pair of common Windows drivers to evade anti-virus and endpoint protection tools once they’ve managed to gain initial access to networks protected by SonicWall’s firewalls.
“... based on several GuidePoint Incident Response cases in recent months, we have detected the repeated use of two Windows drivers by Akira affiliates,” GRIT said in a 5 August blog post.
“These drivers have almost certainly been used to facilitate AV/EDR evasion or disablement through a bring-your-own-vulnerable-driver (BYOVD) exploitation chain.”
Baddy drivers
Rwdrv.sys is a legitimate driver for ThrottleStop, a utility designed to monitor and tune an Intel CPU’s performance and capable of CPU throttling. GRIT believes that Akira’s affiliates are registering it as a service in order to gain kernel access to a device.
The second driver, hlpdrv.sys, is a similar service that can modify the DisableAntiSpyware settings of Windows Defender.
“We assess that the legitimate rwdrv.sys driver may be used to enable the execution of the malicious hlpdrv.sys driver, though we have been unable to reproduce the exact mechanism of action at this time,” GRIT said.
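As an added illustration that is not part of this article or of GRIT's report, the following Python applies the two indicators described above to constructed Windows event records: a kernel-mode driver service being installed (System log Event ID 7045) under either of the named driver files, and a Sysmon registry event (Event ID 13) setting the Defender DisableAntiSpyware value. The driver names are those in the report; the registry path is the standard Defender policy location, and the sample events are constructed, not real telemetry.

```python
import re

# Driver file names GRIT reported in the Akira BYOVD chain (matched case-insensitively on basename).
WATCHED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Defender policy value the article says hlpdrv.sys is used to modify.
DEFENDER_VALUE = "DisableAntiSpyware"

# 'Key: value' lines from a Windows event message body (System 7045 and Sysmon 13 both use this layout).
_FIELD = re.compile(r"^(Service Name|Service File Name|Service Type|TargetObject|Details):\s*(.*)$", re.M)

def parse_fields(message):
    return {k: v.strip() for k, v in _FIELD.findall(message)}

def check_event(event_id, message):
    """Return a finding string if the event matches one of the two indicators, else None."""
    f = parse_fields(message)
    if event_id == 7045:  # System log: a service was installed
        path = f.get("Service File Name", "")
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in WATCHED_DRIVERS and "kernel" in f.get("Service Type", "").lower():
            return f"kernel driver service '{f.get('Service Name')}' loads watched driver {name} from {path}"
    elif event_id == 13:  # Sysmon: registry value set
        target = f.get("TargetObject", "")
        if target.rsplit("\\", 1)[-1].lower() == DEFENDER_VALUE.lower() and "0x00000001" in f.get("Details", ""):
            return f"Defender {DEFENDER_VALUE} set to 1 via {target}"
    return None

def scan(events):
    """events: iterable of (event_id, message); returns the list of findings in order."""
    return [r for r in (check_event(i, m) for i, m in events) if r]

# Constructed sample events (not real telemetry): one benign service install, the two drivers, one registry change.
SAMPLE_EVENTS = [
    (7045, "A service was installed in the system.\nService Name:  VendorUpdater\n"
           r"Service File Name:  C:\Program Files\Vendor\updater.exe" "\nService Type:  user mode service\n"),
    (7045, "A service was installed in the system.\nService Name:  rwdrv\n"
           r"Service File Name:  C:\Windows\Temp\rwdrv.sys" "\nService Type:  kernel mode driver\n"),
    (7045, "A service was installed in the system.\nService Name:  hlpdrv\n"
           r"Service File Name:  C:\ProgramData\hlpdrv.sys" "\nService Type:  kernel mode driver\n"),
    (13, "Registry value set:\nEventType: SetValue\n"
         r"TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware" "\nDetails: DWORD (0x00000001)\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Either indicator on its own is weak (ThrottleStop is legitimately installed on many workstations), so a service install of these drivers from an unusual path shortly followed by the Defender policy change is the pairing worth alerting on.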
Cyber security firm Huntress tracked around 20 attacks targeting SonicWall devices between 25 July and 3 August, all of which ended with ransomware being deployed on the target network.
“This isn’t isolated; we’re seeing this alongside our peers at Arctic Wolf, Sophos and other security firms,” Huntress said in a 4 August blog post.
“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.