Akira Ransomware Gang Exploits CPU Drivers to Bypass Security
Introduction to the Cyber Threat
Recent reports from cybersecurity experts have shed light on the Akira ransomware gang, known for its innovative tactics. These hackers have been observed executing a specific type of attack called a bring-your-own-vulnerable-driver (BYOVD) exploit, particularly targeting SonicWall firewall devices.
How the Attack Works
The Akira affiliates are leveraging an unknown vulnerability present in SonicWall Gen 7 firewalls. Analysts from GuidePoint Security’s Research and Intelligence Team (GRIT) have detailed the methodologies used by these hackers to compromise network security. Notably, once they gain initial access to networks safeguarded by SonicWall firewalls, they employ two common Windows drivers to circumvent antivirus protections and endpoint security measures.
According to GRIT, their analysis identified consistent use of these drivers in various incident response scenarios. This strategy highlights a notable shift in the attack landscape, where attackers utilize existing software components to disable security features.
The Exploited Drivers
Rwdrv.sys and Hlpdrv.sys
The two drivers under scrutiny are rwdrv.sys and hlpdrv.sys.
- Rwdrv.sys is a legitimate driver shipped with ThrottleStop, a utility for tuning Intel CPU performance. Akira's affiliates register this signed driver as a Windows service to obtain kernel-level access, which is what lets them disable or evade security tools.
- Hlpdrv.sys functions similarly and can alter the DisableAntiSpyware setting of Windows Defender. The suspicion is that rwdrv.sys facilitates the operation of hlpdrv.sys, although researchers have not yet pinpointed the exact mechanics of this process.
GRIT’s findings indicate that these techniques provide a stealthy means of gaining deeper access to systems while eluding traditional security protocols.
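The two indicators the article gives a defender to work with are a kernel driver named rwdrv.sys or hlpdrv.sys being registered as a service, and Windows Defender's DisableAntiSpyware policy being flipped on. The following is an added detection sketch, not code from GRIT, Huntress or the article: it parses a handful of constructed event records (modelled loosely on System log event 7045, "service installed", and Sysmon event 13, "registry value set") and flags those two indicators, plus a broader heuristic for any kernel driver service whose image lives outside the usual drivers directory. The simplified `key=value|key=value` record format, the sample paths and the `example_driver.sys` name are assumptions made for the example; the Defender policy path is the standard `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` location, which the article does not spell out.

```python
"""Flag BYOVD indicators described in the Akira/SonicWall reporting.

Added example. Event lines are constructed, not real log data; the
record format is a simplified stand-in for Windows event log fields.
"""
import ntpath
from dataclasses import dataclass

# Driver file names named in the reporting (matched case-insensitively).
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Standard Defender policy value; the article only says the setting is
# "altered", so the exact key is an assumption for this example.
DEFENDER_POLICY_VALUE = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
)

# Constructed sample events: three should fire a finding, two should not,
# and the last exercises the broader "driver outside System32\drivers" check.
SAMPLE_EVENTS = [
    r"EventID=7045|ServiceName=rwdrv|ImagePath=C:\Windows\Temp\rwdrv.sys|ServiceType=kernel mode driver",
    r"EventID=13|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|Details=DWORD (0x00000001)",
    r"EventID=7045|ServiceName=hlpdrv|ImagePath=C:\Users\Public\hlpdrv.sys|ServiceType=kernel mode driver",
    r"EventID=7045|ServiceName=Spooler|ImagePath=C:\Windows\System32\spoolsv.exe|ServiceType=user mode service",
    r"EventID=13|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware|Details=DWORD (0x00000000)",
    r"EventID=7045|ServiceName=example|ImagePath=C:\Windows\Temp\example_driver.sys|ServiceType=kernel mode driver",
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    detail: str


def parse_event(line: str) -> dict:
    """Split a 'key=value|key=value' record into a dict of string fields."""
    fields = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_service_install(ev: dict) -> list:
    """Event 7045: a new service was registered; look at the driver image."""
    image = ev.get("ImagePath", "")
    name = ntpath.basename(image).lower()
    is_kernel = "kernel" in ev.get("ServiceType", "").lower()
    in_drivers_dir = image.lower().startswith(r"c:\windows\system32\drivers")
    if name in SUSPECT_DRIVERS:
        return [Finding(7045, "known-abused driver registered as service", image)]
    if is_kernel and not in_drivers_dir:
        # Heuristic, not from the article: legitimate drivers are normally
        # installed under System32\drivers, so a kernel driver service
        # pointing elsewhere deserves a look.
        return [Finding(7045, "kernel driver service outside drivers directory", image)]
    return []


def check_registry_set(ev: dict) -> list:
    """Event 13: a registry value was written; watch the Defender policy."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if target.lower() == DEFENDER_POLICY_VALUE.lower() and "0x00000001" in details:
        return [Finding(13, "Defender DisableAntiSpyware policy set to 1", target)]
    return []


def analyze(lines) -> list:
    """Run every record through the matching check and collect findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        try:
            event_id = int(ev.get("EventID", "0"))
        except ValueError:
            continue
        if event_id == 7045:
            findings.extend(check_service_install(ev))
        elif event_id == 13:
            findings.extend(check_registry_set(ev))
    return findings


def correlated(findings) -> bool:
    """True when a driver finding and a Defender-tampering finding co-occur,
    which is the pairing the article describes."""
    reasons = {f.reason for f in findings}
    return any("driver" in r for r in reasons) and any(
        "DisableAntiSpyware" in r for r in reasons
    )


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.event_id}] {f.reason}: {f.detail}")
    print("driver install + Defender tampering seen together:", correlated(found))
```

In a real deployment the `parse_event` step would be replaced by whatever the SIEM or EDR exposes for event 7045 and Sysmon event 13; the two checks and the correlation rule are the part worth keeping, since neither the driver name nor the registry write is conclusive on its own, but the pair matches the sequence GRIT describes.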
Frequency of Attacks and Impact
Huntress, another cybersecurity firm, tracked approximately 20 different attacks against SonicWall devices between July 25 and August 3. Alarmingly, all these attempts ended with the deployment of ransomware on the affected networks. The collective findings from firms like Huntress, Arctic Wolf, and Sophos underscore the serious nature of this threat.
The speed and effectiveness of these attacks—despite the presence of multi-factor authentication (MFA)—strongly suggest that a zero-day vulnerability is being actively exploited.
Conclusion
The activities of the Akira ransomware gang illustrate a concerning trend in cybercrime, where attackers utilize legitimate tools to disable security measures and infiltrate networks. This BYOVD approach emphasizes the need for organizations to remain vigilant, implement rigorous security protocols, and regularly update their systems to safeguard against these evolving threats.