- Experts warn Akira is using SonicWall VPNs to deploy two drivers
- One is a legitimate, vulnerable driver that allows the other one to be executed
- The other one disables antivirus and endpoint protection tools
Akira ransomware has dominated the headlines recently due to its abuse of SonicWall SSL VPNs to gain initial access and deploy an encryptor.
However, while initial access is important, it is still not enough to infect a device, especially if it’s protected by an antivirus, or an endpoint protection and response solution (EDR).
Now, security researchers from Guidepoint Security believe they have seen exactly how Akira disables security solutions, which allows them to drop the ransomware.
A handful of targets
In a recent report, researchers from Guidepoint outlined how Akira is engaged in a bring-your-own-vulnerable-driver (BYOD) attack, using the initial access to drop two drivers, one of which is legitimate.
“The first driver, rwdrv.sys, is a legitimate driver for ThrottleStop. This Windows-based performance tuning and monitoring utility is primarily designed for Intel CPUs,” the researchers explained. “It is often used to override CPU throttling mechanisms, improve performance, and monitor processor behavior in real time.”
The second driver, hlpdrv.sys is registered as a service but when executed, it modifies the DisableAntiSpyware settings of Windows Defender within the system registry.
“We assess that the legitimate rwdrv.sys driver may be used to enable the execution of the malicious hlpdrv.sys driver, though we have been unable to reproduce the exact mechanism of action at this time,” the experts said.
Multiple researchers have observed attacks coming from SonicWall SSL VPN’s, and since some of the instances were fully patched, they have speculated the threat actors could be exploiting a zero-day vulnerability.
However, in a statement shared with TechRadar Pro, SonicWall said that the criminals were actually exploiting an n-day vulnerability.
“Based on current findings, we have high confidence that this activity is related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015, not a new zero-day or unknown vulnerability,” the company said.
“The affected population is small, fewer than 40 confirmed cases, and appears to be linked to legacy credential use during migrations from Gen 6 to Gen 7 firewalls. We’ve issued updated guidance, including steps to change credentials and upgrade to SonicOS 7.3.0, which includes enhanced MFA protections.”
Via BleepingComputer
