- Experts warn that Akira is using SonicWall VPN access to deploy two drivers
- One is a legitimate but vulnerable driver that allows the other to be executed
- The other disables antivirus and endpoint protection tools
The Akira ransomware has recently dominated the headlines for abusing SonicWall SSL VPN appliances to obtain initial access and deploy its encryptor.
However, initial access, while important, is not enough to infect a device, especially one protected by antivirus or an endpoint detection and response (EDR) solution.
Now, researchers at GuidePoint Security believe they have seen exactly how Akira disables security solutions, which lets the attackers release the ransomware.
A handful of targets
In a recent report, GuidePoint researchers described how Akira carries out a bring-your-own-vulnerable-driver (BYOVD) attack, using its initial access to drop two drivers, one of which is legitimate.
“The first driver, rwdrv.sys, is a legitimate driver for ThrottleStop. This Windows-based performance-tuning and monitoring utility is designed mainly for Intel CPUs,” the researchers explained. “It is often used to override CPU throttling mechanisms, improve performance and monitor processor behavior in real time.”
The second driver, hlpdrv.sys, is registered as a service, but when executed it modifies the Windows Defender disable settings in the registry.
“We assess that the legitimate driver rwdrv.sys can be used to enable execution of the malicious driver hlpdrv.sys, although we have not been able to reproduce the exact mechanism of action at this time,” the experts said.
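A defender-side hunt for the two indicators the report names, written as an added example (not GuidePoint's or the article's code) and run over constructed Windows event records: a kernel-driver service install (System log event 7045) whose image is rwdrv.sys or hlpdrv.sys, and a registry write (Sysmon event 13) that sets a Windows Defender policy Disable* value. The event field names are simplified, and the Defender policy key path is an assumption, since the article does not name the registry location.

```python
"""Hunt constructed event records for the Akira BYOVD pattern described above."""
import re

# Driver file names named in the GuidePoint report (matched case-insensitively).
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumed location of the Defender tamper: any Disable* value under the policy key.
DEFENDER_DISABLE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Disable\w+$", re.I)

# Constructed sample records (not from a real incident); fields are simplified.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "rwdrv", "image": r"\??\C:\Windows\Temp\rwdrv.sys", "type": "kernel mode driver"},
    {"id": 7045, "service": "hlpdrv", "image": r"C:\Windows\Temp\hlpdrv.sys", "type": "kernel mode driver"},
    {"id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "type": "user mode service"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "details": "DWORD (0x00000001)"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Example\Setting", "details": "DWORD (0x00000001)"},
]


def driver_file_name(image_path):
    """Reduce an ImagePath such as \\??\\C:\\Windows\\Temp\\rwdrv.sys to rwdrv.sys."""
    path = image_path.strip('"').replace("\\??\\", "")
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return one alert string per record matching the BYOVD or Defender-tamper pattern."""
    alerts = []
    for ev in events:
        if ev.get("id") == 7045 and "kernel" in ev.get("type", "").lower():
            name = driver_file_name(ev.get("image", ""))
            if name in BYOVD_DRIVERS:
                alerts.append(f"driver service {ev.get('service')!r} loads {name}")
        elif ev.get("id") == 13 and DEFENDER_DISABLE.search(ev.get("target", "")):
            # A DWORD value of 1 turns the Disable* policy on.
            if ev.get("details", "").endswith("(0x00000001)"):
                alerts.append(f"Defender policy tamper: {ev['target']} set to 1")
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```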
Multiple researchers have observed attacks coming through SonicWall SSL VPN, and since some of the affected appliances were fully patched, they speculated that the threat actors might be exploiting a zero-day vulnerability.
However, in a statement shared with TechRadar Pro, SonicWall said the criminals were exploiting an n-day vulnerability.
“Based on current findings, we have high confidence that this activity is related to CVE-2024-40766, which was previously disclosed and documented in our public advisory SNWLID-2024-0015, not a new zero-day or unknown vulnerability,” the company said.
“The affected population is small, fewer than 40 confirmed cases, and appears to be linked to the use of legacy credentials during Gen 6 to Gen 7 migrations.”
Via BleepingComputer