Affiliates of the Akira ransomware group have been observed abusing a legitimate CPU-tuning driver to disable security software, extending the tactics they use once inside a network.

Analysts at several cyber security firms have recently warned that affiliates of the Akira ransomware gang are exploiting what is suspected to be a previously unknown vulnerability in SonicWall Gen 7 firewalls. Researchers from GuidePoint Security's Research and Intelligence Team (GRIT) have identified that, after gaining initial access to networks behind those firewalls, the affiliates load two Windows drivers to get past anti-virus and endpoint protection tools. The finding describes the post-access tradecraft rather than the firewall issue itself, and is a reminder that the driver-abuse stage is where defenders still have a chance to detect the intrusion.

In a blog post dated 5 August, GRIT noted that the Akira affiliates have repeatedly used two specific Windows drivers to evade anti-virus and endpoint detection and response (EDR) systems through the bring-your-own-vulnerable-driver (BYOVD) technique. The first driver, rwdrv.sys, is a legitimate, signed component of ThrottleStop, a utility for monitoring and tuning Intel CPU performance; the affiliates register it as a kernel-mode service, and its normal function of raw hardware access is what gives them kernel-level read and write capability. The second driver, hlpdrv.sys, is the payload that rides on that access: when executed it modifies the DisableAntiSpyware setting of Windows Defender, a value that lives under the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender policy key. The technique works because a driver with a valid signature loads without tripping driver signature enforcement, so the only things standing in the way are Microsoft's vulnerable driver blocklist and whatever the EDR knows about the driver's name and hash. One caveat for defenders: Microsoft deprecated DisableAntiSpyware in 2020 and current Windows 10 and 11 builds with tamper protection are meant to ignore it, so the registry write is a useful indicator of intent, but the service installation of an out-of-place kernel driver is the more reliable thing to hunt for.
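The two behaviours GRIT describes, a kernel-driver service being installed and Defender's DisableAntiSpyware value being set, both leave ordinary Windows telemetry behind. The following is an added hunting example written for this article; it is not GRIT's code and not part of the original post. It runs detection logic over constructed Windows event records shaped like System log Event ID 7045 (service installed) and Sysmon Event ID 13 (registry value set). The service names, file locations and the writing process in the sample records are illustrative assumptions, as is the rule that legitimate kernel drivers live under %SystemRoot%\System32\drivers with SystemRoot taken to be C:\Windows.

```python
"""Hunt for the two BYOVD behaviours described above in Windows event records.

Constructed records stand in for:
  * System log Event ID 7045 (a new service was installed), which records the
    ServiceName, ImagePath and ServiceType of a driver registered via
    sc.exe / CreateService;
  * Sysmon Event ID 13 (registry value set), which records the process that
    wrote a value, the TargetObject key path and the new Details.
"""
import re
from dataclasses import dataclass

# Driver file names called out in the GRIT report (rwdrv.sys is the signed
# ThrottleStop driver, hlpdrv.sys the driver that flips DisableAntiSpyware).
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumption for this example: legitimate kernel drivers live under
# %SystemRoot%\System32\drivers; anything else is worth a look.
DRIVERS_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    detail: str


def normalise_path(raw: str) -> str:
    """Turn the forms seen in 7045 ImagePath into an absolute Win32 path.

    Drivers are commonly registered as \\??\\C:\\..., \\SystemRoot\\System32\\...
    or a bare System32\\drivers\\...; SystemRoot is assumed to be C:\\Windows.
    """
    p = raw.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    elif p.lower().startswith("system32\\"):
        p = "C:\\Windows\\" + p
    return p


def check_service_install(evt: dict) -> list[Finding]:
    """Flag kernel-driver service installs by known name or unusual location."""
    if evt.get("EventID") != 7045:
        return []
    if evt.get("ServiceType", "").lower() != "kernel mode driver":
        return []  # user-mode services are out of scope for BYOVD
    image = normalise_path(evt.get("ImagePath", ""))
    basename = image.rsplit("\\", 1)[-1].lower()
    where = f"service {evt.get('ServiceName')!r} -> {image}"
    if basename in SUSPECT_DRIVERS:
        return [Finding(7045, "kernel driver named in Akira BYOVD reporting", where)]
    if not DRIVERS_DIR.match(image):
        return [Finding(7045, "kernel driver loaded from outside System32\\drivers", where)]
    return []


def check_registry_set(evt: dict) -> list[Finding]:
    """Flag a write that sets Defender's DisableAntiSpyware policy value to 1."""
    if evt.get("EventID") != 13:
        return []
    target = evt.get("TargetObject", "")
    if target.lower() != (DEFENDER_POLICY_KEY + "\\DisableAntiSpyware").lower():
        return []
    # Sysmon renders DWORD values as e.g. "DWORD (0x00000001)".
    m = re.search(r"dword \(0x([0-9a-f]+)\)", evt.get("Details", ""), re.I)
    if m and int(m.group(1), 16) == 1:
        return [Finding(13, "Windows Defender DisableAntiSpyware set to 1",
                        f"{evt.get('Image')} wrote {target}")]
    return []


def hunt(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for evt in events:
        findings += check_service_install(evt)
        findings += check_registry_set(evt)
    return findings


# Constructed sample records (not real telemetry): service names, paths and the
# writing process are illustrative assumptions.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "rwdrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\rwdrv.sys"},
    {"EventID": 7045, "ServiceName": "hlpdrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\Temp\hlpdrv.sys"},
    {"EventID": 7045, "ServiceName": "tune", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\ProgramData\tune.sys"},                   # unknown name, odd path
    {"EventID": 7045, "ServiceName": "benign", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\benign.sys"},   # normal location
    {"EventID": 7045, "ServiceName": "Updater", "ServiceType": "user mode service",
     "ImagePath": r"C:\Users\Public\updater.exe"},               # not a driver
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": DEFENDER_POLICY_KEY + r"\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foo",
     "Details": r"C:\foo.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}: {f.detail}")
```

Run against the sample set it reports the two named drivers, the unknown driver loaded from C:\ProgramData, and the DisableAntiSpyware write, and stays quiet on the driver in System32\drivers, the user-mode service and the unrelated registry write. The location heuristic deliberately fires on unknown driver names, because the next campaign will not reuse rwdrv.sys; in production, feed it the parsed event channels rather than the constructed list and tune the allowed directories to your own build.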

Categories: Cybersecurity Threats, Ransomware Tactics, Vulnerability Exploitation 

Tags: Akira, Ransomware, Vulnerability, SonicWall, Firewalls, Drivers, Evasion, Access, Exploitation, Security 
