Attackers abuse a legitimate Intel CPU tuning driver to disable Windows 11's built-in antivirus; users are advised to watch for this tactic.
In a concerning development, a new wave of cyber attacks has been making headlines: the Akira ransomware is exploiting a legitimate Intel CPU tuning driver to bypass security protections.
The abused driver is rwdrv.sys, a component used by the ThrottleStop CPU tuning utility. Attackers register this driver as a system service, which gives them kernel-level access to the machine. They then use that access to load a second, malicious driver named hlpdrv.sys. Once running, hlpdrv.sys modifies the Windows Registry, specifically the DisableAntiSpyware value under the Microsoft Defender policy settings, which switches off Defender's key protections.
This method, known as a Bring Your Own Vulnerable Driver (BYOVD) attack, uses legitimate, digitally signed drivers with known security flaws to elevate privileges and circumvent security solutions. Here the threat actors exploit vulnerable IOCTL handlers in the legitimate rwdrv.sys driver to gain unauthorized kernel memory access and privileges.
With Microsoft Defender disabled, the ransomware runs its encryption routine unimpeded, which raises the attack's chance of success. The same technique has also been linked to other malicious activity, including credential theft, lateral movement, and the repeated termination of multiple security processes to keep the attack environment clear of defences.
To defend against such attacks, monitor for indicators of compromise (IoCs) and suspicious activity associated with Akira ransomware: the presence and execution of the rwdrv.sys and hlpdrv.sys drivers, unusual service registrations, and registry changes to Defender settings. Applying the YARA rules and filters published by security researchers can also help detect use of these vulnerable drivers and the associated malicious behaviour.
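As an added illustration of the monitoring just described (not code from the article or from any vendor), the following Python sketch runs the three detection ideas over constructed Sysmon-style events: service registration or kernel load of rwdrv.sys or hlpdrv.sys, and a DisableAntiSpyware write under the Defender policy key, correlated per host. The full registry path, the event field names and the sample log are assumptions.

```python
import json
import re
from collections import defaultdict

# Driver file names taken from the article; match on file name only, since the
# path an attacker drops the driver to will vary between intrusions.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Assumed full key: the standard Defender policy location for DisableAntiSpyware
# (the article names only the value, not the key it lives under).
DEFENDER_DISABLE_RE = re.compile(
    r"\\policies\\microsoft\\windows defender\\disableantispyware$", re.IGNORECASE)

# Constructed sample telemetry in JSON-lines form (Sysmon-style fields), not real logs.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "ws01", "event": "service_install", "image": r"C:\Temp\rwdrv.sys"},
    {"host": "ws01", "event": "driver_load", "image": r"C:\Temp\hlpdrv.sys"},
    {"host": "ws01", "event": "registry_set", "value": "1",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"host": "ws02", "event": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "ws02", "event": "registry_set", "value": "0",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
])

def classify(event):
    """Return the detection tags a single event triggers (empty list if benign)."""
    tags = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if event["event"] == "service_install" and image in SUSPECT_DRIVERS:
        tags.append("suspect_driver_service")  # vulnerable driver registered as a service
    if event["event"] == "driver_load" and image in SUSPECT_DRIVERS:
        tags.append("suspect_driver_load")  # kernel load of one of the named drivers
    if (event["event"] == "registry_set" and event.get("value") == "1"
            and DEFENDER_DISABLE_RE.search(event.get("target", ""))):
        tags.append("defender_disable")  # DisableAntiSpyware flipped on
    return tags

def analyze(log_text):
    """Correlate tags per host: driver abuse plus a Defender kill is high severity."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        event = json.loads(line)
        per_host[event["host"]].update(classify(event))
    findings = {}
    for host, tags in per_host.items():
        if not tags:
            continue  # host produced only benign events
        driver_abuse = tags & {"suspect_driver_service", "suspect_driver_load"}
        severity = "high" if driver_abuse and "defender_disable" in tags else "medium"
        findings[host] = {"severity": severity, "tags": sorted(tags)}
    return findings
```

Feeding real telemetry means mapping your EDR or Sysmon fields onto the `event`, `image` and `target` keys used here; a lone driver-load hit stays at medium because ThrottleStop users load rwdrv.sys legitimately.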
It's also crucial to block the execution or loading of untrusted or known-vulnerable drivers to prevent unauthorized kernel-level access; because the abused driver carries a valid digital signature, a signature check alone will not stop it. Obtaining software, especially CPU tuning utilities such as ThrottleStop, only from official, trusted sources helps avoid inadvertently introducing compromised or tampered drivers.
Keeping Windows and security software up to date, including patches for drivers with known vulnerabilities, is another essential measure. Endpoint detection and response (EDR) tools capable of spotting kernel-level manipulation and registry tampering can also help. Lastly, limiting administrative privileges and controlling user access rigorously reduces the chance that an attacker can register a driver service in the first place.
This attack serves as a reminder of the ongoing threat posed by the abuse of legitimate but vulnerable components to evade defenses. Vigilant monitoring, patch management, and controls around driver execution within secure enterprise environments are more important than ever.
- The cybersecurity threat landscape is intensifying, with the growing prevalence of BYOVD attacks like the one involving Akira ransomware, which abuse legitimate, digitally signed drivers with known security flaws, such as the Intel CPU tuning driver, to bypass security protections.
- As the fight against cybercrime escalates, it's crucial to monitor for indicators of compromise, apply YARA rules and filters, block the execution of untrusted drivers, keep software updated, and adopt EDR tools to guard against the abuse of legitimate but vulnerable components.