Threat researchers at GuidePoint Security have uncovered Akira affiliates abusing legitimate Windows drivers in a previously unreported tactic, even as the ransomware strain intensifies its targeting of SonicWall firewalls.
According to GuidePoint’s threat intelligence consultant Jason Baker, Akira attackers were found hijacking two common Windows drivers as kernel-level tools to evade antivirus and EDR systems.
“We have observed Akira affiliates exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse,” Baker said in a blog post. “This high-fidelity indicator can be used for proactive detection and retroactive threat hunting.”
Baker’s blog came just hours after SonicWall confirmed on Monday that it is experiencing a notable increase in cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled.
SonicWall said it is currently investigating the infection vector and recommended that its customers disable SSLVPN, which is not a small ask considering it is a core access method used by its customers.
Satnam Narang, senior staff research engineer at Tenable, explained the implications. “VPNs are a requirement for many organizations for their employees to access the corporate network, so expecting every customer to disable the service is not viable, but it is the only current way to halt the malicious activity against these devices,” he said. “While the list of additional security actions organizations can take is valuable in lieu of disabling the VPN, it is highly advised that organizations initiate an incident response to determine their exposure.”
Windows drivers abused in BYOVD attacks
GuidePoint reports that two Windows drivers, “rwdrv.sys” and “hlpdrv.sys,” are being co-opted by attackers as part of a Bring Your Own Vulnerable Driver (BYOVD) strategy. rwdrv.sys belongs to the ThrottleStop CPU tuning utility, and hlpdrv.sys toggles Windows Defender’s “DisableAntiSpyware” registry key.
These drivers are registered and executed as services, with rwdrv.sys likely used to elevate privileges to kernel mode, enabling deployment of the malicious hlpdrv.sys to turn off anti-spyware protections via registry modifications executed through “regedit.exe.”
“We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases,” Baker said, adding that GuidePoint is providing a YARA rule that “can help facilitate detection of the malicious hlpdrv.sys driver based on associated strings, conditions, and imports.”
He added that traces of this abuse date back to at least July 15, the day when the SonicWall attacks reportedly started. The YARA rule is published together with a list of indicators of compromise (IOCs) so that admins can set up detection.
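As an added illustration (not code from GuidePoint’s blog or this article), the following Python hunt applies the two behaviours described above, kernel driver services installed for rwdrv.sys or hlpdrv.sys and the Defender DisableAntiSpyware value being set, to a handful of constructed Windows event records; the field names mimic System event 7045 and Sysmon event 13, but the records themselves are made up for the example.

```python
"""Hunt a batch of Windows event records for the Akira BYOVD pattern:
driver services pointing at rwdrv.sys / hlpdrv.sys, and the Defender
DisableAntiSpyware registry value being set to 1."""
import re

SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Matches both the policy and the product key that end in DisableAntiSpyware.
DISABLE_AS = re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I)

# Constructed sample records (not real telemetry), modelled on System 7045
# (service install) and Sysmon 13 (registry value set) fields.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "rwdrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\Temp\rwdrv.sys"},
    {"id": 7045, "ServiceName": "hlpdrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\Temp\hlpdrv.sys"},
    {"id": 7045, "ServiceName": "Spooler", "ServiceType": "user mode service",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},            # benign
    {"id": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"id": 13, "Image": r"C:\Windows\System32\svchost.exe",       # benign
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters",
     "Details": "DWORD (0x00000002)"},
]


def hunt_byovd(events):
    """Return (rule_name, detail) findings for each matching event."""
    findings = []
    for ev in events:
        if ev.get("id") == 7045 and "driver" in ev.get("ServiceType", "").lower():
            # Compare only the file name; attackers drop the driver anywhere.
            name = ev.get("ImagePath", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_DRIVERS:
                findings.append(("suspect_driver_service",
                                 f"{ev['ServiceName']} -> {ev['ImagePath']}"))
        elif ev.get("id") == 13 and DISABLE_AS.search(ev.get("TargetObject", "")):
            if "0x00000001" in ev.get("Details", ""):   # value set to 1 = disabled
                findings.append(("defender_disabled_via_registry",
                                 f"{ev['Image']} set {ev['TargetObject']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt_byovd(SAMPLE_EVENTS):
        print(rule, detail)
```

Correlating a suspect_driver_service hit with a defender_disabled_via_registry hit on the same host within a short window is the high-fidelity combination GuidePoint describes; either alone still merits a look.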
Reports hint at SonicWall ‘zero-day’
While SonicWall’s disclosure did not reveal an infection vector and said it is currently investigating initial access, reports of attackers possibly exploiting a zero-day bug have surfaced.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” said an Arctic Wolf report.
The uptick in ransomware activity, beginning on July 15, appears distinct from several malicious VPN logins observed since October 2024, where an access control flaw (CVE-2024-40766) was being exploited by Fog and Akira ransomware affiliates.
Making a stronger case for a zero-day abuse, Arctic Wolf said, “In some instances, fully patched SonicWall devices were affected following credential rotation.” Some accounts were also compromised despite TOTP MFA being enabled, it added.
Both times, Arctic Wolf confirmed, a short interval was observed between initial SSLVPN account access and ransomware encryption.
SonicWall did not immediately respond to CSO’s request for comment, but had addressed the ‘zero-day’ reports in the disclosure, stating it is “committed to releasing updated firmware and instructions promptly if a new vulnerability is confirmed”. Earlier this year, SonicWall informed customers of a high-severity bug (tracked as CVE-2024-53704) affecting SSLVPN services that allowed authentication bypass by remote attackers. Apart from disabling SSLVPN services where practical, users are advised to limit SSLVPN connectivity to trusted source IPs, enable Botnet protection, Geo-IP filtering, and other security services, enforce MFA, and remove unused accounts.