  • This sneaky ransomware attack tries to switch off your security software

    aum

    • 472 views
    • 3 minutes

    Cybersecurity researchers detail how one ransomware gang has started using a new technique to help power extortion attacks.


    A major ransomware gang is using a new technique that lets its attacks evade detection by security products: it exploits a vulnerability in a single legitimate driver, then uses the kernel access that gives to disable more than 1,000 drivers used by antivirus and endpoint security software.


    The technique has been detailed by cybersecurity researchers at Sophos, who've seen it being used in attacks by the BlackByte ransomware gang.


    BlackByte is a relatively new ransomware operation, but a series of attacks going after critical infrastructure and other high-profile targets have led to the FBI issuing a warning about the group.


    Now the BlackByte ransomware gang is apparently using CVE-2019-16098, a vulnerability in RTCore64.sys, a Windows kernel driver that ships with MSI Afterburner, a graphics utility. The driver is legitimately used for overclocking, giving the utility extended control over the graphics card.


    However, by exploiting the vulnerability, an attacker who has access to any authenticated user account can read and write arbitrary memory, including kernel memory. That primitive can be used for privilege escalation, code execution or information disclosure.


    Researchers describe this as "Bring Your Own Driver" (more widely known as Bring Your Own Vulnerable Driver, or BYOVD). When abused, it allows attackers to neutralise more than 1,000 drivers used by industry endpoint detection and response (EDR) products, the kernel components through which antivirus software watches the system.


    The tactic works by using the vulnerable driver to read and write the targeted system's kernel memory directly: the attacker removes the kernel notification routines (callbacks) that antivirus and EDR drivers register in order to be told about new processes, threads and image loads, and disables the ETW (Event Tracing for Windows) providers those products rely on.


    "If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate. If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte's pool of potential targets for deploying this EDR bypass is enormous," said Christopher Budd, senior manager for threat research at Sophos.


    By abusing this vulnerability, BlackByte can blind the defences that would otherwise detect it and quietly operate on systems, before triggering a ransomware attack and demanding a ransom payment for the decryption key. Like many other ransomware groups, BlackByte also steals data from victims and threatens to release it if their extortion demands aren't met.


    In order to help protect against Bring Your Own Driver attacks, Sophos recommends that drivers are regularly updated, so any known vulnerabilities in them can be remedied. Researchers also recommend blocklisting drivers that are known to still be exploitable. Note that patching alone does not close this hole: the attacker brings their own copy of the old, vulnerable driver, so the blocklist is what actually stops it loading. On Windows, Microsoft's recommended driver block rules (applied through Windows Defender Application Control, and enabled by default on recent Windows 11 builds and on devices with memory integrity, HVCI, turned on) are one maintained blocklist to start from.
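    The following script is an added example written for this page; it is not code from Sophos, from the article or from BlackByte. It turns the two points above (EDR drivers can be blinded once a vulnerable driver is loaded, so known-exploitable drivers should be blocklisted) into a check a defender can run: it parses the CSV that `driverquery /v /fo csv` produces on Windows, flags any loaded driver whose file name is on a known-vulnerable list, whose SHA-256 is on a hash blocklist, or which is loaded from somewhere other than the standard driver directories. Only RTCore64.sys is taken from the article; the sample inventory, the hash values and the extra driver names are constructed for the example, and the hash blocklist is a placeholder you must populate from a real source.

```python
"""Flag loaded Windows kernel drivers that look like Bring Your Own (Vulnerable) Driver abuse.

Added example, not from the article or the Sophos report. Input is constructed
`driverquery /v /fo csv` output. File hashes are supplied separately (e.g. from
Get-FileHash) because driverquery does not emit them.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Name-based blocklist. RTCore64.sys is the driver named in the article;
# extend from a maintained list. Matching is case-insensitive on the file name.
KNOWN_VULNERABLE_NAMES = {"rtcore64.sys"}

# Hash-based blocklist. The digest below is CONSTRUCTED so the example runs
# offline; replace it with real SHA-256 values from a vendor or Microsoft blocklist.
CONSTRUCTED_BAD_SHA256 = "3b" * 32
KNOWN_VULNERABLE_SHA256 = {CONSTRUCTED_BAD_SHA256: "RTCore64.sys (constructed hash)"}

# Where vendor drivers normally live. A driver loaded from a user profile, a
# temp folder or ProgramData is the usual shape of a dropped BYOVD driver.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)


@dataclass
class Finding:
    module: str
    path: str
    reasons: list = field(default_factory=list)


def _normalise(path: str) -> str:
    """Canonical lower-case Windows path so name and hash lookups are stable."""
    return str(PureWindowsPath(path)).lower()


def parse_driverquery_csv(text: str) -> list:
    """Parse `driverquery /v /fo csv` output into row dicts; skip rows without a path."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("Path")]


def check_driver(row: dict, hashes: dict) -> Optional[Finding]:
    """Return a Finding if the driver trips any rule, else None.

    `hashes` maps a normalised path to a lower-case SHA-256 hex digest.
    """
    path = _normalise(row["Path"])
    name = PureWindowsPath(path).name
    finding = Finding(module=row["Module Name"], path=row["Path"])

    # Rule 1: file name on the known-vulnerable list (weak: attacker can rename).
    if name in KNOWN_VULNERABLE_NAMES:
        finding.reasons.append(f"name {name} is on the known-vulnerable list")

    # Rule 2: hash on the blocklist (strong: survives renaming).
    digest = hashes.get(path)
    if digest and digest in KNOWN_VULNERABLE_SHA256:
        finding.reasons.append(f"sha256 matches blocklist: {KNOWN_VULNERABLE_SHA256[digest]}")

    # Rule 3: loaded from outside the standard driver directories.
    if not any(path.startswith(d) for d in EXPECTED_DRIVER_DIRS):
        finding.reasons.append("loaded from outside the standard driver directories")

    return finding if finding.reasons else None


def scan(text: str, hashes: dict) -> list:
    """Run every rule over every driver row; returns the list of Findings in input order."""
    normalised_hashes = {_normalise(k): v.lower() for k, v in hashes.items()}
    findings = []
    for row in parse_driverquery_csv(text):
        f = check_driver(row, normalised_hashes)
        if f:
            findings.append(f)
    return findings


# Constructed sample in the column layout of `driverquery /v /fo csv`.
# ACPI is a normal boot driver; RTCore64 is the article's driver dropped in a
# user-writable folder; gpudrv is the same file renamed (caught by hash only).
SAMPLE_DRIVERQUERY = '''"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot","Running","OK","TRUE","FALSE","73,728","139,264","0","","C:\\Windows\\system32\\drivers\\ACPI.sys","4,096"
"RTCore64","RTCore64","RTCore64","Kernel","Demand","Running","OK","TRUE","FALSE","4,096","8,192","0","","C:\\Users\\Public\\Music\\RTCore64.sys","4,096"
"gpudrv","gpudrv","gpudrv","Kernel","Demand","Running","OK","TRUE","FALSE","4,096","8,192","0","","C:\\ProgramData\\tmp\\gpudrv.sys","4,096"
'''

# Constructed hashes, as if collected with `Get-FileHash -Algorithm SHA256`.
SAMPLE_HASHES = {
    "C:\\Windows\\system32\\drivers\\ACPI.sys": "1a" * 32,
    "C:\\Users\\Public\\Music\\RTCore64.sys": "2c" * 32,
    "C:\\ProgramData\\tmp\\gpudrv.sys": CONSTRUCTED_BAD_SHA256,
}


if __name__ == "__main__":
    for f in scan(SAMPLE_DRIVERQUERY, SAMPLE_HASHES):
        print(f"{f.module}: {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

    The hash rule is the one that matters: the renamed `gpudrv.sys` in the sample is missed by the name list and caught only by its digest, which is exactly why a maintained hash blocklist (or WDAC rules that block the signer and hash) beats a list of file names. The path rule is a heuristic, not proof; legitimate vendor installers occasionally load drivers from odd locations, so treat it as a prompt to inspect rather than an alert on its own.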


    "It's critical for defenders to monitor new evasion and exploitation techniques and implement mitigations before these techniques become widely available on the cybercrime scene," said Budd.


    Ransomware continues to be one of the biggest cybersecurity issues facing organisations today. Additional steps that organisations can take to help protect against ransomware and other malware attacks include applying security patches and updates in a timely fashion, as well as enforcing multi-factor authentication for users.


    These can help prevent cyber criminals from being able to access the network in the first place.


    Source
