Ransomware installs Gigabyte driver to kill antivirus products

[steven36]

RobbinHood ransomware deploys novel technique to make sure it can encrypt files without being interrupted.

 

 

A ransomware gang is installing vulnerable GIGABYTE drivers on computers it wants to infect. The purpose of these drivers is to allow the hackers to disable security products so their ransomware strain can encrypt files without being detected or stopped.

 

This new novel technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos.

 

In both cases, the ransomware was RobbinHood [1, 2], a strain of "big-game" ransomware that's usually employed in targeted attacks against selected, high-value targets.

 

In a report published late last night, Sophos described this new technique as follows:

1. Ransomware gang gets a foothold on a victim's network.
2. Hackers install legitimate Gigabyte kernel driver GDRV.SYS.
3. Hackers exploit a vulnerability in this legitimate driver to gain kernel access.
4. Attackers use the kernel access to temporarily disable the Windows OS driver signature enforcement.
5. Hackers install a malicious kernel driver named RBNL.SYS.
6. Attackers use this driver to disable or stop antivirus and other security products running on an infected host.
7. Hackers execute the RobbinHood ransomware and encrypt the victim's files.

 

Per Sophos, this antivirus bypassing technique works on Windows 7, Windows 8, and Windows 10.

The Gigabyte driver patching fiasco

This technique is successful because of the way the vulnerability in the Gigabyte driver was handled, leaving a loophole that hackers can exploit.

 

For this debacle, two parties are at fault -- first Gigabyte, and then Verisign.

 

 

Gigabyte's fault resides in its unprofessional manner in which it dealth with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.

 

The company's downright refusal to recognize the vulnerability led the researchers who found the bug to publish public details about this bug, along with proof-of-concept code to reproduce the vulnerability. This public proof-of-concept code gave attackers a roadmap to exploiting the Gigabyte driver.

 

When public pressure was put on the company to fix the driver, Gigabyte instead chose to discontinue it, rather than releasing a patch.

 

But even if Gigabyte had released a patch, attackers could have simply used an older and still vulnerable version of the driver. In this case, the driver's signing certificate should have been revoked, so it wouldn't be possible to load the driver's older versions either.

 

"Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid," Sophos researchers said, explaining why it was still possible today to load a now-deprecated and known-vulnerable driver inside Windows.

 

But if we've learned something about cyber-criminals is that most of them are copy-cats and other ransomware gangs are expected to incorporate this trick into their arsenals as well, leading to more attacks using this technique.

 

RobbinHood is not the only ransomware gang that is using various tricks to disable or bypass security products. Other strains that engage in a similar behavior include Snatch (which reboots PCs in Safe Mode to disable AV software from starting) and Nemty (which shuts down antivirus process using taskkill utility).

 

Source

[duddy]

Ransomware Borrows Vulnerable Driver To Remove Security Software

 

Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.

 

The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320. The vulnerability, published along with proof-of-concept code in 2018 and widely reported at the time, was disclaimed by the company, who told the researcher who tried to report the bug that “its products are not affected by the reported vulnerabilities.” The company later recanted, and has discontinued using the vulnerable driver, but it still exists, and it apparently remains a threat.

 

Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid.

 

In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.

 

This is the first time we have observed ransomware shipping a trusted, signed (yet vulnerable) third party driver to patch the Windows kernel in-memory, load their own unsigned malicious driver, and take out security applications from kernel space. The ransomware that was being installed in both instances calls itself RobbinHood.

 

Ransomware trying to circumvent security products is not new. For example, Nemty kills processes and services using regular taskkill, and Snatch ransomware figured out how to reboot PCs into Safe Mode to get around endpoint protection. Obviously, doing the process killing from kernel mode has a lot of advantages.

 

This article takes a deep dive on how the attackers do it. We’re publishing this information now so other defenders can anticipate and enact defenses against this novel attack, where adversaries bring a vulnerable third party driver to subvert the Windows kernel, terminate defenses, and encrypt files unhindered by endpoint protection software.

 

What users can do to prevent this type of attack

Computers that are fully patched and have no known vulnerabilities can still end up in ruin because this attacker brings his own vulnerability. So what can you do to prevent the initial access by the attacker?

 

Adopt a three-pronged approach to minimize your risk of falling victim to an attack.

 

1. Threat protection that disrupts the whole attack chain

Today’s ransomware attacks use multiple techniques and tactics, so focusing your defense on a single technology leaves you very vulnerable.
Instead, deploy a range of technologies to disrupt as many stages in the attack as possible. And integrate the public cloud into your security strategy.

 

2. Strong security practices

These include:

Use multi-factor authentication (MFA)

Use complex passwords, managed through a password manager

Limit access rights; give user accounts and admins only the access rights they need

Make regular backups, and keep them offsite and offline where attackers can’t find them

Lock down your RDP; turn it off if you don’t need it, use rate limiting, 2FA or a VPN if you do

Ensure tamper protection is enabled – other ransomware strains attempt to disable your endpoint protection, and tamper protection is designed to prevent this from happening.

 

3. Ongoing staff education

People are invariably the weakest link in cybersecurity, and cybercriminals are experts at exploiting normal human behaviors for nefarious gain. Invest – and keep investing – in staff training.

 

Source

[Karlston]

Similar topics merged.