Hackers are abusing this Intel tool to disable Windows 11’s built-in antivirus — don’t fall for this

The Akira ransomware operation has recently gained traction in the cybercrime landscape, and its latest iteration shows a particularly concerning tactic: the attackers abuse a legitimate, digitally signed Intel CPU tuning driver to disable Microsoft Defender, the antivirus built into Windows. The development was highlighted in a report by Bleeping Computer, which detailed how the attackers register the driver as a Windows service so that the operating system loads it into the kernel, giving them kernel-level access to the system.

Exploiting Vulnerabilities

Known as BYOVD, or “Bring Your Own Vulnerable Driver,” the technique relies on a driver that carries a valid code signature but contains known vulnerabilities. Because the signature is valid, Windows will load the driver; because an attacker who already holds administrator rights on the machine can register a driver service, the driver's flaws then hand them arbitrary read and write access to kernel memory. That is the privilege escalation that lets them load further malicious tooling or, in this case, switch off antivirus protections that an administrator alone is not supposed to be able to turn off. The researchers at Guidepoint Security observed that once a second driver is executed alongside the Intel one, the DisableAntiSpyware setting of Microsoft Defender is modified in the Windows Registry, with the change made through regedit.exe. That value lives under the Defender policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender), and Tamper Protection is designed to block changes to it, so a successful modification is itself a strong signal that tamper protection was off or had been defeated.

In response to these findings, Guidepoint Security has published a YARA rule along with indicators of compromise (IoCs), service names, and file paths to help organizations detect and block the activity. It urges system administrators to monitor for any Akira-related activity, add filters and blocks as new indicators appear, and download software only from official, trusted sources; the growth of malicious download sites and counterfeit software sources has made that caution increasingly important, since a trojanized installer is a common way for this kind of tooling to arrive.
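The two artifacts the campaign leaves behind, a freshly registered kernel-mode driver service and a Defender policy value that disables the engine, are both visible from a standard Windows host. The following hunting script is an added example written for this page; it is not Guidepoint Security's YARA rule or any code from Bleeping Computer's report, and it carries none of the campaign's specific service names or file paths. It checks Defender's live state and the DisableAntiSpyware policy value, lists kernel-mode driver services registered within a lookback window (using the Service Control Manager's System event 7045), and lists currently running drivers whose image sits outside the Windows driver directory, reporting who signed each binary. The $LookbackDays parameter, the helper function names and the output layout are this example's own choices.

```powershell
# Added example (not from the article, Guidepoint Security or Bleeping Computer):
# hunt for a BYOVD-style driver load and a Defender policy that turns the engine
# off. Run in an elevated PowerShell 5.1+ session on Windows 10/11.
# $LookbackDays and the output layout are this example's own choices.
[CmdletBinding()]
param([int]$LookbackDays = 14)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-ImagePath {
    # Service image paths come in several shapes: "\??\C:\x.sys",
    # "system32\drivers\x.sys" (relative to the Windows directory) or a full path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return '' }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SignerSummary {
    # Who signed the binary; "missing" if the file is gone, "unsigned/<status>"
    # if the Authenticode signature does not validate.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "unsigned/$($sig.Status)" }
    return $sig.SignerCertificate.Subject
}

function Test-OutsideDriverDir {
    param([string]$Path)
    return -not $Path.StartsWith($driverDir, [StringComparison]::OrdinalIgnoreCase)
}

# 1. Defender state. The campaign sets DisableAntiSpyware under the policy key;
#    Tamper Protection is meant to block that, so report both side by side.
$status = Get-MpComputerStatus
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                           -Name DisableAntiSpyware -ErrorAction SilentlyContinue
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    DisableAntiSpywarePolicy  = if ($null -eq $policy) { '<not set>' } else { $policy.DisableAntiSpyware }
} | Format-List

# 2. Kernel-mode driver services registered in the lookback window. The Service
#    Control Manager logs System event 7045 for every new service; its event
#    data fields are ServiceName, ImagePath, ServiceType, StartType, AccountName.
#    ServiceType is a localized string ("kernel mode driver" on English systems).
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        if ("$($p[2].Value)" -notmatch 'kernel') { return }   # skip user-mode services
        $path = Resolve-ImagePath "$($p[1].Value)"
        [pscustomobject]@{
            Installed        = $_.TimeCreated
            ServiceName      = $p[0].Value
            ImagePath        = $path
            OutsideDriverDir = Test-OutsideDriverDir $path
            Signer           = Get-SignerSummary $path
        }
    } | Format-Table -AutoSize

# 3. Drivers running right now whose image lives outside the Windows driver
#    directory. A signed third-party driver dropped next to the ransomware
#    payload shows up here even after the 7045 event has rolled off the log.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-ImagePath $_.PathName
        if (-not (Test-OutsideDriverDir $path)) { return }
        [pscustomobject]@{ Name = $_.Name; ImagePath = $path; Signer = Get-SignerSummary $path }
    } | Format-Table -AutoSize
```

Two points to keep in mind when reading the output. A valid signature is not a clean bill of health here: the whole point of BYOVD is that the abused driver is legitimately signed, so the signer column is there to tell you which vendor's driver turned up in an unexpected place, not to clear it. And the System log is small and rolls over quickly, so on a host you suspect, pull the same 7045 events and driver-load telemetry from your EDR or a forwarded log store rather than relying on the local log alone.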

While it is disconcerting to see hackers turn a legitimate, signed driver into a weapon against the operating system's own defences, the swift detection of this attempt allowed timely intervention and prevented the campaign from causing significant damage.

Tech Optimizer