
Ransomware installs Gigabyte driver to kill antivirus products

Ransomware | BCyber | March 6, 2020


A ransomware gang is installing vulnerable GIGABYTE drivers on computers it wants to infect. The purpose of these drivers is to allow the hackers to disable security products so their ransomware strain can encrypt files without being detected or stopped.

This novel technique has been spotted in two ransomware incidents so far, according to UK cybersecurity firm Sophos.

In both cases, the ransomware was RobbinHood [1, 2], a strain of “big-game” ransomware that’s usually employed in targeted attacks against selected, high-value targets.

In a report published late last night, Sophos described this new technique as follows:

Per Sophos, this antivirus bypassing technique works on Windows 7, Windows 8, and Windows 10.

The Gigabyte driver patching fiasco

This technique is successful because of the way the vulnerability in the Gigabyte driver was handled, leaving a loophole that hackers can exploit.

For this debacle, two parties are at fault — first Gigabyte, and then Verisign.

Gigabyte’s fault lies in the unprofessional manner in which it dealt with the vulnerability report for the affected driver. Instead of acknowledging the issue and releasing a patch, Gigabyte claimed its products were not affected.

The company’s outright refusal to recognize the vulnerability led the researchers who found the bug to publish details about it, along with proof-of-concept code to reproduce the vulnerability. This public proof-of-concept code gave attackers a roadmap for exploiting the Gigabyte driver.

When public pressure was put on the company to fix the driver, Gigabyte chose to discontinue it rather than release a patch.

But even if Gigabyte had released a patch, attackers could have simply used an older and still vulnerable version of the driver. In this case, the driver’s signing certificate should have been revoked, so it wouldn’t be possible to load the driver’s older versions either.

“Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid,” Sophos researchers said, explaining why it was still possible today to load a now-deprecated and known-vulnerable driver inside Windows.
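Because the signature still validates, a driver-load policy that trusts Authenticode alone admits the old driver. The added example below (not code from Sophos or the original article) compares that policy with a hash deny list, using constructed events that follow the field names of Sysmon Event ID 6 (DriverLoad); all hashes, paths and signer names are placeholders.

```python
# Deny list of SHA-256 hashes of known-vulnerable drivers.
# Placeholder value: substitute hashes from a vetted vulnerable-driver list.
VULNERABLE_DRIVER_SHA256 = {"AB" * 32}

# Constructed events using the field names of Sysmon Event ID 6 (DriverLoad).
# Paths, signer names and hashes are invented for illustration.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\example_net.sys",
     "Hashes": "MD5=" + "11" * 16 + ",SHA256=" + "CD" * 32,
     "Signed": "true", "Signature": "Example Vendor A", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\example_vuln.sys",
     "Hashes": "MD5=" + "22" * 16 + ",SHA256=" + "ab" * 32,
     "Signed": "true", "Signature": "Example Vendor B", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\example_old.sys",
     "Hashes": "MD5=" + "33" * 16,
     "Signed": "true", "Signature": "Example Vendor C", "SignatureStatus": "Valid"},
]

def parse_hashes(field):
    """Turn 'MD5=...,SHA256=...' into {'MD5': '...', 'SHA256': '...'} (upper-cased)."""
    pairs = (item.split("=", 1) for item in field.split(",") if "=" in item)
    return {name.strip().upper(): value.strip().upper() for name, value in pairs}

def signature_only_verdict(event):
    """The weak policy: trust any driver whose Authenticode signature validates."""
    ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    return "allow" if ok else "block"

def denylist_verdict(event, denylist=VULNERABLE_DRIVER_SHA256):
    """Check the hash first; a valid signature never overrides a deny-list hit."""
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 is None:
        return "review"  # event lacks SHA-256, so the deny list cannot be applied
    if sha256 in {h.upper() for h in denylist}:
        return "block"
    return signature_only_verdict(event)

def triage(events):
    """Return (path, weak verdict, hardened verdict) for each driver-load event."""
    return [(e["ImageLoaded"], signature_only_verdict(e), denylist_verdict(e))
            for e in events]

if __name__ == "__main__":
    for path, weak, hardened in triage(SAMPLE_EVENTS):
        print(f"{path}: signature-only={weak}, deny-list={hardened}")
```

The third event shows a logging gap: if the driver-load event records only MD5, the SHA-256 deny list cannot be evaluated and the load should go to manual review instead of being allowed by default.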

But if we’ve learned anything about cyber-criminals, it is that most of them are copy-cats, and other ransomware gangs are expected to incorporate this trick into their arsenals as well, leading to more attacks using this technique.

RobbinHood is not the only ransomware gang using tricks to disable or bypass security products. Other strains that engage in similar behavior include Snatch (which reboots PCs in Safe Mode to prevent AV software from starting) and Nemty (which shuts down antivirus processes using the taskkill utility).

This content was originally published here.

Written by: BCyber
