This is a 'Bring Your Own Vulnerable Driver' (BYOVD) attack, where threat actors use legitimate signed drivers that have known vulnerabilities or weaknesses that can be abused to achieve privilege escalation. This driver is then used to load a malicious tool that disables Microsoft Defender.
"The second driver, hlpdrv.sys, is similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware," explain the researchers.
"The malware accomplishes this via execution of regedit.exe."
"We are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases. This high-fidelity indicator can be used for proactive detection and retroactive threat hunting," continued the report.
Akira ransomware was recently linked to attacks on SonicWall VPNs using what is believed to be an unknown flaw.
Meanwhile, The DFIR Report has published an analysis of recent Akira ransomware attacks, highlighting the use of the Bumblebee malware loader delivered via trojanized MSI installers of IT software tools.
An example involves searches for "ManageEngine OpManager" on Bing, where SEO poisoning redirected the victim to the malicious site opmanager[.]pro.
.jpg)
Bumblebee is launched via DLL sideloading, and once C2 communication is established, it drops AdaptixC2 for persistent access.The attackers then conduct internal reconnaissance, create privileged accounts, and exfiltrate data using FileZilla, while maintaining access via RustDesk and SSH tunnels.
After approximately 44 hours, the main Akira ransomware payload (locker.exe) is deployed to encrypt systems across domains.
A new post-exploitation command-and-control (C2) evasion method called 'Ghost Calls' abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.
0
Nigerian national Chukwuemeka Victor Amachukwu has been extradited from France to the U.S. to face charges of hacking, fraud, and identity theft for suspected spearphishing attacks on U.S. tax preparation businesses.
0
Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.
0
National Bank of Canada (Banque Nationale du Canada), the sixth largest commercial bank of Canada is currently experiencing a widespread service outage affecting its online banking and mobile app platforms.
0
ControlVault3 firmware vulnerabilities impacting over 100 Dell laptop models can allow attackers to bypass Windows login and install malware that persists across system reinstalls.
0 The United States is warning people traveling to China about chikungunya, a virus that spreads to humans through mosquito bites.
The Centers for Disease Control and Prevention has issued a Level 2 travel notice for people traveling to the country, urging them to "practice enhanced precautions."
The notice, issued last week, says the chikungunya outbreak is in Guangdong Province, with most cases reported in the city of Foshan. In recent weeks, the region near Hong Kong has reported more than 7,000 cases.
Those most at risk for severe illness are newborns who are infected around the time they're born, as well as adults 65 and older and people with conditions like heart disease and diabetes. Pregnant women are urged to reconsider traveling to impacted areas, as the virus can be passed to a baby before birth.
"The symptoms of chikungunya are similar to those of dengue and Zika, making chikungunya easy to misdiagnose and making it more difficult for countries to accurately determine the number of people infected," according to the World Health Organization.
While the CDC notes there is no specific treatment, vaccines are available and recommended for people planning to visit an area with an outbreak of chikungunya.. .
Beijing has learned strict, fast containment lessons fighting SARS in 2003 and COVID-19 since 2019. Doctors have forced patients to stay in hospitals for seven days to stop further spread.
"The current situation is preventable, treatable and controllable," Chinese Foreign Ministry spokesperson Guo Jiakun said.
