Ransomware Gangs Abuse Process Explorer Driver to Kill Security Software
Summary:
AuKill, a newly developed hacking tool, is being used by threat actors to disable Endpoint Detection & Response (EDR) software on targeted systems. This is done in preparation for the deployment of backdoors and ransomware in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack. During such attacks, the perpetrators plant legitimate drivers that are signed with a valid certificate and can operate with kernel privileges on the victims’ devices. This allows them to disable security solutions and take control of the system.
"The AuKill malware, first spotted by Sophos X-Ops security researchers, drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft's Process Explorer v16.32. This is a very popular and legitimate utility that helps collect information on active Windows processes. To escalate privileges, it first checks if it's already running with SYSTEM privileges, and if not, it impersonates the TrustedInstaller Windows Modules Installer service to escalate to SYSTEM. To disable security software, AuKill starts several threads to continuously probe and disable security processes and services (and ensure they remain disabled by preventing them from restarting). So far, multiple AuKill versions have been observed in the wild, some deployed in at least three separate incidents that have led to Medusa Locker and LockBit ransomware infections since the start of the year."
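A detection sketch for the sequence the summary describes (a Process Explorer driver load followed by a burst of security-process terminations that keep recurring as the products restart). This is an added example, not code from Sophos or the source article; the Sysmon-style event shape, file paths, product process names and the 60-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). EID 6 = driver
# loaded, EID 5 = process terminated. Paths and product names are made up.
SAMPLE_EVENTS = [
    {"t": "2023-02-14T10:00:01", "eid": 6, "image": r"C:\Windows\System32\drivers\procexp.sys", "signed": True},
    {"t": "2023-02-14T10:00:03", "eid": 5, "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"t": "2023-02-14T10:00:04", "eid": 5, "image": r"C:\Program Files\ExampleEDR\edr_svc.exe"},
    {"t": "2023-02-14T10:00:09", "eid": 5, "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"t": "2023-02-14T11:30:00", "eid": 6, "image": r"C:\Tools\procexp152.sys", "signed": True},
    {"t": "2023-02-14T11:30:05", "eid": 5, "image": r"C:\Windows\System32\notepad.exe"},
]

# Hypothetical names of the EDR binaries expected to be running on the host.
PROTECTED_PROCS = {"edr_agent.exe", "edr_svc.exe"}
WINDOW = timedelta(seconds=60)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_byovd_sequences(events, protected=PROTECTED_PROCS, window=WINDOW, min_kills=2):
    """Return one finding per Process Explorer driver load that is followed,
    within `window`, by at least `min_kills` terminations of protected
    processes. A valid signature is deliberately NOT treated as exonerating:
    the abused driver is legitimately signed, so the signal is the behaviour."""
    events = sorted(events, key=lambda e: e["t"])
    findings = []
    for i, ev in enumerate(events):
        if ev["eid"] != 6 or not _basename(ev["image"]).startswith("procexp"):
            continue
        t0 = datetime.fromisoformat(ev["t"])
        kills = []
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["t"]) - t0 > window:
                break
            if later["eid"] == 5 and _basename(later["image"]) in protected:
                kills.append(_basename(later["image"]))
        if len(kills) >= min_kills:
            findings.append({
                "driver": ev["image"],
                "killed": kills,
                # The same process dying more than once inside the window is
                # the "prevent them from restarting" behaviour described above.
                "repeated_kill": len(kills) != len(set(kills)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_byovd_sequences(SAMPLE_EVENTS):
        print(finding)
```

The legitimate-looking load at 11:30 produces no finding because no protected process dies afterwards; tune `PROTECTED_PROCS` to the products actually deployed.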
Analyst comments:
Researchers at Sophos X-Ops reported that the AuKill tool was used in at least three ransomware incidents since the start of 2023. In each case, the tool was used to disable the target’s security measures before the ransomware was deployed. In January and February, the attackers behind these incidents used AuKill before deploying the Medusa Locker ransomware. Additionally, in February, an attacker employed AuKill just before deploying the LockBit ransomware. AuKill and the open-source tool Backstab share similarities in their method of operation: both use a Process Explorer driver to disable security solutions on compromised devices. According to Sophos, the LockBit gang has previously employed Backstab in at least one attack. The similarities between AuKill and Backstab include shared debug strings and nearly identical code flow logic for interacting with the driver. The oldest known sample of AuKill dates back to November 2022, while the latest sample was compiled in mid-February 2023. During this period, it was also used in an attack linked to the LockBit ransomware group.
Mitigation:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because if your network data is encrypted by ransomware, your organization can still restore its systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Source:
https://www.bleepingcomputer.com/ne...ss-explorer-driver-to-kill-security-software/