Vulnerability in an old Gigabyte driver: blocks antivirus and installs ransomware

Sophos security researchers have identified two hacker attacks united by the same technique, which therefore suggests the same hand behind the scenes. It would be a hacker group that exploits a vulnerability in an old Gigabyte motherboard driver to dismantle the defenses of antivirus and antimalware software and install the RobbinHood ransomware, normally used in attacks aimed at selected high-value targets, so that it can operate undisturbed.

In its analysis, Sophos describes the technique in detail; it unfolds in several steps:

- The group gains access to the victim's network
- Installs the driver GDRV.SYS (legitimately signed, but flawed)
- Exploits the driver vulnerability to gain access to the kernel
- Uses kernel access to temporarily disable the Windows driver signature requirement
- Installs a malicious driver called RBNL.SYS
- Uses this driver to disable or stop the antivirus and other security products on the target system
- Runs the RobbinHood ransomware to encrypt the files present on the system.

This technique, Sophos warns, works on Windows 7, Windows 8 and Windows 10. The security company holds Gigabyte and Verisign responsible for this situation: the technique succeeds precisely because of the way the vulnerability in the Gigabyte driver was handled.

The driver is part of a now discontinued software package dating back to 2018 and carries the vulnerability identified as CVE-2018-19320. When the vulnerability was identified and reported privately to Gigabyte, the Taiwanese company decided not to acknowledge the problem and, without issuing a corrective patch, claimed that its products were not affected by any vulnerability. The company's refusal to acknowledge the problem led the researchers who had identified the vulnerability to publish their findings openly, together with an example, the so-called proof-of-concept code, of how to take advantage of the weak point. The publication of this information thus offered attackers a starting point for exploiting the vulnerability in the Gigabyte driver.

Recklessness on the part of the security researchers? No, this is the common practice followed in such cases: the affected party is contacted privately to report the problem and, if it refuses to act, the information is disclosed in order to force it to work on a solution. But even in this case Gigabyte irresponsibly pressed ahead: even under pressure to resolve the situation, Gigabyte decided to abandon the driver without releasing any patch.

This is where the "shared blame" comes in, with Verisign, which should have revoked the driver's certificate. "Verisign, whose signing mechanism was used to digitally sign the driver, has not revoked the certificate, and therefore the Authenticode signature remains valid," Sophos stressed, explaining why it is still possible today to load deprecated drivers affected by known vulnerabilities into Windows. The driver is therefore still in circulation and remains a threat.

It would not be surprising if this technique were adopted and customized by other individuals or hacker groups and added to their offensive arsenal. In any case, RobbinHood is not the only ransomware that uses tricks to disable or circumvent security products. Others include Snatch, which restarts the PC in Safe Mode so that the antivirus is disabled from the start, and Nemty, which stops the antivirus process using the taskkill utility.
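The step sequence Sophos describes (a signed-but-vulnerable GDRV.SYS load followed by the malicious RBNL.SYS) and the Nemty trick of killing the antivirus process with taskkill are both visible in driver-load and process-creation telemetry. The following is an added example, not code from Sophos or from this article: a small Python detector that scans constructed, Sysmon-style log records for those two patterns. The log format, the host names, the timestamps and the security-product process names (`msmpeng.exe` is Windows Defender's engine; `example_edr_agent.exe` is a placeholder) are assumptions made for the demonstration; only the driver file names come from the article.

```python
"""
Added detection example (not from the Sophos report or this article).
Scans constructed driver-load / process-creation records for:
  1. the BYOVD chain: GDRV.SYS (vulnerable, CVE-2018-19320) then RBNL.SYS
  2. taskkill aimed at a security product process (the Nemty trick)
"""
import re
from collections import defaultdict

# Driver names taken from the article. Everything else below is constructed.
VULNERABLE_DRIVERS = {"gdrv.sys"}
MALICIOUS_DRIVERS = {"rbnl.sys"}

# Assumption: illustrative security-product process names; replace with the
# names of the products actually deployed in your environment.
SECURITY_PROCESSES = {"msmpeng.exe", "example_edr_agent.exe"}

# Constructed record format (one record per line):
#   <timestamp> host=<name> event=<DriverLoad|ProcessCreate> image=<path> [cmdline=<text>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+) "
    r"image=(?P<image>\S+)(?: cmdline=(?P<cmdline>.*))?$"
)


def parse_line(line):
    """Parse one constructed record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the lower-cased file name so the path and case do not matter.
    rec["basename"] = rec["image"].rsplit("\\", 1)[-1].lower()
    return rec


def analyze(lines):
    """Return {host: [finding, ...]} in log order; hosts without findings are omitted."""
    findings = defaultdict(list)
    hosts_with_vulnerable_driver = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, name, event = rec["host"], rec["basename"], rec["event"]
        if event == "DriverLoad":
            if name in VULNERABLE_DRIVERS:
                hosts_with_vulnerable_driver.add(host)
                findings[host].append(f"vulnerable driver loaded: {name}")
            elif name in MALICIOUS_DRIVERS:
                # The malicious driver after the vulnerable one is the full chain
                # from the article; on its own it is still worth a finding.
                if host in hosts_with_vulnerable_driver:
                    findings[host].append(f"byovd chain: {name} loaded after vulnerable driver")
                else:
                    findings[host].append(f"unexpected driver loaded: {name}")
        elif event == "ProcessCreate" and name == "taskkill.exe":
            cmd = (rec["cmdline"] or "").lower()
            targets = sorted(p for p in SECURITY_PROCESSES if p in cmd)
            if targets:
                findings[host].append(f"taskkill against security process: {', '.join(targets)}")
    return dict(findings)


# Constructed sample telemetry for the demonstration (not real hosts or events).
SAMPLE_LOG = [
    "2020-02-07T10:00:01Z host=ws01 event=DriverLoad image=C:\\Windows\\System32\\drivers\\ntfs.sys",
    "2020-02-07T10:02:13Z host=ws01 event=DriverLoad image=C:\\Windows\\Temp\\GDRV.SYS",
    "2020-02-07T10:02:20Z host=ws01 event=DriverLoad image=C:\\Windows\\Temp\\RBNL.SYS",
    "2020-02-07T10:03:00Z host=ws02 event=ProcessCreate image=C:\\Windows\\System32\\taskkill.exe cmdline=taskkill /F /IM MsMpEng.exe",
    "2020-02-07T10:03:05Z host=ws03 event=ProcessCreate image=C:\\Windows\\System32\\taskkill.exe cmdline=taskkill /F /IM notepad.exe",
    "this line is not a valid record and is skipped",
]

if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(f"{host}: {item}")
```

The ordering matters: the detector only reports the full chain when RBNL.SYS loads on a host that has already loaded GDRV.SYS, which mirrors the step sequence above; a lone load of either file is still surfaced so that a split or partially observed chain is not missed. In a real deployment the file-name match should be backed by a hash or signer blocklist, since the article's point is that the Authenticode signature on the vulnerable driver remains valid.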

Even updated systems, properly protected and free of known vulnerabilities, can succumb to this problem. So what can be done to prevent it? Since the first step of the attack is to gain access to the network where the target system is located, it is imperative to take all the necessary precautions to stop attackers from achieving this aim. Here the "usual" security best practices apply: multi-factor authentication, complex passwords, limitation of access rights and so on. To limit the damage of a ransomware infection, the advice is to make regular backups and store them properly, preferably on a system disconnected from the rest of the network.
