{"id":14571,"date":"2025-08-06T12:11:31","date_gmt":"2025-08-06T12:11:31","guid":{"rendered":"https:\/\/newestek.com\/?p=14571"},"modified":"2025-08-06T12:11:31","modified_gmt":"2025-08-06T12:11:31","slug":"akira-affiliates-abuse-legitimate-windows-drivers-to-evade-detection-in-sonicwall-attacks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14571","title":{"rendered":"Akira affiliates abuse legitimate Windows drivers to evade detection in SonicWall attacks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Threat researchers at GuidePoint Security have uncovered Akira affiliates abusing legitimate Windows drivers in a previously unreported tactic, even as the ransomware strain intensifies its targeting of SonicWall firewalls.<\/p>\n<p>According to GuidePoint\u2019s threat intelligence consultant Jason Baker, Akira attackers were found hijacking two common Windows drivers as kernel-level tools to evade antivirus and EDR systems.<\/p>\n<p>\u201cWe have observed Akira affiliates exploiting two common drivers as part of a suspected AV\/EDR evasion effort following initial access involving SonicWall abuse,\u201d Baker said in a blog post. 
\u201cThis high-fidelity indicator can be used for proactive detection and retroactive threat hunting.\u201d<\/p>\n<p>Baker\u2019s blog came just hours after SonicWall confirmed on Monday that it is experiencing a notable increase in cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled.<\/p>\n<p>SonicWall <a href=\"https:\/\/www.sonicwall.com\/support\/notices\/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity\/250804095336430\">said<\/a> it is currently investigating the infection vector and recommended that its customers disable SSLVPN, which is no small ask given that SSLVPN is a core remote-access method for its customers.<\/p>\n<p>Satnam Narang, senior staff research engineer at Tenable, explained the implications. \u201cVPNs are a requirement for many organizations for their employees to access the corporate network, so expecting every customer to disable the service is not viable, but it is the only current way to halt the malicious activity against these devices,\u201d he said. \u201cWhile the list of additional security actions organizations can take is valuable in lieu of disabling the VPN, it is highly advised that organizations initiate an incident response to determine their exposure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Windows drivers abused in BYOVD attacks<\/h2>\n<p>GuidePoint reports that two Windows drivers, \u201crwdrv.sys\u201d and \u201chlpdrv.sys,\u201d are being co-opted by attackers as part of a bring-your-own-vulnerable-driver (BYOVD) strategy. 
rwdrv.sys is the legitimate kernel driver used by the ThrottleStop CPU tuning utility, while hlpdrv.sys is a malicious driver that sets Windows Defender\u2019s \u201cDisableAntiSpyware\u201d registry value.<\/p>\n<p>Both drivers are registered and started as services: rwdrv.sys is likely used to elevate privileges to kernel mode, which in turn enables loading of the malicious hlpdrv.sys, which turns off Defender\u2019s anti-spyware protection by modifying the registry through \u201cregedit.exe.\u201d<\/p>\n<p>\u201cWe are flagging this behavior because of its ubiquity in recent Akira ransomware IR cases,\u201d Baker <a href=\"https:\/\/www.guidepointsecurity.com\/blog\/gritrep-akira-sonicwall\/\">said<\/a>, adding that GuidePoint is providing a YARA rule that \u201ccan help facilitate detection of the malicious hlpdrv.sys driver based on associated strings, conditions, and imports.\u201d<\/p>\n<p>He added that traces of this abuse date back to at least July 15, the day the SonicWall attacks reportedly started. GuidePoint has published the YARA rule along with a list of indicators of compromise (IOCs) so that administrators can set up detection and hunt retroactively for earlier compromise.<\/p>\n<h2 class=\"wp-block-heading\" id=\"reports-hint-at-sonicwall-zero-day\">Reports hint at SonicWall \u2018zero-day\u2019<\/h2>\n<p>While SonicWall\u2019s disclosure did not identify an infection vector and said it is still investigating initial access, reports that attackers may be exploiting a zero-day vulnerability have surfaced.<\/p>\n<p>\u201cWhile credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,\u201d said an Arctic Wolf <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn\/\">report<\/a>.<\/p>\n<p>The uptick in ransomware activity, beginning on July 15, appears distinct from a series of malicious VPN logins observed since October 2024, in which an access control flaw 
(CVE-2024-40766) was being <a href=\"https:\/\/www.csoonline.com\/article\/3592294\/patched-sonicwall-critical-vulnerability-still-used-in-several-ransomware-attacks.html\">exploited<\/a> by Fog and Akira ransomware affiliates.<\/p>\n<p>Making a stronger case for zero-day abuse, Arctic Wolf said, \u201cIn some instances, fully patched SonicWall devices were affected following credential rotation.\u201d Some accounts were also compromised despite TOTP MFA being enabled, it added.<\/p>\n<p>In both the 2024 and the current wave, Arctic Wolf confirmed, only a short interval was observed between initial SSLVPN account access and ransomware encryption.<\/p>\n<p>SonicWall did not immediately respond to CSO\u2019s request for comment, but had addressed the \u2018zero-day\u2019 reports in the disclosure, stating it is \u201ccommitted to releasing updated firmware and instructions promptly if a new vulnerability is confirmed.\u201d Earlier this year, SonicWall informed customers of a high-severity bug (tracked as CVE-2024-53704) affecting SSLVPN services that allowed authentication bypass by remote attackers. Apart from disabling SSLVPN services where practical, users are advised to limit SSLVPN connectivity to trusted source IPs, enable Botnet Protection, Geo-IP Filtering, and other security services, enforce MFA, and remove unused accounts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Threat researchers at GuidePoint Security have uncovered Akira affiliates abusing legitimate Windows drivers in a previously unreported tactic, even as the ransomware strain intensifies its targeting of SonicWall firewalls. According to GuidePoint\u2019s threat intelligence consultant Jason Baker, Akira attackers were found hijacking two common Windows drivers as kernel-level tools to evade antivirus and EDR systems. 
\u201cWe have observed Akira affiliates exploiting two common drivers as&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14571\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14571","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14571"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14571\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}