Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain. This behavior has been prevalent in recent Akira ransomware incident response cases. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs. Defenders are advised to harden SonicWall VPNs, implement recommended mitigations, and use provided YARA rules for detection and response to pre-ransomware activity. Author: AlienVault
Related Tags:
drivers
T1078.004
T1547.006
sonicwall
T1078.003
T1078.001
T1078.002
BYOVD
Zero-Day
Associated Indicators:
null