Cybercrime group disables EDR software to launch RansomHub ransomware (SC Media)
A New EDR-Killing Tool Discovered in Ransomware Attack
A new utility designed to terminate endpoint detection and response (EDR) tools was observed being deployed by an undetermined criminal group in an attempt to attack an organization with RansomHub ransomware.
This news caused concern among security professionals because RansomHub was used in many prominent attacks, most notably Change Healthcare, Frontier Communications, and Christie’s auction house.
Sophos Researchers Discover EDRKillShifter
In an Aug. 14 blog post, Sophos researchers said the attackers attempted to use the EDR-killing tool, which Sophos dubbed “EDRKillShifter,” to terminate Sophos protection on a targeted computer, but failed.
The researchers said they discovered EDRKillShifter in a post-mortem analysis. They also pointed out that since 2022 they have seen an increase in the sophistication of malware designed to disable EDR systems. Sophos said it previously published research on AuKill, an EDR-killer tool its team discovered last year that was being sold on criminal marketplaces.
Sophistication of the Criminal Group
Craig Jones, vice president of security operations at Ontinue, said from what he can gather, the cybercriminal group behind this operation remains unidentified, but its use of RansomHub suggests they’re experienced and determined. Jones added that the fact that they’re employing this new tool and designed it specifically to disable EDR software is a clear indicator of their sophistication.
Jones explained that EDRKillShifter fits into a broader category of tools known as Bring Your Own Vulnerable Driver (BYOVD). In BYOVD, an attacker leverages a legitimately signed, but vulnerable driver to undermine security mechanisms.
Jones said essentially they tried to take advantage of a flaw in an existing driver, one that was already trusted by the system, to shut down the EDR software without raising red flags. In 2022, the Lazarus Group exploited a flaw in a Dell driver in a similar fashion, highlighting the effectiveness and danger of this technique.
The Danger of EDR Disabling
“The danger here is significant,” said Jones. “Once EDR is out of the picture, these attackers can operate on compromised systems with much less risk of being detected, giving them a wider window to deploy ransomware or other malicious payloads.”
Evan Dornbush, a former NSA cybersecurity expert, explained that many EDR tools operate from a special context within the operating system that gives them near total observability into processes using file or network resources accessible to the system. As a result, Dornbush said programs operating from a lesser context cannot typically interfere with these EDR products. However, drivers often operate with permissions that would make it feasible to interfere with EDR products.
“So one technique an adversary can take is to exploit a driver and then assume those permissions, making direct access to the EDR achievable,” said Dornbush. “From a tactical level, an adversary operating from a lower context can install a known-vulnerable driver to the Windows operating system and then exploit it to assume greater access on par with the EDR.”
Importance of Tight Controls on Drivers
John Bambenek, president at Bambenek Consulting, pointed out that because the tool was sold on the dark web, presumably other groups can purchase it as well.
“Threat actors trying to kill EDR agents on systems before going further in their chain of attacks is not news,” said Bambenek. “However, security teams should keep tight controls on drivers being installed to avoid this tool.”
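The BYOVD pattern Jones describes and the driver controls Bambenek recommends both come down to watching what drivers get loaded. The following triage routine is an added example, not code from the article, Sophos or any vendor: it scores driver-load records shaped like Sysmon Event ID 6 (DriverLoad) fields against three defender-side checks. The blocklist hashes, expected directories and sample records are constructed placeholders.

```python
# Added example (not from the SC Media article or Sophos): flag driver-load
# events that look like a Bring Your Own Vulnerable Driver (BYOVD) drop.
# Field names mirror Sysmon Event ID 6; all values below are constructed.
from typing import Dict, List, Tuple

# Placeholder hashes. A real deployment would load this set from a maintained
# source such as Microsoft's recommended driver block rules.
BLOCKED_SHA256 = {"placeholder-blocked-driver-0001"}

# Assumption: legitimate drivers in this environment load only from here.
EXPECTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed Sysmon-style records
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=placeholder-known-good-00aa",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\Temp\\helper.sys",
     "Hashes": "SHA256=placeholder-blocked-driver-0001",
     "Signed": "true", "Signature": "Example Vendor Inc.", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\ProgramData\\svc\\drv.sys",
     "Hashes": "SHA256=placeholder-unknown-00bb",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

def sha256_of(hashes_field: str) -> str:
    """Pull the SHA256 value out of a Sysmon 'Hashes' field ('MD5=..,SHA256=..')."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def triage_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) this DriverLoad event deserves review."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    if sha256_of(event.get("Hashes", "")) in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    # A valid signature is necessary but not sufficient: BYOVD abuses drivers
    # that are legitimately signed yet exploitable, hence the blocklist above.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or signature not valid")
    if not path.startswith(EXPECTED_DIRS):
        reasons.append("loaded from outside expected driver directories")
    return reasons

def triage_all(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every event that tripped at least one check."""
    return [(e["ImageLoaded"], r) for e in events if (r := triage_driver_load(e))]
```

The second sample record is the case the article warns about: a validly signed driver that only the blocklist and its odd load path give away.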
SDGs, Targets, and Indicators
SDGs | Targets | Indicators
---|---|---
SDG 16: Peace, Justice, and Strong Institutions | Target 16.1: Significantly reduce all forms of violence and related death rates everywhere | Indicator not mentioned in the article |
SDG 16: Peace, Justice, and Strong Institutions | Target 16.3: Promote the rule of law at the national and international levels and ensure equal access to justice for all | Indicator not mentioned in the article |
SDG 16: Peace, Justice, and Strong Institutions | Target 16.5: Substantially reduce corruption and bribery in all their forms | Indicator not mentioned in the article |
SDG 16: Peace, Justice, and Strong Institutions | Target 16.10: Ensure public access to information and protect fundamental freedoms, in accordance with national legislation and international agreements | Indicator not mentioned in the article |
SDG 9: Industry, Innovation, and Infrastructure | Target 9.3: Increase the access of small-scale industrial and other enterprises to financial services, including affordable credit, and their integration into value chains and markets | Indicator not mentioned in the article |
SDG 9: Industry, Innovation, and Infrastructure | Target 9.5: Enhance scientific research, upgrade the technological capabilities of industrial sectors in all countries, in particular developing countries, including, by 2030, encouraging innovation and substantially increasing the number of research and development workers per 1 million people and public and private research and development spending | Indicator not mentioned in the article |
SDG 9: Industry, Innovation, and Infrastructure | Target 9.c: Significantly increase access to information and communications technology and strive to provide universal and affordable access to the Internet in least developed countries by 2020 | Indicator not mentioned in the article |
SDG 3: Good Health and Well-being | Target 3.4: By 2030, reduce by one-third premature mortality from non-communicable diseases through prevention and treatment and promote mental health and well-being | Indicator not mentioned in the article |
SDG 3: Good Health and Well-being | Target 3.5: Strengthen the prevention and treatment of substance abuse, including narcotic drug abuse and harmful use of alcohol | Indicator not mentioned in the article |
SDG 3: Good Health and Well-being | Target 3.6: By 2020, halve the number of global deaths and injuries from road traffic accidents | Indicator not mentioned in the article |
SDG 3: Good Health and Well-being | Target 3.9: By 2030, substantially reduce the number of deaths and illnesses from hazardous chemicals and air, water, and soil pollution and contamination | Indicator not mentioned in the article |
SDG 3: Good Health and Well-being | Target 3.b: Support the research and development of vaccines and medicines for the communicable and non-communicable diseases that primarily affect developing countries, provide access to affordable essential medicines and vaccines, in accordance with the Doha Declaration on the TRIPS Agreement and Public Health, which affirms the right of developing countries to use to the full the provisions in the Agreement on Trade-Related Aspects of Intellectual Property Rights regarding flexibilities to protect public health, and, in particular, provide access to medicines for all | Indicator not mentioned in the article |
SDG 16: Peace, Justice, and Strong Institutions | Target 16.7: Ensure responsive, inclusive, participatory, and representative decision-making at all levels | Indicator not mentioned in the article |
Source: scmagazine.com