Attackers are using a vulnerable driver from antivirus vendor Avast to disable antivirus software inside organizations and then deploy ransomware, Microsoft warns. The company therefore urges organizations to watch for virus scanners being switched off and to monitor for it.
In a blog post, Microsoft describes a Cuba ransomware attack on an unnamed organization to which the attackers had access for eight months before the ransomware was deployed. How they gained initial access could not be determined: the log files did not go back eight months, and the encrypted systems were reinstalled before analysis could take place.
The organization was running Microsoft Defender Antivirus, but the attackers managed to disable it via a vulnerable Avast driver. The technique is known as Bring Your Own Vulnerable Driver (BYOVD), sometimes shortened to Bring Your Own Driver. Because the driver carries a valid signature, Windows loads it like any other driver, and drivers run in kernel mode with full privileges on the system. A vulnerability in such a driver lets an attacker who already has administrator rights read and write kernel memory and execute code there, which is enough to kill or disable security software that is otherwise protected from user-mode tampering.
Earlier this year it was revealed that the attackers behind the AvosLocker ransomware use a vulnerable Avast driver in their attacks; according to Microsoft, the Cuba ransomware operators do the same. By disabling antivirus across the whole organization, they were able to roll out the ransomware without being blocked.
Organizations should therefore monitor for, and respond to, antivirus software being disabled, Microsoft said. It also recommends enabling Defender's tamper protection so that attackers cannot simply turn the virus scanner off. Microsoft additionally maintains a blocklist of vulnerable drivers for Windows 10, but it recently turned out that this list had not been automatically updated for at least three years because of an error on Microsoft's side, so organizations should check that the blocklist is actually current and enforced on their systems.
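The following PowerShell script is an added example, not code from Microsoft's blog post or from the article, that turns the advice above into on-host checks: it reports whether tamper protection is on, pulls Defender's own "protection disabled" events, lists running third-party kernel drivers with their signers (the BYOVD pattern from the attack described above), and looks for Code Integrity events that show the driver blocklist actually blocking something. The driver name in $SuspectDrivers is a placeholder (an assumption, not a real indicator); the event IDs are the standard ones in Defender's and Code Integrity's operational logs. Run it in an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender.

```powershell
# Added example (not from the Microsoft blog post or the article).
# Run elevated on a Windows 10/11 host with Microsoft Defender Antivirus.
# $SuspectDrivers holds a placeholder name (assumption); replace it with file
# names from Microsoft's vulnerable driver blocklist or your own hunt list.
$SuspectDrivers = @('placeholder-vulnerable-driver.sys')

# 1. Current Defender state. IsTamperProtected = False means a local admin (or
#    an attacker with admin rights) can switch real-time protection off with a
#    single Set-MpPreference call.
$status = Get-MpComputerStatus
[PSCustomObject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
} | Format-List

if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is OFF. Turn it on via the Windows Security app, Intune or Defender for Endpoint; it cannot be enabled with Set-MpPreference.'
}

# 2. Defender logs it when protection is switched off:
#    5001 = real-time protection disabled, 5010 = malware scanning disabled,
#    5012 = virus scanning disabled, 5007 = configuration changed (e.g. exclusions).
#    A burst of these across many hosts is the pattern that precedes a ransomware rollout.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 3. Running kernel drivers outside System32\drivers, or on the suspect list.
#    A BYOVD attack needs its driver on disk and loaded as a service, so this is
#    where the dropped driver shows up. Note that the driver will usually be
#    validly signed: the signer column tells you whose driver it is, not whether
#    it is safe, which is exactly why the blocklist exists.
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
    Where-Object {
        $_.PathName -and
        ($_.PathName -notmatch '\\Windows\\System32\\drivers\\' -or
         ($SuspectDrivers -contains (Split-Path $_.PathName -Leaf)))
    } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name      = $_.Name
            Path      = $path
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
        }
    } |
    Format-Table -AutoSize

# 4. If the vulnerable driver blocklist (a WDAC policy) is enforced, a blocked
#    load appears as Code Integrity event 3077 (3076 when the policy is in audit mode).
#    No such events ever, on a fleet that loads third-party drivers, is worth
#    verifying against the blocklist version actually installed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

The script is a per-host spot check; the events in steps 2 and 4 are the ones to forward to a SIEM and alert on fleet-wide, since the attack described above only works once Defender has been switched off on many machines at once.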