Observed Malicious Driver Use Associated with Akira SonicWall Campaign

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

Akira affiliates have been observed loading two drivers, rwdrv.sys and hlpdrv.sys, as part of a suspected AV/EDR evasion effort following initial access that involved SonicWall abuse. The drivers are used to evade or disable AV/EDR products through a Bring Your Own Vulnerable Driver (BYOVD) chain, and this behaviour has been prevalent in recent Akira ransomware incident response cases. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs; this is suspected but not confirmed. Defenders are advised to harden SonicWall VPNs, apply the recommended mitigations, and use the YARA rules accompanying the report to detect and respond to this pre-ransomware activity.
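The practical detection point for a BYOVD chain is the driver load itself: a vulnerable driver is usually validly signed, so signature checks alone will not catch it, and the file name plus the load path are what an analyst triages first. The following added example (written for this page, not code from the original report or from any vendor tooling) runs that triage over constructed Sysmon Event ID 6 (DriverLoad) records rendered as "Key: Value" text. The driver names rwdrv.sys and hlpdrv.sys come from the summary above; the sample events, paths and hash strings are constructed, and the trusted-directory list is an assumption you should adjust to your environment.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Hypothetical detection helper written for this page; it is not code from
the original report. The driver names below are the ones the report names;
everything in SAMPLE_EVENTS (paths, hashes, GUIDs) is constructed.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Driver file names the report associates with Akira affiliates' AV/EDR evasion.
KNOWN_BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Directories from which drivers are normally installed on Windows.
# A .sys load from ProgramData, Temp or a user profile is worth a look
# regardless of its name. (Assumption: adjust for your estate.)
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Constructed sample records, in the "Key: Value" layout Event Viewer renders.
SAMPLE_EVENTS = """
EventId: 6
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256=constructed-sample-hash-0
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventId: 6
ImageLoaded: C:\\ProgramData\\rwdrv.sys
Hashes: SHA256=constructed-sample-hash-1
Signed: true
Signature: constructed-third-party-publisher
SignatureStatus: Valid

EventId: 6
ImageLoaded: C:\\Users\\Public\\hlpdrv.sys
Hashes: SHA256=constructed-sample-hash-2
Signed: false
Signature: -
SignatureStatus: Unavailable

EventId: 1
Image: C:\\Windows\\System32\\cmd.exe
"""


@dataclass
class Finding:
    name: str
    image: str
    hashes: str
    reasons: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Key: Value' blocks into one dict per event.

    Only the first ':' separates key from value, so 'C:\\...' paths survive.
    """
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def triage(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a DriverLoad event that matches any BYOVD heuristic."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    reasons: List[str] = []

    # Name match first: a BYOVD driver is typically validly signed, so this
    # check must not depend on the signature fields below.
    if name in KNOWN_BYOVD_DRIVERS:
        reasons.append(f"known Akira BYOVD driver name: {name}")
    if not any(directory.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from non-standard path: {directory}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")

    if not reasons:
        return None
    return Finding(name=name, image=image, hashes=event.get("Hashes", ""), reasons=reasons)


def triage_log(text: str) -> List[Finding]:
    """Triage every Event ID 6 record in the text; other event types are ignored."""
    findings: List[Finding] = []
    for event in parse_events(text):
        if event.get("EventId") != "6":
            continue
        finding = triage(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f.image, f.hashes)
        for r in f.reasons:
            print("  -", r)
```

On the sample data the signed tcpip.sys load is left alone, rwdrv.sys is flagged on name and path despite carrying a valid signature, and hlpdrv.sys is flagged on all three heuristics. Pair a name-based rule like this with hash-based blocking (for example the YARA rules the report provides) rather than relying on it alone, since the file name is the easiest indicator for an operator to change.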

OPENCTI LABELS :

vpn,ransomware,zero-day,byovd,akira,drivers,sonicwall,av/edr evasion



