Tag Archive for: EDR

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack


Apr 24, 2023Ravie LakshmananEndpoint Security / BYOVD

Ransomware Hackers

Threat actors are employing a previously undocumented “defense evasion tool” dubbed AuKill that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.

“The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system,” Sophos researcher Andreas Klopsch said in a report published last week.

Incidents analyzed by the cybersecurity firm show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp.

The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms.

By using legitimate, exploitable drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.

“The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges,” Sophos researchers noted. “The threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means.”

This is not the first time the Microsoft-signed Process Explorer driver has been weaponized in attacks. In November 2022, Sophos also detailed LockBit affiliates’ use of an open source tool called Backstab that abused outdated versions of the driver to terminate protected anti-malware processes.

Then earlier this year, a malvertising campaign was spotted utilizing the same driver to distribute a .NET loader named MalVirt to deploy the FormBook information-stealing malware.

The development comes as the AhnLab Security Emergency response Center (ASEC) revealed that poorly managed…

Source…

EDR: Endpoint Detection and Response


Endpoint detection and response (EDR) is a security analysis approach that focuses on detecting, analyzing, and responding to malicious activity on endpoints, such as laptops, servers, and mobile devices. It involves continuously monitoring endpoint activity for signs of potential threats, and then using that information to identify, investigate, and respond to those threats in real time.

EDR originated in the early 2010s as a way to address the growing complexity and volume of cyber threats faced by organizations. With the proliferation of cloud computing, mobile devices, and the Internet of Things (IoT), traditional security approaches were no longer sufficient to protect against the full range of threats facing organizations. EDR was developed as a way to provide more visibility and control over endpoint activity, and to enable organizations to respond more quickly to potential threats.

Threat hunters can leverage EDR to identify and investigate potential threats by analyzing endpoint data in real time. This includes analyzing network traffic, process execution, and other endpoint activity for signs of malicious behavior. EDR can also be used to detect and respond to threats that have already infiltrated an organization’s systems, by providing the visibility and context needed to understand the extent of the compromise and take appropriate action. Overall, EDR is an important tool for threat hunters because it provides the real-time visibility and context needed to identify and respond to potential threats, and to continuously improve an organization’s security posture.

The post EDR: Endpoint Detection and Response appeared first on Cyborg Security.

*** This is a Security Bloggers Network syndicated blog from Cyborg Security authored by Cyborg Security. Read the original post at: https://www.cyborgsecurity.com/glossary/edr-endpoint-detection-and-response/

Source…

Fileless Ransomware: Powershell Netwalker



Bitdefender vs Kaspersky: Ransomware Test