Hackers using the well-known RobbinHood malware have decided to exploit a security vulnerability in a Gigabyte motherboard driver.
The aim is to disable anti-virus protection on the targeted endpoints.
It will be remembered that by the end of 2019 the U.S. city of Baltimore had been taken over by a ransomware program called RobbinHood. Its notoriety does not rest only on the attack on Baltimore, Maryland: the city of Greenville, North Carolina, fell victim to the same malware. Researchers at the cybersecurity firm Sophos, after studying the malware, have described some of its peculiarities. The attackers rely mainly on a security flaw (CVE-2018-19320) that was discovered in 2018.
The vulnerability in question lies in a Gigabyte motherboard driver. The vendor has since stopped shipping the vulnerable driver. However, "it still exists and apparently remains a threat," Sophos experts said: "Verisign, whose code-signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode certificate remains valid."
Moreover, the Taiwanese vendor Gigabyte is not the only manufacturer whose products are exposed to this kind of flaw. Similar weaknesses have been found in several other drivers that do not come from Gigabyte, abused through various strategies used by attackers: VirtualBox for CVE-2008-3431, ASUS for CVE-2018-18537 and CPU-Z for CVE-2017-15302.
Setting up the RobbinHood program consists, for the attackers, in using the vulnerability found in the motherboard driver to disrupt the normal functioning of the system by killing the processes and tasks linked to the endpoint security products, so that the RobbinHood ransomware can then operate. The researchers explain: "This is the first time we have observed ransomware shipping a signed but vulnerable driver in order to load an unsigned malicious driver into the Windows kernel and remove security applications from kernel space (…). The attackers use several files for this attack, extracted to the C:\WINDOWS\TEMP directory: the STEEL.EXE application, which kills the processes and files of security products using Windows kernel drivers; ROBNR.EXE, which deploys an unsigned driver; GDRV.SYS, an Authenticode-signed driver whose validity date has passed but which contains a vulnerability; and RBNL.SYS, the malicious driver that kills processes and deletes files from kernel memory."
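The chain described above (a signed but vulnerable driver dropped into C:\WINDOWS\TEMP, followed by an unsigned driver loaded from the same directory) is easy to spot in driver-load telemetry. The following detection sketch is an added example and not code from Sophos or from the article; it parses constructed Sysmon-style "driver loaded" records (field names modelled on Sysmon Event ID 6: UtcTime, ImageLoaded, Signed, Signature, SignatureStatus; all values are made up for the example) and flags loads of a driver name taken from the article (GDRV.SYS), loads from the staging directory, unsigned loads, and the two-step sequence as a whole.

```python
"""Detection sketch for the RobbinHood driver-abuse chain.

Added example, not Sophos's or the article's code. Field names follow
Sysmon Event ID 6 (driver loaded); every log value below is constructed.
"""
import re
from dataclasses import dataclass

# Vulnerable driver named in the article. Hashes are not on the page, so the
# watchlist matches on file name only (a real deployment would use hashes).
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}
# Staging directory named in the article; matched case-insensitively.
STAGING_DIRS = (r"c:\windows\temp",)

# Constructed sample telemetry: a benign Microsoft driver, then the two loads
# the article describes (signed GDRV.SYS, then unsigned RBNL.SYS).
SAMPLE_EVENTS = [
    'UtcTime="2020-02-07 10:00:01" ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" '
    'Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'UtcTime="2020-02-07 10:02:14" ImageLoaded="C:\\WINDOWS\\TEMP\\GDRV.SYS" '
    'Signed=true Signature="Vendor Signer (constructed)" SignatureStatus=Valid',
    'UtcTime="2020-02-07 10:02:15" ImageLoaded="C:\\WINDOWS\\TEMP\\RBNL.SYS" '
    'Signed=false Signature="" SignatureStatus=Unavailable',
]


@dataclass
class DriverLoad:
    time: str
    image: str
    signed: bool
    signature: str
    status: str


# key=value pairs; quoted values may contain spaces and backslashes.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> DriverLoad:
    """Turn one key=value record into a DriverLoad."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return DriverLoad(
        time=fields["UtcTime"],
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
    )


def classify(ev: DriverLoad) -> list:
    """Return the list of indicators a single driver load triggers."""
    directory, _, name = ev.image.rpartition("\\")
    name, directory = name.lower(), directory.lower()
    findings = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        findings.append("known-vulnerable-driver")
    if directory.startswith(STAGING_DIRS):
        findings.append("driver-from-temp")
    if not ev.signed:
        findings.append("unsigned-driver")
    return findings


def detect_chain(lines):
    """Scan records in order.

    Returns (alerts, chain_detected): alerts is a list of
    (time, image, findings) for every suspicious load; chain_detected is True
    once a known vulnerable driver load has been followed by an unsigned
    driver load from a staging directory, i.e. the sequence in the article.
    """
    alerts, seen_vulnerable, chain = [], False, False
    for line in lines:
        ev = parse_event(line)
        findings = classify(ev)
        if findings:
            alerts.append((ev.time, ev.image, findings))
        if "known-vulnerable-driver" in findings:
            seen_vulnerable = True
        if seen_vulnerable and "unsigned-driver" in findings and "driver-from-temp" in findings:
            chain = True
    return alerts, chain


if __name__ == "__main__":
    found, chain_hit = detect_chain(SAMPLE_EVENTS)
    for time, image, findings in found:
        print(f"{time} {image}: {', '.join(findings)}")
    print("vulnerable-driver chain detected:", chain_hit)
```

The sequence check matters more than the individual indicators: a signed Gigabyte driver on its own may be legitimate, and an unsigned driver load alone is only possible once kernel signature enforcement has already been bypassed, so the pair, in order, from the same temporary directory is the signal to alert on.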
Faced with this procedure, in which the malware hijacks the protection system so as to compromise the entire network, Sophos experts give some recommendations for avoiding the problem posed by RobbinHood:
1 – Include the public cloud in your IT security strategy, while avoiding concentrating cybersecurity on a single approach.
2 – Implement multi-factor authentication together with sufficiently complex passwords.
3 – Limit access to what is strictly necessary.
4 – Keep offline backups of all data.
5 – Raise awareness among all staff and users with access to the information system.