EDR-killing malware linked to RansomHub discovered in the wild • The Register

In brief: Malware that destroys Endpoint Detection and Response (EDR) software has already been discovered in the wild. Given that RansomHub is using it, this malware could soon become widespread.

Discovered by Sophos analysts after a failed attack and dubbed EDRKillShifter, the malware abuses legitimate but vulnerable drivers on Windows computers to disable EDR so that ransomware can be deployed on targets.

Both variants examined by Sophos analysts abuse known vulnerable drivers with publicly available proofs of concept. Their ultimate goal is to disable endpoint detection and response software and leave the victim's computer unprotected. Exploiting publicly known driver vulnerabilities is a common tactic among EDR-killing malware, Sophos says.

Its use by RansomHub – which emerged earlier this year and has quickly become one of the most widely used ransomware operations – suggests that EDRKillShifter is already on the verge of becoming a serious threat. However, a look inside the malware shows that it is not as dangerous as it first appears, provided the appropriate precautions are taken.

Sophos' investigation does not mention the access path for attackers using EDRKillShifter, but notes that “this attack is only possible if the attacker escalates the privileges they control or gains administrative privileges.”

Once an attacker has the necessary permissions, they must run the malware from the command line and supply a password to launch it. At this point, things get a little more complicated – EDRKillShifter obfuscates its activity using self-modifying code and deploys one of several different EDR killers written in Go, which are also obfuscated.

If EDRKillShifter's initial attempts to establish itself in memory succeed, it deploys one of two payloads that create a new service for the vulnerable driver and run it in an infinite loop that terminates every process on its target list.

Because an attacker must first gain access to the target computer with elevated privileges before running EDRKillShifter and deploying ransomware, Sophos recommends good Windows security role hygiene as the best prevention. This means clearly separating user and administrator accounts, ensuring that EDR software tamper protection is enabled, and keeping systems and drivers up to date.

Still, given its close connection to such widespread ransomware, it's a good idea to keep an eye on this threat.

Critical vulnerabilities of the week: SolarWinds again?

Since we're just coming off a Patch Tuesday week, we can't report many vulnerabilities that haven't already been covered.

However, there was one major flaw in the form of a SolarWinds vulnerability (CVE-2024-28986), which the enterprise software vendor disclosed last week and which is now believed to be actively exploited.

The critical vulnerability, with a CVSS score of 9.8, affects SolarWinds Web Help Desk. It is a Java deserialization remote code execution flaw that, if exploited, allows an attacker to execute commands on the host machine.

“Although this is an unauthenticated vulnerability, after thorough testing, SolarWinds was unable to reproduce it without authentication,” the vendor explained. “However, out of an abundance of caution, we recommend that all Web Help Desk customers install the patch, which is now available.”

Public NetSuite sites can lose data

Organizations running NetSuite SuiteCommerce or SiteBuilder are urged to review their setups, as thousands of external-facing websites have been found to be exploitable in a way that leaks customer personal data.

Aaron Costello, head of SaaS security research at AppOmni, wrote in a blog post last week that poor access control configuration, combined with misuse of the record and search APIs, allows an unauthenticated user to extract data.

There are several limitations here – for example, the attacker needs to know which custom record types (CRTs) are in use – but the advice remains the same: review your NetSuite setups, tighten access controls for CRTs, and lock down these publicly accessible sites.

“I would strongly recommend that administrators start by evaluating field-level access controls and determining which fields, if any, need to be unlocked,” Costello added.

Ransomware miners strike gold (mining company)

An Australian gold mining company has admitted to being the victim of a ransomware attack, but has revealed little information other than confirming the incident.

Evolution Mining issued a notice [PDF] about the incident last week, stating that it was believed to be contained and that no significant impact on operations was expected.

“The incident was handled proactively with a focus on protecting the health, safety and privacy of people as well as the company’s systems and data,” noted Evolution.

Other than mentioning that the company's IT systems were affected, no details were provided.

Evolution's disclosure is far less detailed than that of an attack on another Australian mining operation in March. Northern Minerals Limited suffered a “cyber incident” that resulted in the theft of its employees' personal data, including scans of their passports.

During the Northern Minerals attack, research and mining project data and other company details were also stolen and published online by the BianLian ransomware gang in June.

Half a million patient records from an Idaho-based healthcare company were stolen

Idaho-based Kootenai Health has admitted to an unspecified incident in late February in which the personal information of nearly half a million patients was stolen.

Kootenai wrote in a letter to the victims that names, dates of birth, Social Security and identification documents, and medical data may have been stolen – but made no mention of ransomware.

However, several sources have reported that the 3AM ransomware gang is behind the attack. The Russian-speaking 3AM crew, which first appeared last year, reportedly published around 22GB of data stolen from Kootenai on their leak site.

If you work in the healthcare industry, consider this another warning to keep your systems up to date and your defenders on high alert.

Five malware variants that caused a stir in the second quarter

ReliaQuest has published a list of five malware variants that it says had a major impact in the second quarter of 2024. Surprisingly, infostealers continue to be very popular.

The Windows infostealer LummaC2 topped the list after a quarter of significant growth, according to ReliaQuest: compared with the first quarter of 2024, mentions of LummaC2 on the Russian Market increased by 51.9 percent.

Next on the list are various Rust-based infostealers, which ReliaQuest says are becoming increasingly popular because Rust is fast, makes it easy to evade antivirus software, and works across platforms.

The SocGholish remote access trojan has long been a popular tool and remains so thanks to a new variant of its infection chain that uses Python to establish persistence, and AsyncRAT is also growing in popularity.

Bringing up the rear is the Oyster backdoor, which is distributed via websites that purport to host legitimate software but serve malware-infected copies. ReliaQuest found that Oyster – also known as Broomstick and CleanUpLoader – is associated with some of the largest Russian malware gangs, including Wizard Spider.

Make sure your security systems are protected against the various tricks these malware families use, as explained in the ReliaQuest report. ®