According to research by Sophos, a leading software security firm, a ransomware called "RobbinHood" has been making use of legitimate, but vulnerable, Gigabyte drivers to infect computer systems and take them over.
The attack works on Windows 7 and newer operating systems (OSes). Gigabyte had previously dismissed the claims that its driver was vulnerable to the flaw that the ransomware group is now exploiting, according to Sophos.
Gigabyte shares part of the blame for initially dismissing the vulnerability in 2018, when security researchers first reported it to the company. The public eventually put enough pressure on Gigabyte that it acknowledged the flaw.
However, instead of releasing a patch to fix the vulnerability for its older motherboards, the company discontinued support for that driver. This poor judgement on Gigatebyte’s part has now allowed attackers to weaponize its unpatched driver.
Another party responsible, Sophos said, is Verisign. Two years after Gigabyte discontinued its driver, it's still “trusted” by the Windows OS and many antivirus programs by default due to Verisign failing to revoke its signing certificate. This has allowed attackers to take advantage of the trusted driver to install another unsigned driver on the victims' machines.
After, the attackers would use this new driver first patch the Windows kernel in-memory and kill antivirus programs and other endpoint security solutions that would prevent the ransomware from taking over the machine.
Sophos researchers said that even though they’ve seen other ransomware try to kill antivirus programs before, they’ve never seen one where the ransomware uses a trusted third-party driver to achieve that.
Most security solutions have some kind of “trusted programs” list enabled by default on all installations. This is a compromise security companies have made in order to end a large amount of false positives and avoid having too many users block programs because they didn’t understand what the antivirus was asking them to do.
However, chances are that as other avenues to exploit the Windows OS close, malware makers will start to explore additional ways to use that trusted programs list in their favor. If they can trick antivirus programs to believe that their malware is one of the trusted programs in that list, then they later can get almost free reign on a user’s machine.Mitigation Against This Attack
As the RobbinHood ransomware has shown us, even if your OS is fully patched, a hacker can still leverage other techniques to bring vulnerabilities to your computer.
Sophos recommends not relying on a single program to keep you safe, while also adopting other security best practice, such as using OS accounts with limited access rights by default, making regular backups, using multi-factor authentication.
All Windows PC are vulnerable to this. There's nothing you can do to secure your system, other than not running the executable.
Thank you for the reply. But one thing doesn't make sense, that is if all the information in the article is correct. It states that Gigabyte stopped supporting that driver instead of patching it. So did they keep using it without blocking a hacker? The way it's written, my first thought is they came out with a new driver. If Gigabyte is still using the flawed driver, quit supporting it, and didn't issue a patch, then in my eyes, they are complicit with the hackers.
GIGABYTE App Center (v1.05.21 and below)
AORUS Graphics Engine (v1.33 and below)
XTREME Engine utility (v1.25 and earlier)
OC Guru II (v2.08)
This gives the false impression that there is nothing you can do when in reality, it is a few applications that no one uses.
The vulnerability can't be eliminated by a patch. The crooks will just continue to bundle the vulnerable version of the driver. To stop the OS from trusting the driver, the key used to sign it has to be revoked. But that would render other drivers signed with the same key unusable as well.
You're missing the point. In a ransomeware scenario, the victim is tricked into downloading and running the malware. The vulnerable driver doesn't need to be present prior to the attack. The malware itself can install it. Windows will ask for permission but the mildly worded warning won't defer people.