

Ethical Hacking News

Akira Ransomware Exploits CPU Tuning Tool to Disable Microsoft Defender: A Growing Concern for Cybersecurity



Akira ransomware has been exploiting a legitimate Intel CPU tuning driver to disable Microsoft Defender, highlighting the importance of keeping all software and drivers up-to-date. Recent attacks have been linked to SonicWall VPNs, and system administrators are advised to remain vigilant for signs of Akira-related activity until the situation is resolved.

  • Akira ransomware uses a legitimate Intel CPU tuning driver to disable Microsoft Defender.
  • The malicious tactic is known as "Bring Your Own Vulnerable Driver" (BYOVD).
  • The 'rwdrv.sys' driver, used by ThrottleStop, is registered as a service, allowing unauthorized access.
  • Akira ransomware manipulates the DisableAntiSpyware settings in Windows Defender registry to disable its protections.
  • Staying up-to-date with software and drivers, and being cautious when installing new programs, are crucial in preventing exploitation.
  • The abuse of this driver is part of a larger pattern of behavior by Akira ransomware.
  • SonicWall VPNs may be vulnerable to an unknown zero-day flaw, which can be exploited for Akira ransomware attacks.
  • Measures like disabling or restricting SSLVPN services and enforcing multi-factor authentication are temporary solutions.
  • Akira ransomware also uses Bumblebee malware loader delivered via trojanized MSI installers.
  • The use of such tactics underscores the importance of vigilance in cybersecurity.



Akira ransomware, a growing concern in the cybersecurity world, has been discovered abusing a legitimate Intel CPU tuning driver to disable Microsoft Defender on infected systems. This tactic, known as "Bring Your Own Vulnerable Driver" (BYOVD), lets threat actors load a signed driver with a known vulnerability or weakness to gain kernel-level access and then turn off Windows Defender's protections.

The abuse of the 'rwdrv.sys' driver, which is used by ThrottleStop, was observed by Guidepoint Security. The researchers noted that the driver is registered as a service, which gives the attackers' tooling unauthorized low-level access to the system. With that access, the malicious tool manipulates the DisableAntiSpyware setting in the Windows Defender registry, disabling Defender's ability to protect against the ransomware.
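As an added example (not from Guidepoint's report or this article), the following Python runs a defender-side check over a batch of constructed Windows event records for the two indicators the paragraph describes: a new service whose image is rwdrv.sys (System log event 7045, "a service was installed") and the Defender DisableAntiSpyware policy value being set to a non-zero DWORD (Sysmon Event ID 13, registry value set). The registry path under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and the event field names are assumed from standard Windows and Sysmon logging, not taken from the page.

```python
import re

# Constructed sample event records (not from the article or any real host), reduced
# to the fields the checks need: one service install of rwdrv.sys, one Sysmon
# registry value-set on Defender's DisableAntiSpyware policy, and one benign install.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "rwdrv",
     "ImagePath": "C:\\Users\\Public\\rwdrv.sys", "ServiceType": "kernel mode driver"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "ServiceType": "user mode service"},
]

# Driver named in the report; extend with other known-abusable drivers as needed.
SUSPECT_DRIVERS = {"rwdrv.sys"}
# Assumed standard policy path (suffix match so HKLM vs. \REGISTRY\MACHINE spellings both hit).
DEFENDER_POLICY_SUFFIX = r"\policies\microsoft\windows defender\disableantispyware"


def _basename(path):
    """Last path component, lower-cased, tolerating forward or back slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_defender_tampering(events):
    """Return (severity, reason) findings for BYOVD driver installs and Defender tamper."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        # 1. A service being installed whose image is a known abusable driver.
        if eid == 7045 and _basename(ev.get("ImagePath", "")) in SUSPECT_DRIVERS:
            findings.append(("high", f"service {ev.get('ServiceName')} loads {ev['ImagePath']}"))
        # 2. Defender's DisableAntiSpyware policy value set to anything non-zero.
        if eid == 13 and ev.get("TargetObject", "").lower().endswith(DEFENDER_POLICY_SUFFIX):
            m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
            if m and int(m.group(1), 16) != 0:
                findings.append(("high", f"DisableAntiSpyware set non-zero by {ev.get('Image')}"))
    return findings


if __name__ == "__main__":
    for severity, reason in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```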

The method Akira ransomware uses to disable Microsoft Defender via a CPU tuning driver highlights the importance of keeping all software and drivers up-to-date and of being cautious when installing new programs. Legitimate drivers with known vulnerabilities can give attackers a significant entry point, so it is essential to stay informed about the latest security patches and updates.

The abuse of this driver is not an isolated incident but part of a larger pattern of behavior by Akira ransomware. Recent attacks have been linked to SonicWall VPNs, which may be vulnerable to an unknown zero-day flaw. While Guidepoint Security could neither confirm nor debunk the presence of such a vulnerability, they did report repeated abuse of the 'rwdrv.sys' driver in Akira ransomware attacks since July 15, 2025.

In response to these concerns, SonicWall advised disabling or restricting SSLVPN services until the situation is resolved. They also recommended enforcing multi-factor authentication (MFA), enabling Botnet/Geo-IP protection, and removing unused accounts. While these measures may provide temporary relief, they do not address the underlying vulnerabilities that Akira ransomware exploits.

In addition to the driver abuse, researchers have identified another Akira tactic: the Bumblebee malware loader, delivered via trojanized MSI installers of IT software tools. The loader is launched via DLL sideloading and uses AdaptixC2 for persistent access, letting attackers conduct internal reconnaissance, create privileged accounts, and exfiltrate data with FileZilla while maintaining access via RustDesk and SSH tunnels.

After approximately 44 hours, the main Akira ransomware payload (locker.exe) is deployed to encrypt systems across domains. System administrators must remain vigilant for signs of Akira-related activity and apply filters and blocks as new indicators emerge from security research.

In light of these concerns, software should be downloaded only from official sites and mirrors, as impersonation sites have become a common source of malware, and administrators should monitor for Akira-related activity until the SonicWall VPN situation is clarified.

The report also highlights the importance of staying informed about emerging threats and vulnerabilities. Malware targeting password stores has tripled as attackers execute stealthy "Perfect Heist" scenarios, infiltrating and exploiting critical systems.

To better understand these tactics and improve defensive strategies, readers are encouraged to explore the Red Report 2025: Analyzing the Top ATT&CK Techniques Used by 93% of Malware. The report analyzes the top 10 MITRE ATT&CK techniques behind 93% of attacks and offers guidance on defending against them.



Related Information:

  • https://www.ethicalhackingnews.com/articles/Akira-Ransomware-Exploits-CPU-Tuning-Tool-to-Disable-Microsoft-Defender-A-Growing-Concern-for-Cybersecurity-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/akira-ransomware-abuses-cpu-tuning-tool-to-disable-microsoft-defender/


Published: Wed Aug 6 21:35:03 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.