A new hacker group that disables security solutions when attacking organizations has appeared in Russia, cybersecurity companies told Izvestia. The attackers get into the corporate network through a vulnerability in software used for remote computer control and then load malware. Many companies, experts pointed out, have carried this exposure since the remote-work period of the coronavirus pandemic. And through it, it turns out, almost any antivirus can be disabled. Details are in this Izvestia article.

What method the hackers use

Experts at the Solar 4RAYS Cyber Threat Research Center (Solar Group) have discovered a new cyber group that disables security solutions when attacking Russian companies. The investigation found that the attackers entered corporate networks through a vulnerability in DameWare Mini Remote Control, software used for remote computer control. On individual systems in the infrastructure, the DameWare port had remained reachable from the external network ever since the pandemic.

The company said it had identified several attacks by this group, and the hackers' method was the same every time: entry via the remote-control port. The technique they then apply, Solar said, can disable antivirus from almost any vendor.

[Photo: Izvestia/Anna Selina]

In particular, during an attack on an industrial company, the criminals placed a malicious file in the directory of the antivirus solution's administration agent and disabled Kaspersky Lab's antivirus.

"Experts informed the vendor about the mechanics discovered, after which Kaspersky Lab promptly refined the self-protection mechanisms of its products and released the corresponding updates," Solar said. "One of the malware's functions was to disable MiniFilter, a Windows file-system filtering technology. The security components of many security solutions use this filter to collect information about file-system operations, detect unusual behaviour, monitor applications and analyse potential threats."

The same technology also protects the antivirus itself from unauthorized access and from being switched off by hackers. During the attack, the malicious driver registers its own minifilter in place of the security solution's and then swaps in a dummy blocking function. The antivirus is thus cut off from file-system monitoring, and the criminals can load any malware they like.
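One check a defender can run after reading the above is whether the security product's minifilters are still registered with the Windows filter manager. The script below is an added example, not code from the article or from Solar or Kaspersky: it parses the output of the `fltmc filters` command (which needs an elevated prompt) and reports expected filters that are missing or loaded but attached to no volume. The sample output is constructed, and the `Acme*` filter names in `EXPECTED_FILTERS` are invented placeholders to be replaced with the names your vendor documents; `WdFilter` is the real name of Microsoft Defender's minifilter.

```python
"""Verify that the security product's file-system minifilters are still registered.

Parses the output of the Windows `fltmc filters` command (needs an elevated
prompt). SAMPLE_FLTMC_OUTPUT below is constructed for illustration and
EXPECTED_FILTERS holds assumed names: replace them with the minifilter driver
names your own product ships (`fltmc filters` on a known-good host lists them).
"""
import platform
import re
import subprocess
from dataclasses import dataclass

# Constructed sample: a host where the (hypothetical) AcmeAvFilter is gone and
# AcmeAvSelfProt is still loaded but attached to no volume. WdFilter is the
# real name of Microsoft Defender's minifilter; the Acme* names are invented.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
AcmeAvSelfProt                          0       385100         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
"""

# Assumed: the filters that must be loaded AND attached on a healthy endpoint.
EXPECTED_FILTERS = {"WdFilter", "AcmeAvFilter", "AcmeAvSelfProt"}


@dataclass(frozen=True)
class MiniFilter:
    name: str
    instances: int  # volumes the filter is attached to; 0 means it sees no I/O
    altitude: str   # position in the filter stack (higher = closer to the app)
    frame: int


# One data row: name, instance count, altitude, frame number.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)$")


def parse_fltmc(text: str) -> dict[str, MiniFilter]:
    """Turn `fltmc filters` output into {name: MiniFilter}; header lines are skipped."""
    filters: dict[str, MiniFilter] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, inst, alt, frame = m.groups()
            filters[name] = MiniFilter(name, int(inst), alt, int(frame))
    return filters


def check_filters(filters: dict[str, MiniFilter], expected: set[str]) -> dict[str, list[str]]:
    """Classify each expected filter as missing, detached (0 instances) or ok."""
    report: dict[str, list[str]] = {"missing": [], "detached": [], "ok": []}
    for name in sorted(expected):
        f = filters.get(name)
        if f is None:
            report["missing"].append(name)
        elif f.instances == 0:
            report["detached"].append(name)
        else:
            report["ok"].append(name)
    return report


def fltmc_output() -> str:
    """Run `fltmc filters` on Windows; elsewhere fall back to the constructed sample."""
    if platform.system() == "Windows":
        return subprocess.run(["fltmc", "filters"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_FLTMC_OUTPUT


if __name__ == "__main__":
    for state, names in check_filters(parse_fltmc(fltmc_output()), EXPECTED_FILTERS).items():
        for name in names:
            print(f"{state:8s} {name}")
```

Two caveats. A filter with zero instances is loaded but not attached to any volume, so it sees no file I/O, which is why the script treats "detached" as a finding and not as healthy. And `fltmc` is a user-mode tool asking the same kernel that a malicious driver has already tampered with, so treat its answer as a signal to cross-check against the product's own health telemetry, not as proof.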

[Photo: Izvestia/Eduard Kornienko]

Hackers have recently been making increasing use of tools that disable and bypass security products from various vendors, Dmitry Marichev, an expert at the Solar 4RAYS cyber threat research center, told Izvestia.

"The approaches and technical implementation of evading and deactivating security solutions differ only in details, such as the file names of their components," he explained. "A particular danger is that the technique is now being actively used by pro-Ukrainian groups whose aim is to destroy Russian infrastructure rather than 'quiet' espionage, as with attackers from the Asian region."

When carrying out targeted attacks, attackers often get into the infrastructure by exploiting vulnerabilities in software reachable from the external network, confirmed Vladimir Kuskov, head of the antivirus research lab at Kaspersky Lab.

"If they succeed, they often try to bypass or disable security software in order to avoid detection," the expert said. "For this purpose, attackers can use vulnerable or malicious drivers, whose code runs at the most privileged level of the operating system and can threaten the integrity of the OS security mechanisms."

How to protect yourself from malware

This is not the only technique criminals use to disable or block a security solution. Earlier, in another attack, attackers disrupted the IT infrastructure of a Russian industrial company, again disabling the antivirus beforehand. The hackers entered the industrial organisation's network in April 2024 through a compromised contractor account.

From the contractor's host they reached a number of systems via RDP (Remote Desktop Protocol) and were able to disable the security software so that their actions would not be detected or blocked. They managed this because of a flaw in how the Windows operating system handles drivers' digital signatures.
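Both incidents in this article come down to a kernel driver the attacker should never have been able to load. The script below is an added example, not code from the article or from any of the vendors quoted: it triages Sysmon Event ID 6 (DriverLoad) records and flags drivers that lack a valid Authenticode signature or were loaded from outside the directories Windows normally loads drivers from. The records, paths, signer names and the `TRUSTED_DRIVER_DIRS` list are constructed assumptions to adapt to your own estate.

```python
"""Triage Sysmon driver-load telemetry for the tampering described above.

Walks Sysmon Event ID 6 (DriverLoad) records, exported as dicts with Sysmon's
field names, and flags drivers that (a) lack a valid signature or (b) were
loaded from outside the usual driver directories. SAMPLE_DRIVER_LOADS is
constructed for illustration; TRUSTED_DRIVER_DIRS is an assumption.
"""
from pathlib import PureWindowsPath

# Assumed: where legitimately installed kernel drivers live on this estate.
TRUSTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore\FileRepository"),
)

# Constructed Sysmon Event ID 6 records (field names follow Sysmon's schema).
SAMPLE_DRIVER_LOADS = [
    {"UtcTime": "2024-01-10 03:14:07.101",
     "ImageLoaded": r"C:\Windows\System32\drivers\WdFilter.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Unsigned file dropped into the AV management agent's directory, as in the article.
    {"UtcTime": "2024-01-10 03:16:22.455",
     "ImageLoaded": r"C:\ProgramData\ExampleAV\Agent\agentupd.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Validly signed third-party driver staged in a user temp folder (bring-your-own-driver pattern).
    {"UtcTime": "2024-01-10 03:17:03.009",
     "ImageLoaded": r"C:\Users\contractor\AppData\Local\Temp\hwmon.sys",
     "Signed": "true", "Signature": "Example Hardware Inc", "SignatureStatus": "Valid"},
]


def _under_trusted_dir(path: PureWindowsPath) -> bool:
    """True if the image sits below one of TRUSTED_DRIVER_DIRS (case-insensitive)."""
    return any(d in path.parents for d in TRUSTED_DRIVER_DIRS)


def suspicious_driver_loads(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every driver load that fails a check."""
    findings: list[tuple[str, list[str]]] = []
    for ev in events:
        reasons: list[str] = []
        # Sysmon records Signed as "true"/"false" and SignatureStatus as e.g. "Valid".
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append(f"signature {ev.get('SignatureStatus') or 'absent'}")
        path = PureWindowsPath(ev["ImageLoaded"])
        if not _under_trusted_dir(path):
            reasons.append(f"loaded from {path.parent}")
        if reasons:
            findings.append((str(path), reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in suspicious_driver_loads(SAMPLE_DRIVER_LOADS):
        print(image, "->", "; ".join(reasons))
```

The third sample record is the one worth studying: it passes the signature check, and only the load path gives it away. A validly signed but vulnerable driver installed into System32\drivers passes both checks, which is precisely the gap the Kaspersky expert describes; closing it takes Microsoft's vulnerable driver blocklist (enforced via HVCI or WDAC) or your own hash-based deny list, not signature status alone.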

[Photo: Izvestia/Eduard Kornienko]

Legitimate remote-control tools have long been part of hackers' arsenal, said Oleg Skulkin, head of BI.ZONE Threat Intelligence.

"This often lets them draw minimal attention to malicious activity, especially if such software is already in use in the compromised organization," the expert explained. "Vulnerabilities in publicly accessible applications have been among the top three methods of gaining initial access for years."

What else do criminals use

Neuroinform CEO Alexander Dmitriev added that attackers were exploiting remote-access vulnerabilities even before the pandemic, in 2019.

"Employees first had to connect via VPN and only then to the remote management system," the expert said. "Apparently, someone in these companies wanted to save resources on security, effort, time and so on. In our own tests we found that entire user systems were exposed to the outside. And when companies went into the pandemic, many of them were not ready to work remotely."

[Photo: Izvestia/Mitriy Korotayev]

Back then, most information was kept not on servers but on users' local computers. And in some companies users logged in to the same IP address.

"Accordingly, all this was hacked quite easily, with unfortunate consequences. And such flaws still exist," he added.

Valentin Polyakov, owner of the PRO32 antivirus product, told Izvestia that most often cybercriminals break into company servers by brute-force attacks (automated password guessing), connect remotely using tools built into the operating system, manually disable the antivirus (if it is not password-protected) and launch malware prepared in advance.

"Typically these are encryptors, which encrypt an organisation's critical files, after which the ransomware leaves its contact details for paying a ransom to obtain the decryption key," he said. "Such incidents can have very serious consequences."
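The chain Polyakov describes, password guessing followed by a remote logon with built-in tools, is visible in the Windows Security log before the antivirus is ever touched. The script below is an added example, not code from the article or from PRO32: it reads failed (4625) and successful (4624) RDP logons, in a constructed CSV form with logon type 10 (RemoteInteractive), and raises one alert when a source address crosses a failure threshold inside a time window and a second, higher-priority alert when that same address then logs in. The addresses are from the documentation ranges and the usernames are made up; the threshold and window are assumptions to tune.

```python
"""Detect RDP password guessing and the logon that follows it.

Reads Windows Security events 4625 (failed logon) and 4624 (successful logon),
here in a constructed CSV form with logon type 10 (RemoteInteractive = RDP),
and raises an alert when one source address fails THRESHOLD times inside
WINDOW, plus a second alert when that address then logs in successfully.
Events are assumed to be in time order, as a log export normally is.
"""
import csv
import io
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: a six-attempt spray from 203.0.113.7 ending in a successful
# logon as "contractor1", and one ordinary mistyped password from 198.51.100.4.
SAMPLE_EVENTS = """\
time,event_id,logon_type,user,src_ip
2024-06-01T02:00:01Z,4625,10,administrator,203.0.113.7
2024-06-01T02:00:03Z,4625,10,admin,203.0.113.7
2024-06-01T02:00:05Z,4625,10,backup,203.0.113.7
2024-06-01T02:00:07Z,4625,10,svc_sql,203.0.113.7
2024-06-01T02:00:09Z,4625,10,it_support,203.0.113.7
2024-06-01T02:00:12Z,4625,10,contractor1,203.0.113.7
2024-06-01T02:00:40Z,4624,10,contractor1,203.0.113.7
2024-06-01T08:15:00Z,4625,10,j.smith,198.51.100.4
2024-06-01T08:15:30Z,4624,10,j.smith,198.51.100.4
"""

THRESHOLD = 5                   # assumed: failures from one address ...
WINDOW = timedelta(seconds=60)  # ... within this many seconds trip the alert


@dataclass(frozen=True)
class Alert:
    kind: str            # "bruteforce" or "success_after_bruteforce"
    src_ip: str
    user: Optional[str]  # account that got in, for the second kind only
    time: datetime


def detect_rdp_bruteforce(csv_text: str, threshold: int = THRESHOLD,
                          window: timedelta = WINDOW) -> list[Alert]:
    """Sliding-window count of 4625s per source address, then watch for a 4624."""
    recent: dict[str, deque] = defaultdict(deque)  # src_ip -> failure times in window
    flagged: set[str] = set()
    alerts: list[Alert] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["logon_type"] != "10":
            continue  # only RemoteInteractive (RDP) logons
        t = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        ip = row["src_ip"]
        if row["event_id"] == "4625":
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(Alert("bruteforce", ip, None, t))
        elif row["event_id"] == "4624" and ip in flagged:
            alerts.append(Alert("success_after_bruteforce", ip, row["user"], t))
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(a.time.isoformat(), a.kind, a.src_ip, a.user or "")
```

The second alert is the one to page on: a successful logon from an address that was just guessing passwords means a credential has been found, and the next steps in the article (native remote tooling, antivirus switched off) follow quickly. In a real deployment the source address comes from the 4625 `IpAddress` field, which is "-" for some logon types, and attackers who rotate addresses will also need a per-account counter alongside the per-address one shown here.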

[Photo: Izvestia/Alexei Maishev]

Vladimir Kuskov stressed that users should update the operating system and installed software promptly and regularly, and check that all the necessary protection components and solutions are in place and correctly configured.

When using remote access, Valentin Polyakov said, it is important to use reliable, properly configured tools whose default design all but rules out a break-in. It is also important to entrust the configuration of remote access to an experienced system administrator.

Translated by the Yandex Translate service.