Vulnerability in an old Gigabyte driver: Blocks antivirus and installs ransomware

Sophos security researchers have identified two different hacker attacks that share the same technique and which suggests the presence of the same hand behind the scenes. It would be a hacker group that exploits a vulnerability present in an old Gigabyte motherboard driver to unhinge the defenses of antivirus and antimalware and install the RobbinHood ransomware, normally used in attacks aimed at selected high-value targets so that it can operate undisturbed.

In the analysis, Sophos accurately describes the technique that unfolds in several steps:

• The group gains access to the victim’s network.
• Install the GDRV.SYS driver (legitimate, but failed).
• Install a compromised driver called RBNL.SYS.

This technique, Sophos warns, works on Windows 7, Windows 8 and Windows 10. The security company places the responsibility of this situation on Gigabyte and Verisign: the technique is successful precisely because of how the vulnerability was handled inside the Gigabyte driver.

The driver is part of a software package, now discontinued, dating back to 2018 and bearing the vulnerability identified by the code CVE-2018-19320. When the vulnerability was identified and communicated privately to Gigabyte, the Taiwanese company decided not to recognize the problem and, without issuing a corrective patch, stated that its products were not affected by any vulnerabilities.

The company’s refusal to recognize the problem led researchers who identified the vulnerability to openly publish their findings along with with an example, the so-called proof-of-concept code, to take advantage of the weak point. The publication of this information thus offered attackers a starting point for exploiting the vulnerability present in the Gigabyte driver.

Unconsciousness of security researchers? No, it is the common practice that is followed in these cases: the data subject is contacted privately to communicate the problem, and if this niche, information is disclosed to force the data subject to work on a solution.

But even in this case, Gigabyte has irresponsibly pulled straight. In essence, even with the pressure of having to solve the situation, Gigabyte has decided to abandon the use of the driver without releasing any patch.

And this is where the ” guilt contest ” takes place with Verisign, who was supposed to revoke the driver’s certificate. ” Verisign, whose signature mechanism was used to digitally sign the driver, has not revoked the certificate, and the Authenticode signature remains valid ” stressed Sophos, explaining why it is still possible today to load drivers in Windows deprecated and affected by known vulnerabilities. The driver is still in circulation and remains a threat.

It is not surprising if this technique will be exploited and personalized by other singles or hacker groups to include it in their offensive arsenal. In any case, RobbinHood is not the only ransomware that uses tricks to disable or circumvent security products. Others are, for example, Snatch, which restarts the PC in Safe Mode to disable the antivirus from the beginning, and Nemty, which stops the antivirus process using the task kill utility.

Updated systems, properly protected, and free of known vulnerabilities can also succumb to this problem. So what can be done to prevent? Since the first step of the attack is to be able to gain access to the network where the target system is located, it is imperative to take all the necessary precautions to prevent the attackers from succeeding in this aim.

And here, the ” usual ” security best practices apply multi-factor authentication, complex passwords, limitation of access rights, and to prevent problems resulting from a ransomware infection; the advice is to make regular backups and store them properly, preferably in a system disconnected from the rest of the network.