In both instances, attackers took advantage of previously disclosed vulnerabilities, a recurring concern for enterprises.

AvosLocker is relatively new to the ransomware threat landscape. Trend Micro, as well as Palo Alto Networks, noted that its emergence last year may have filled a void left by the shutdown of REvil.

Though the observed tactics aligned with previous AvosLocker activity, one significant aspect of the attack did mark a first for the Trend Micro researchers.

"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys)," Ordonez and Nieto wrote in the blog.

Ordonez and Nieto suspect the Zoho ManageEngine ADSelfService Plus exploit as the initial attack vector, based on indications that the actors used the known vulnerability tracked as CVE-2021-40539. By accessing the AD, the threat actors were able to create a new user account and gain administrative access inside the infected system. The remote code execution bug was initially disclosed last year by security vendor Synacktiv.

They used a PowerShell script to download the tools they needed, such as AnyDesk, which allows remote access. From there, the researchers observed the PowerShell script disabling the security products by using the legitimate Avast Anti-Rootkit Driver, which was used to terminate any security product processes it found. Because the driver is a legitimately signed vendor file, a signature check alone will not stop it from loading; defenders need to look at where the driver was loaded from and on which hosts.
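The driver abuse described above leaves one reliable trace: a legitimately signed Avast driver being loaded on a host, or from a directory, where Avast itself was never installed. The following detection logic is an added example written for this page, not code from Trend Micro or from the incident; it runs over constructed Sysmon Event ID 6 ("Driver loaded") records in the rendered "Key: Value" text form, and it assumes the legitimate product directory for aswArPot.sys is under `C:\Program Files\Avast Software\Avast`, which is a stated assumption, not something the article provides. The point the example makes is that the loaded file carries a valid signature in every record, so the rule keys on the load path rather than on the signature.

```python
import ntpath
import re

# Constructed Sysmon Event ID 6 ("Driver loaded") messages in the rendered
# "Key: Value" text form Sysmon writes to the event log. These sample records
# were made up for this example; they are not events from the incident.
SAMPLE_EVENTS = r"""
Driver loaded:
RuleName: -
UtcTime: 2022-05-02 10:14:03.117
ImageLoaded: C:\Program Files\Avast Software\Avast\aswArPot.sys
Signed: true
Signature: Avast Software s.r.o.
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2022-05-02 10:31:48.902
ImageLoaded: C:\Users\Public\aswArPot.sys
Signed: true
Signature: Avast Software s.r.o.
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2022-05-02 10:32:10.004
ImageLoaded: C:\Windows\System32\drivers\tcpip.sys
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
"""

# Assumption for this example: on a host that runs Avast, aswArPot.sys is only
# expected to load from the product directory below; on any other host it is
# not expected to load at all. Extend the map with other known-abused drivers.
WATCHED_DRIVERS = {
    "aswarpot.sys": [r"C:\Program Files\Avast Software\Avast"],
}


def parse_sysmon_messages(text: str) -> list:
    """Split rendered Sysmon messages on blank lines. The first line of each
    block ("Driver loaded:") becomes EventType; the rest are "Key: Value"."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        fields = {"EventType": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def is_under(path: str, directory: str) -> bool:
    """Case-insensitive check that a Windows path sits inside a directory."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory)).rstrip("\\")
    return p.startswith(d + "\\")


def find_byovd_loads(events: list) -> list:
    """Flag watched drivers loaded from outside their expected directory.
    The signature fields are carried into the finding on purpose: the driver
    is validly signed, so a rule that only checks SignatureStatus passes it."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "Driver loaded":
            continue
        image = ev.get("ImageLoaded", "")
        name = ntpath.basename(image).lower()
        expected_dirs = WATCHED_DRIVERS.get(name)
        if expected_dirs is None or any(is_under(image, d) for d in expected_dirs):
            continue
        findings.append({
            "UtcTime": ev.get("UtcTime"),
            "ImageLoaded": image,
            "Signature": ev.get("Signature"),
            "SignatureStatus": ev.get("SignatureStatus"),
            "Reason": f"{name} loaded outside {expected_dirs}",
        })
    return findings


if __name__ == "__main__":
    for finding in find_byovd_loads(parse_sysmon_messages(SAMPLE_EVENTS)):
        print(finding)
```

Run against the constructed records, only the copy loaded from `C:\Users\Public` is reported, even though its signature fields are identical to the legitimate load. Matching on the file name is the weak spot of this rule: a renamed copy would slip past it, so a production rule should key on the driver's file hash or on the signer together with the original file name from its version resource, and Sysmon has to be configured with a DriverLoad rule for these events to exist at all. The PowerShell script that fetched AnyDesk earlier in the chain is a second, independent detection opportunity (process creation and network events), which this example deliberately leaves out.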