Key Takeaway
The Qilin ransomware group has attacked organizations using the Bring Your Own Vulnerable Driver (BYOVD) technique. Loading a legitimately signed but vulnerable driver let the attackers disable security defenses, gain deep access to the system, and deploy the ransomware. Keeping security measures current is critical.
What Happened
The Qilin ransomware group has been observed employing the Bring Your Own Vulnerable Driver (BYOVD) technique in recent attacks. The tactic has been used to neutralize security tools on targeted systems, as reported by the cybersecurity firms Cisco Talos and Trend Micro. Talos researchers detailed incidents in which Qilin operators used this method, together with sophisticated evasion techniques, to deploy the ransomware against targeted organizations.
These attacks primarily occurred over the past few months, as Qilin leveraged the BYOVD method to circumvent endpoint protection systems, making their ransomware payload delivery more effective. This strategy indicates a growing trend among ransomware operators to use legitimate but vulnerable software components to disable security measures and execute malicious code without detection.
Technical Details
In these incidents, Qilin actors used a malicious DLL file named "msimg32.dll." This DLL plays a pivotal role in the attack's execution, acting as the vehicle for further payload delivery. BYOVD itself involves loading a legitimate driver that has a known vulnerability. Once loaded, such a driver can be abused to disable security solutions such as antivirus and EDR (Endpoint Detection and Response) software, opening a path for the ransomware to deploy without hindrance.
A notable vulnerability exploited in these attacks appears to be related to CVE-2019-16098, which affects certain versions of widely deployed drivers. This vulnerability has a CVSS score of 7.8, underscoring its severity and the potential impact of exploitation. Indicators of Compromise (IOCs) related to these incidents include the presence of "msimg32.dll" and specific network traffic patterns observed when infected hosts connect to Qilin-controlled C2 servers.
Impact
The victims of these Qilin ransomware attacks span different sectors, with operations primarily in healthcare, finance, and manufacturing. The disruption caused by these attacks includes data encryption, resulting in operational downtime and potential data breaches. The monetary demands of Qilin ransomware have reportedly ranged from several hundred thousand to millions of dollars, depending on the victim's size and the perceived value of the encrypted data.
Collateral impact includes reputational damage and potential legal implications, particularly if data protection regulations are violated. The sophistication of the attack vector also indicates a possible rise in similar exploits from other threat actors.
What To Do
- Patch and Update: Ensure all drivers and software are up to date and patched to mitigate vulnerabilities like CVE-2019-16098.
- Enable EDR Solutions: Deploy advanced detection systems capable of recognizing unusual driver-loading behavior and unauthorized DLL injections.
- Monitor Network Traffic: Use network monitoring tools to identify anomalies in traffic, specifically those matching known IOCs related to Qilin C2 communications.
- Conduct Security Audits: Regularly perform assessments on endpoint and server configurations to identify and rectify potential security gaps.
- Implement Whitelisting: Use software whitelisting to prevent unauthorized driver installations and execution of unknown DLLs.
Organizations must prioritize updating their cybersecurity defenses to adapt to evolving ransomware tactics such as BYOVD. Continuous monitoring, regular updates, and employee awareness training are key defenses against these advanced threats.
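As an added example (not from the article, nor from Cisco Talos or Trend Micro), here is the detection logic that the "unusual driver loading" recommendation implies: parse Sysmon Event ID 6 ("Driver loaded") records and flag any load whose hash is on a vulnerable-driver blocklist, whose path is outside the usual driver directories, or whose signer is not an expected publisher. The blocklist hashes, driver file names, sample events and signer allowlist are constructed placeholders, not indicators from the incident.

```python
# Added example (not from the article); all hashes, paths and names below are constructed.
import re
BLOCKED_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000001"}  # placeholder
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
ALLOWED_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}  # assumed

SAMPLE_EVENTS = """\
Driver loaded:
ImageLoaded: C:\\Windows\\System32\\drivers\\disk.sys
Hashes: SHA256=00000000000000000000000000000000000000000000000000000000000000AA
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
ImageLoaded: C:\\Users\\Public\\example_vulnerable.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001
Signature: Example Hardware Vendor
SignatureStatus: Valid
"""

def parse_driver_loads(text):
    # Sysmon renders an event as 'Key: value' lines; blank lines separate events here.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Driver loaded"):
            continue  # only Event ID 6 records carry the driver fields
        pairs = (line.partition(":") for line in lines[1:])
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def assess(ev):
    # Returns the reasons a driver load looks suspicious; an empty list means benign.
    reasons = []
    digests = dict(p.strip().partition("=")[::2] for p in ev.get("Hashes", "").split(","))
    if digests.get("SHA256", "").lower() in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from unexpected directory")
    # BYOVD drivers are usually validly signed, so also check who signed them.
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    elif ev.get("Signature", "").lower() not in ALLOWED_SIGNERS:
        reasons.append("signer not on allowlist")
    return reasons

def find_suspicious(text):
    # Maps each suspicious ImageLoaded path to its list of reasons.
    return {ev.get("ImageLoaded", ""): r for ev in parse_driver_loads(text) if (r := assess(ev))}
```

A validly signed driver with an unfamiliar publisher loaded from a user-writable directory is exactly the pattern a BYOVD attack produces, which is why the signer and path checks matter even when the hash is not yet on a blocklist.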
Original Source: The Hacker News