Vulnerable yet digitally signed Gigabyte driver actively being exploited - RobbinHood Ransomware

by Hilbert Hagedoorn on: 02/10/2020 09:12 AM | source: sophos | 8 comment(s)
A form of ransomware is exploiting a vulnerable Gigabyte driver. Since the driver is digitally signed, it is easy to install. The malware then installs a second driver that disables security software, after which the encryption begins.

The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320. The problem is a kernel driver called gdrv.sys that is prone to privilege escalation. Although the driver is no longer in use, it is still digitally signed with a Verisign-issued certificate; why this is still the case is not yet known. Thanks to this certificate, the driver can still be installed, after which Windows driver signature enforcement can be disabled.

The vulnerability, published along with proof-of-concept code in 2018 and widely reported at the time, was disclaimed by the company, who told the researcher who tried to report the bug that “its products are not affected by the reported vulnerabilities.” The company later recanted, and has discontinued using the vulnerable driver, but it still exists, and it apparently remains a threat. Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid. In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference. 
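The load sequence described above (a trusted, signed but vulnerable driver followed by an unsigned one) is something a defender can look for in driver-load telemetry. The following is an added detection sketch, not code from the article or from Sophos; it runs over constructed records in the shape of Sysmon Event ID 6 (DriverLoad) fields, and the paths, times, signer string and second-driver name are placeholders.

```python
from dataclasses import dataclass
from typing import List

# Known-vulnerable signed drivers to watch for; gdrv.sys is the one from the article.
VULNERABLE_DRIVERS = {"gdrv.sys"}

@dataclass
class DriverLoad:
    utc_time: str
    image: str
    signed: str            # "true" / "false" as Sysmon logs it
    signature: str         # signer subject, empty if unsigned
    signature_status: str  # "Valid", "Unsigned", ...

def parse_event(line: str) -> DriverLoad:
    """Parse a flattened 'Key: value|Key: value' DriverLoad record (constructed format)."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return DriverLoad(
        utc_time=fields["UtcTime"],
        image=fields["ImageLoaded"],
        signed=fields["Signed"].lower(),
        signature=fields.get("Signature", ""),
        signature_status=fields["SignatureStatus"],
    )

def find_byovd_chain(events: List[DriverLoad]) -> List[str]:
    """Alert on a known-vulnerable signed driver load and on any unsigned driver
    loaded after it (the second, unsigned driver in the article). Events are
    sorted by time so an unsigned load that precedes the vulnerable one is ignored."""
    alerts, vuln_seen = [], False
    for ev in sorted(events, key=lambda e: e.utc_time):
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            vuln_seen = True
            alerts.append(f"{ev.utc_time} vulnerable signed driver loaded: {ev.image} ({ev.signature})")
        elif vuln_seen and ev.signed != "true":
            alerts.append(f"{ev.utc_time} unsigned driver loaded after vulnerable driver: {ev.image}")
    return alerts

# Constructed sample records; the signer subject and file names are placeholders.
SAMPLE_LOG = [
    "UtcTime: 2020-02-09 23:10:01.000|ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    "UtcTime: 2020-02-09 23:10:05.000|ImageLoaded: C:\\Windows\\Temp\\gdrv.sys|Signed: true|Signature: PLACEHOLDER-GIGABYTE-SIGNER|SignatureStatus: Valid",
    "UtcTime: 2020-02-09 23:10:07.000|ImageLoaded: C:\\Windows\\Temp\\unsigned_payload.sys|Signed: false|Signature: |SignatureStatus: Unsigned",
]

def demo() -> List[str]:
    return find_byovd_chain([parse_event(line) for line in SAMPLE_LOG])

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```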


Known Affected Software Configurations

  cpe:2.3:a:gigabyte:aorus_graphics_engine:*:*:*:*:*:*:*:*   up to (including) 1.33
  cpe:2.3:a:gigabyte:app_center:*:*:*:*:*:*:*:*              up to (including) 1.05.21
  cpe:2.3:a:gigabyte:oc_guru_ii:2.08:*:*:*:*:*:*:*           version 2.08
  cpe:2.3:a:gigabyte:xtreme_gaming_engine:*:*:*:*:*:*:*:*    up to (including) 1.25

The vulnerability is active throughout the entire software suite.


It is the first time we have observed ransomware shipping a trusted, signed (yet vulnerable) third party driver to patch the Windows kernel in-memory, load their own unsigned malicious driver, and take out security applications from kernel space. The ransomware that was being installed in both instances calls itself RobbinHood.

Gigabyte earlier claimed its products were not affected.

Read more on sophos.



Deleted member 271771
Unregistered



#5759138 Posted on: 02/10/2020 10:57 PM
A toll is a toll, and a roll is a roll. If we don't take no tolls then we don't eat no rolls.

Ihtiandr
Junior Member



Posts: 6
Joined: 2015-07-31

#5759166 Posted on: 02/11/2020 01:53 AM
I am sorry, but wasn't the xtreme engine updated to 1.26 in early 2019?

rl66
Senior Member



Posts: 2829
Joined: 2007-05-31

#5759204 Posted on: 02/11/2020 06:13 AM
It reminds me of a scene from Monty Python's Grail comedy: "hoooo I told you, I told you but you didn't listen"...
*edit* I found it


And about BattlEye, the thing is that the problem IS BattlEye...
On each game, when you remove it to play locally (I know it's bad... but legal if you own the game) you solve most bugs; astonishing to offer protection like that in 2020!!!


Guru3D.com © 2021