
Vulnerable yet digitally signed Gigabyte driver actively being exploited - RobbinHood Randomware

by Hilbert Hagedoorn on: 02/10/2020 09:12 AM | source: sophos | 8 comment(s)

A form of ransomware is exploiting a vulnerable Gigabyte driver. Since the driver is digitally signed, it is easy to install. The malware then uses it to install a second driver that disables security software, after which the encryption begins.

The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability, tracked as CVE-2018-19320. The problem is a kernel driver called gdrv.sys that is prone to privilege escalation. Although the driver is no longer in use, it still carries a valid digital signature from a Verisign-issued certificate; why that certificate has not been revoked is not yet known. Thanks to this certificate, the driver can still be installed, after which Windows driver signature enforcement can be disabled.

The vulnerability, published along with proof-of-concept code in 2018 and widely reported at the time, was disclaimed by the company, who told the researcher who tried to report the bug that “its products are not affected by the reported vulnerabilities.” The company later recanted, and has discontinued using the vulnerable driver, but it still exists, and it apparently remains a threat. Verisign, whose code signing mechanism was used to digitally sign the driver, has not revoked the signing certificate, so the Authenticode signature remains valid. In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference. 
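As an added defensive check (not from the article or from Sophos), the following PowerShell script inventories installed kernel driver services whose image is gdrv.sys and reports, for each, whether it is loaded, its Authenticode status and signer, and its SHA-256 hash. Only the file name gdrv.sys comes from the page; the variable names and the hash list are assumptions, and the hash list holds a placeholder you must fill from a trusted source.

```powershell
# Added example, not code from the article or from Sophos.
# Run in an elevated PowerShell session.
# Only gdrv.sys is named on the page; the hash list below is a placeholder
# (the article lists no hashes), so fill it from a trusted source.
$KnownVulnerableHashes = @(
    'PLACEHOLDER_SHA256_OF_VULNERABLE_GDRV_SYS'
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may be a native path such as
    # \SystemRoot\system32\drivers\gdrv.sys or \??\C:\...\gdrv.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32', "$env:SystemRoot\system32"
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'gdrv\.sys$' }

if (-not $drivers) {
    Write-Output 'No installed driver service pointing at gdrv.sys found.'
    return
}

foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Service $($d.Name) points at missing file $path"
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Service    = $d.Name
        State      = $d.State        # 'Running' means it is loaded in the kernel
        StartMode  = $d.StartMode
        Path       = $path
        # 'Valid' only means the signature chain checks out; it says nothing
        # about whether the driver itself is exploitable.
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        CertExpiry = $sig.SignerCertificate.NotAfter
        SHA256     = $hash
        KnownBad   = $KnownVulnerableHashes -contains $hash
    }
}
```

A result with SigStatus Valid and KnownBad True is exactly the condition the article describes: a trusted signature on a driver you do not want loaded, which signature checks alone will not stop.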

  

Known Affected Software Configurations (CPE)

cpe:2.3:a:gigabyte:aorus_graphics_engine:*:*:*:*:*:*:*:* (up to and including 1.33)
cpe:2.3:a:gigabyte:app_center:*:*:*:*:*:*:*:* (up to and including 1.05.21)
cpe:2.3:a:gigabyte:oc_guru_ii:2.08:*:*:*:*:*:*:* (version 2.08)
cpe:2.3:a:gigabyte:xtreme_gaming_engine:*:*:*:*:*:*:*:* (up to and including 1.25)

The vulnerability is present throughout the entire software suite.

 

It is the first time we have observed ransomware shipping a trusted, signed (yet vulnerable) third party driver to patch the Windows kernel in-memory, load their own unsigned malicious driver, and take out security applications from kernel space. The ransomware that was being installed in both instances calls itself RobbinHood.

Earlier on, Gigabyte claimed its products were not affected.

Read more on Sophos.






Astyanax
Senior Member



Posts: 15387
Joined: 2018-03-21

#5758949 Posted on: 02/10/2020 10:26 AM
Yep, I absolutely saw this coming.

This file has been used to hack EAC- and BattlEye-protected games for months.

386SX
Senior Member



Posts: 1797
Joined: 2017-06-26

#5758950 Posted on: 02/10/2020 10:26 AM
Verisign should put the cert on their blacklist ... the driver will become invalid, but so does the ransomware which relies on this driver to infect.

Just another example of "I don't think this will raise any issues".

skimike
Junior Member



Posts: 2
Joined: 2020-02-10

#5759090 Posted on: 02/10/2020 07:02 PM
Verisign should put the cert on their blacklist ... the driver will become invalid, but so does the ransomware which relies on this driver to infect.

Just another example of "I don't think this will raise any issues".

Verisign hasn't been a CA since 2010 when it sold the CA portion of its business to Symantec and is thus not responsible for this certificate in any way. The burden is on the certificate owner (Gigabyte) to revoke the certificate. If a CA randomly revoked certificates that they signed but did not own, they would not be a CA for very long.

386SX
Senior Member



Posts: 1797
Joined: 2017-06-26

#5759115 Posted on: 02/10/2020 09:00 PM
Verizon ... you're right about them. I somehow had the name in my mind but completely forgot this story ... :)

GlennB
Senior Member



Posts: 260
Joined: 2009-12-12

#5759128 Posted on: 02/10/2020 10:05 PM
Yep, I absolutely saw this coming.

This file has been used to hack EAC- and BattlEye-protected games for months.

And I was under the impression Bluehole finally fixed the anti-cheat in PUBG :rolleyes:



Guru3D.com © 2023