Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Threat Report

Akira SonicWall Campaign A sophisticated cyber threat exploiting drivers for AV/EDR evasion

Threat Overview

The recent threat report published by AlienVault on August 8, 2025, highlights a significant cyber campaign involving the exploitation of common drivers to facilitate AV/EDR (Antivirus/Endpoint Detection and Response) evasion. This campaign is associated with Akira ransomware affiliates who have been observed abusing SonicWall VPNs as an initial access vector. The drivers in question, rwdrv.sys and hlpdrv.sys, are being used to disable or evade security measures through a Bring Your Own Vulnerable Driver (BYOVD) exploitation chain.

This behavior has been noted in several recent Akira ransomware incident response cases, indicating a coordinated effort by the threat actors. The campaign may be driven by an unreported zero-day vulnerability in SonicWall VPNs, making it crucial for defenders to take immediate action to protect their networks.

Detailed Analysis

The Akira SonicWall Campaign is a sophisticated cyber threat that leverages known vulnerabilities in drivers to bypass security measures. By exploiting rwdrv.sys and hlpdrv.sys, the attackers can effectively disable AV/EDR solutions, allowing them to operate undetected within compromised networks.

The use of BYOVD techniques is particularly concerning because it allows attackers to leverage legitimate drivers that are signed by trusted vendors, making detection more challenging. This method has been observed in multiple Akira ransomware incidents, suggesting a well-coordinated and persistent threat.

The campaign’s initial access vector involves the abuse of SonicWall VPNs, which may be facilitated by an unreported zero-day vulnerability. This makes it essential for organizations to harden their SonicWall VPN configurations and implement recommended mitigations to prevent exploitation.

Operational Security Measures

While the Akira affiliates have implemented sophisticated evasion techniques, there are distinctive patterns in their operations that can be used to detect and mitigate the threat. The use of specific drivers and the abuse of SonicWall VPNs provide indicators that security analysts can monitor for.

Additionally, the campaign’s reliance on a zero-day vulnerability suggests that the attackers may have limited knowledge of other potential entry points, making it crucial for defenders to focus on securing known vulnerabilities.

Recommendations for Mitigation

To mitigate the threat posed by the Akira SonicWall Campaign, organizations should consider the following recommendations:

  • Harden SonicWall VPNs: Implement strict access controls and regular updates to SonicWall VPN configurations to prevent exploitation.
  • Monitor for BYOVD Activity: Use YARA rules provided in the threat report to detect and respond to pre-ransomware activity involving vulnerable drivers.
  • Network Segmentation: Divide the network into smaller segments with strict access controls to limit lateral movement by attackers.
  • Regular Updates: Keep all systems and software up to date with the latest security patches to address known vulnerabilities.
  • Intrusion Detection Systems: Deploy IDS to monitor network traffic for signs of malicious activity, particularly related to driver exploitation.
  • Endpoint Protection: Implement robust endpoint protection solutions to detect and block malware on individual devices.
  • Security Awareness Training: Provide regular training to employees on recognizing and reporting potential security threats, including phishing simulations and best practices for password security.
  • Regular Backups: Maintain offline or separate network segment backups of critical data to ensure recovery in case of a ransomware attack.
  • Incident Response Plan: Develop and maintain an incident response plan to quickly contain, investigate, and restore affected systems during security incidents.

By implementing these measures, organizations can significantly reduce the risk of falling victim to the Akira SonicWall Campaign and other sophisticated cyber threats.

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading