
Researchers have found proof of threat actors using this vulnerability to conduct ransomware attacks since July 2022. While it is unclear how the hackers initially gain access to their target, once they are in, they use the Genshin Impact driver to access the computer's kernel. A kernel generally has full control over everything that happens in your system, so for threat actors to be able to access it is disastrous.

The hackers used "secretsdump," which helped them snatch admin credentials, and "wmiexec," which executed their commands remotely through Windows' own Management Instrumentation tool. These are free and open-source tools from Impacket that anyone could get their hands on if they wanted to. With that out of the way, the threat actors were able to connect to the domain controller and implant malicious files onto the machine.

After dropping "avg.msi" onto the desktop of the affected computer, four files were transferred and executed. One of these files was an executable called "kill_svc.exe," and it was used to install the Genshin Impact driver. After some hiccups, the adversaries were able to fully load the driver and the ransomware onto a network share with the goal of mass deployment, meaning they could affect more workstations connected to the same network. In the end, the attacker was able to completely kill the computer's antivirus software and transfer the ransomware payload.

It loads straight away on Windows 11 with TPM and all that, the problem has been ignored. If you're a business and you run MDE or the like, I recommend blocking this hash, it's the vulnerable driver.

509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6

Cloudflare Support Hate, August 25, 2022

According to Trend Micro, Genshin Impact developers were informed about the vulnerabilities in the game module as early as 2020. Even if the vendor responds to this and fixes this major flaw, its old versions will still remain on the internet, and thus, will remain a threat. Despite that, the code-signing certificate is still there, which means that Windows continues to recognize the program as secure.
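The remote-execution step described above (wmiexec from Impacket) leaves a recognizable trace on the endpoint that a defender can alert on. The following Python detection logic is an added example, not code from the article, from Trend Micro or from Impacket. It assumes the default behaviour of wmiexec.py, which spawns cmd.exe from the WMI provider host (WmiPrvSE.exe) with output redirected to a file named __<timestamp> on the ADMIN$ share over loopback; the events, hostnames and field names are constructed in Sysmon Event ID 1 style for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are made-up records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {   # classic wmiexec.py command line: cmd.exe under WmiPrvSE.exe, output to ADMIN$
        "host": "WS01",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1661426223.5 2>&1",
    },
    {   # shell spawned by the WMI provider host without the tell-tale redirect
        "host": "WS01",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c C:\Users\Public\kill_svc.exe",
    },
    {   # ordinary interactive shell, should not fire
        "host": "WS02",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # benign non-shell child of WmiPrvSE.exe, should not fire
        "host": "WS02",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r"WerFault.exe -u -p 1234",
    },
]

# wmiexec.py redirects stdout/stderr to \\127.0.0.1\ADMIN$\__<time.time()>
WMIEXEC_OUTPUT_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.IGNORECASE
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (confidence, reason) for a suspicious event, or None if it is benign."""
    if basename(event["ParentImage"]) != "wmiprvse.exe":
        return None
    if WMIEXEC_OUTPUT_REDIRECT.search(event["CommandLine"]):
        return ("high", "wmiexec-style output redirect to ADMIN$ over loopback")
    if basename(event["Image"]) in SHELLS:
        return ("medium", "command shell spawned by the WMI provider host")
    return None


def detect(events):
    """Run classify() over a stream of events and collect findings."""
    findings = []
    for ev in events:
        result = classify(ev)
        if result is not None:
            findings.append({
                "host": ev["host"],
                "confidence": result[0],
                "reason": result[1],
                "command": ev["CommandLine"],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['host']}: {f['reason']} :: {f['command']}")
```

The high-confidence rule keys on the loopback ADMIN$ redirect because that string is produced by the tool itself rather than by the operator; the medium-confidence rule catches operators who change the command line but still execute through WMI, at the cost of some noise from legitimate WMI-driven automation that should be baselined per environment.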
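The tweet above recommends blocking the driver by hash, and the article explains why that is the practical control: the driver carries a valid code-signing certificate, so signature checks alone will not flag it. The following Python scanner is an added example, not code from the article, from Trend Micro or from any endpoint product. It hashes driver files under a directory and reports any whose SHA-256 appears on a blocklist seeded with the hash quoted in the tweet. The demo() function, the constructed sample files it writes and the temporary directory layout are assumptions made for the example.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Blocklist keyed by SHA-256. The only real entry is the hash quoted in the tweet above.
KNOWN_BAD_DRIVERS = {
    "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6":
        "vulnerable Genshin Impact anti-cheat driver (hash from the tweet above)",
}


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drivers(root, blocklist=KNOWN_BAD_DRIVERS, suffixes=(".sys",)):
    """Hash every file under root with one of the given suffixes.

    Returns (hits, errors): hits are (path, digest, label) for blocklisted files;
    errors are (path, message) for files that could not be read, so a permission
    problem on one file does not silently abort the whole scan.
    """
    hits, errors = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            digest = sha256_file(path)
        except OSError as exc:
            errors.append((str(path), str(exc)))
            continue
        label = blocklist.get(digest)
        if label is not None:
            hits.append((str(path), digest, label))
    return hits, errors


def demo():
    """Constructed sample: two fake .sys files in a temp dir, one added to the blocklist.

    The file contents are arbitrary bytes, not a real driver; the point is to show
    the scanner matching on the hash of whatever is on the blocklist.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "constructed-sample.sys"
        bad.write_bytes(b"constructed sample, not a real driver")
        (Path(tmp) / "benign.sys").write_bytes(b"another constructed file")
        blocklist = dict(KNOWN_BAD_DRIVERS)
        blocklist[sha256_file(bad)] = "constructed sample"
        hits, errors = scan_drivers(tmp, blocklist)
    return hits, errors


if __name__ == "__main__":
    # With a directory argument (for example the drivers folder under System32)
    # the real blocklist is used; without one the constructed demo runs.
    if len(sys.argv) > 1:
        hits, errors = scan_drivers(sys.argv[1])
    else:
        hits, errors = demo()
    for path, digest, label in hits:
        print(f"BLOCKLISTED {path} {digest} ({label})")
    for path, msg in errors:
        print(f"UNREADABLE {path}: {msg}", file=sys.stderr)
```

A hash match is a starting point for response, not the whole story: an attacker can drop the driver under any file name, so the scan keys on content rather than name, and the blocklist should be extended with any further hashes published for old versions, since the article notes that those remain available after a vendor fix.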
