Hello and welcome to the Tuesday, April 25th,

2023 edition of the Sands and at Storm Ther's Stormcast. My name is Johannes Ulrich,

and today I'm recording from San Francisco, California.

Today is a bit of a patch Tuesday kind of episode with patches from a number of vendors,

but before we jump to patches, let's catch up on an issue I didn't cover last week. Softos and others are reporting

about the use of Aukil by Ransomware Gangs. Aukil uses the bring your own vulnerable driver technique

to disable endpoint protection agents. The driver in use by Aukil is an older known vulnerable

driver from Process Explorer. Process Explorer, of course, comes from Sys Internal. It's part of Microsoft,

so it's a valid signed, which is part of what makes this driver so interesting. The issue that

this driver is vulnerable to has been known until 2021.

It has been patched since then, but of course this old driver is still signed, it's still

valid, so it can still be loaded in operating systems, and with that it can be used for

privilege escalation.

This particular driver apparently was also used in the open source tool, a backstap.

Aukil is sort of based on backstap, and it uses then the privileges it gets from this driver

to disable endpoint protection agents.

And by the way, patching here is not really going to help you

because the attacker essentially installing this out-of-date driver for you.

So even if you are patched, you're still vulnerable to this privilege escalation attack.

More details about this particular attack

and how it's now being used to disparate ransomware can be found in Sophos' blog. So with that,

let's talk about vulnerabilities and exploits in early March. Two vulnerabilities were patched for paper cut.

...