Hackers Disable Antiviruses to Conceal Attacks on Russian Companies

One such incident occurred in an industrial organization. The malicious file was discovered by experts at the Solar JSOC cyberattack response center. The investigation revealed that the attackers penetrated the corporate network through a vulnerability in DameWare Mini Remote Control software, used for remote administration.

Key stages of the attack:

  1. Exploiting a vulnerability in software that remained accessible from the external network since the pandemic.
  2. Placing a malicious file in the administration directory of the antivirus solution.
  3. Disabling the antivirus (in this case, Kaspersky Lab).
  4. Disabling the MiniFilter technology, which is used to monitor activity in the Windows file system.
  5. Replacing the antivirus's callback functions with dummy values, which deprives the protection system of the ability to detect threats.

After deactivating the protection, hackers could download any malicious programs without fear of detection.

Having received information from Solar 4RAYS, Kaspersky Lab promptly refined the self-defense mechanisms of its products and released updates. The updated versions strengthened threat detection rules and added new algorithms to protect against the loading of suspicious drivers.

Solar 4RAYS specialists note that attacks involving the disabling of protection tools are becoming increasingly common. If previously such techniques were used primarily in targeted espionage campaigns, now they are actively used by cybercriminals for destructive attacks on critical infrastructure.

Solar 4RAYS experts recommend that enterprises:

  - Regularly check the operability of protective solutions - a disabled antivirus may be a sign of hacking.
  - Monitor telemetry transmission - it is important to track whether systems transmit data about security events.
  - Assess the level of infrastructure compromise - this will help detect attacks before serious consequences occur.
  - Use layered protection - the integration of EDR, XDR, and NDR helps detect complex attacks in real time.
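The first two recommendations (verify that protection is actually running, and notice when it goes quiet) can be turned into a scheduled host check. The script below is an added example written for this article; it is not code from Solar 4RAYS, Kaspersky Lab, or the article itself. It checks three symptoms that match the attack stages described above: the endpoint-protection service is stopped or missing, the product's file-system minifilter is no longer attached (as reported by `fltmc filters`), and the Windows Service Control Manager has recently logged the service stopping (event 7036) or having its start type changed (event 7040). The service name, minifilter name and look-back window are placeholders and must be replaced with the values your vendor documents; `fltmc` requires administrator rights.

```powershell
# Added example (not from the article, Solar 4RAYS or Kaspersky Lab): a defensive
# health check for Windows hosts that flags the symptoms of a disabled antivirus.
# ASSUMPTIONS: the names below are placeholders; substitute your vendor's real
# service and minifilter names. Run elevated so that 'fltmc filters' works.

$ExpectedServices = @('PLACEHOLDER_AV_Service')      # vendor's main protection service
$ExpectedFilters  = @('PLACEHOLDER_AV_Minifilter')   # minifilter name as listed by 'fltmc filters'
$LookBackHours    = 24                               # window for SCM events (assumed value)

function Test-ProtectionServices {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Check = 'Service'; Item = $name; Status = 'MISSING' }
        } elseif ($svc.Status -ne 'Running') {
            [pscustomobject]@{ Check = 'Service'; Item = $name; Status = $svc.Status.ToString() }
        }
    }
}

function Get-LoadedMinifilters {
    # 'fltmc filters' prints two header lines, then one filter per line;
    # the first whitespace-separated token of each row is the filter name.
    $lines = & fltmc.exe filters 2>$null
    if (-not $lines) { return @() }
    $lines | Select-Object -Skip 2 |
        ForEach-Object { ($_.Trim() -split '\s+')[0] } |
        Where-Object { $_ -ne '' }
}

function Test-ProtectionMinifilters {
    param([string[]]$Names)
    $loaded = @(Get-LoadedMinifilters)
    foreach ($name in $Names) {
        if ($loaded -notcontains $name) {
            [pscustomobject]@{ Check = 'Minifilter'; Item = $name; Status = 'NOT ATTACHED' }
        }
    }
}

function Test-RecentServiceStops {
    param([string[]]$Names, [int]$Hours)
    # SCM event 7036 = service entered the stopped/running state,
    # 7040 = service start type was changed (e.g. set to Disabled).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        foreach ($name in $Names) {
            # 7036 also fires on normal starts; only the 'stopped' transition is suspicious here.
            if ($e.Message -match [regex]::Escape($name) -and
                ($e.Id -eq 7040 -or $e.Message -match 'stopped')) {
                [pscustomobject]@{ Check = "SCM event $($e.Id)"; Item = $name
                                   Status = $e.TimeCreated.ToString('s') }
            }
        }
    }
}

function Invoke-ProtectionHealthCheck {
    $findings = @()
    $findings += Test-ProtectionServices   -Names $ExpectedServices
    $findings += Test-ProtectionMinifilters -Names $ExpectedFilters
    $findings += Test-RecentServiceStops   -Names $ExpectedServices -Hours $LookBackHours
    if ($findings.Count -eq 0) {
        Write-Output "OK: protection services and minifilters present, no recent stop events."
        return 0
    }
    $findings | Format-Table -AutoSize | Out-String | Write-Output
    return 1   # non-zero so a scheduler or SIEM collector treats it as an alert
}

exit (Invoke-ProtectionHealthCheck)
```

Schedule the script to run every few minutes and forward its non-zero exits (or the findings table) to the SIEM; a host whose protection service is stopped, whose minifilter has detached, or which has logged a start-type change outside a maintenance window should be triaged as a possible compromise rather than as a routine outage, which is exactly the signal the recommendations above ask for.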

Attackers are improving their methods and finding ways to bypass even the most advanced antivirus solutions. Proactive cybersecurity measures therefore come to the fore: without multi-level protection and constant monitoring of the organization's infrastructure, the risk of losses and destructive consequences increases significantly.