The Pakistan Telecommunication Authority (PTA) has issued an advisory warning that threat actors are using a tool called AuKill to disable Endpoint Detection and Response (EDR) software.
According to the advisory, AuKill is a previously undocumented defense-evasion tool that disables EDR products through a Bring Your Own Vulnerable Driver (BYOVD) attack.
The tool abuses an outdated version of the kernel driver shipped with Microsoft Process Explorer version 16.32 to terminate EDR processes before ransomware or a backdoor is deployed on the target system.
The driver is legitimately signed, so Driver Signature Enforcement does not stop it from loading: the attacker does not defeat that safeguard, but sidesteps it by bringing a trusted driver whose privileged functionality can be misused. Since the start of 2023, several ransomware strains, including Medusa Locker and LockBit, have been deployed alongside six different versions of AuKill.
PTA has asked departments to update their EDR software to the latest version and to perform regular security checks on their systems. The Authority also advises against running outdated versions of any software or driver, as they may contain vulnerabilities that can be exploited.
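One concrete form the advisory's "regular security checks" can take on a Windows host is an inventory of the kernel drivers that are actually running, with their signer and file version, plus a look at whether Microsoft's vulnerable driver blocklist is switched on. The script below is an added example written for this page; it is not part of the PTA advisory or of any vendor's tooling. It assumes that the registry value `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` is the documented switch for the blocklist on hosts without HVCI, and that the Sysinternals driver carries a `FileDescription` containing "Process Explorer" (a heuristic, not an indicator from the advisory). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the PTA advisory. Lists running kernel drivers with
# signer and version, flags Process Explorer drivers (the driver family AuKill
# is reported to abuse), and reports the vulnerable driver blocklist state.

function Get-VulnerableDriverBlocklistState {
    # Assumption: this is the documented registry switch for Microsoft's
    # vulnerable driver blocklist on hosts where HVCI does not enforce it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (OS default applies)' }
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { return 'enabled' }
    return 'disabled'
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style or relative paths; map them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-RunningDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        if (-not $_.PathName) { return }          # no backing file reported; skip
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name        = $_.Name
            Path        = $path
            Description = $info.FileDescription
            FileVersion = $info.FileVersion
            SigStatus   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Heuristic (assumption): Sysinternals stamps the driver's description
            # with "Process Explorer"; the service name is also checked.
            IsProcExp   = ($info.FileDescription -like '*Process Explorer*') -or ($_.Name -like 'PROCEXP*')
        }
    }
}

"Microsoft vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistState)"

$inventory = Get-RunningDriverInventory
$procExpDrivers = $inventory | Where-Object IsProcExp

if ($procExpDrivers) {
    "Process Explorer driver(s) currently loaded:"
    $procExpDrivers | Format-Table Name, FileVersion, SigStatus, Path -AutoSize
    # A Process Explorer driver loaded while no Process Explorer GUI is running
    # is worth a closer look: something other than the tool itself loaded it.
    $gui = Get-Process -Name procexp, procexp64 -ErrorAction SilentlyContinue
    if (-not $gui) { "No procexp.exe / procexp64.exe process is running; check who loaded this driver." }
} else {
    "No Process Explorer driver is currently loaded."
}

# Full inventory for review: unsigned or unexpectedly signed drivers stand out here.
$inventory | Sort-Object SigStatus, Name | Format-Table Name, FileVersion, SigStatus, Signer -AutoSize
```

The version column is the point of the exercise: compare any loaded Process Explorer driver against the driver shipped with the current Process Explorer release, and treat a stale version, or one loaded with no Process Explorer session open, as something to investigate rather than tolerate. Turning the blocklist on does not replace patching, but it is the mechanism Windows already offers for refusing known-abused drivers, which is exactly the class of driver the advisory is concerned with.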