
Windows workstations under attack by newly discovered malware

Hp Zbook Studio G8 Ports (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • A newly discovered malware is targeting Windows workstations, industrial control systems, and data acquisition devices.
  • Threat actors exploit a known vulnerability in an ASRock-signed motherboard driver to gain a foothold in IT and OT systems.
  • Once an IT or OT system is compromised, threat actors can move laterally through the network to reach other systems.

Windows workstations are under threat from a newly discovered type of malware. According to a joint cybersecurity advisory by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the malware can compromise Windows-based engineering workstations. The same malware is also a threat to industrial control systems and data acquisition devices.

Because Windows-based engineering workstations are often used by IT departments and security administrators, a compromised workstation puts a wide range of devices at risk. Threat actors who gain access to systems with sufficient privileges could then move laterally through the network.

"The actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities," explained CISA in its security advisory.

The attack takes advantage of a known vulnerability in an ASRock motherboard driver. A threat actor who exploits it can execute malicious code in the Windows kernel, and that kernel-level access is the key to moving laterally within a network.

"The APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel," explained CISA. "Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions."
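As an added defender-side check that is not part of the article or the advisory, the PowerShell below looks for the driver named above on a Windows host and records the signer and hash of any copy it finds. It assumes an elevated session and uses only standard Windows cmdlets; the driver file name is the one quoted from CISA.

```powershell
# Added example (not from the advisory or Windows Central): hunt a Windows host for the
# known-vulnerable ASRock driver named in the article, AsrDrv103.sys (CVE-2020-15368).
# Assumes an elevated PowerShell session. The driver name comes from the article;
# the search locations below are an assumption about where a dropped driver may sit.
$DriverName = 'AsrDrv103.sys'

# 1. Is a kernel driver service that points at this file registered or running?
$services = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverName*" } |
    Select-Object Name, State, StartMode, PathName

# 2. Does the file exist in the driver store or in common drop locations?
$roots = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData)
$files = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue
    }
}

# 3. Record signer, signature status and SHA-256 for each copy, so the finding can be
#    cross-checked against vendor data or turned into a WDAC hash-based deny rule.
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path   = $f.FullName
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signer = $sig.SignerCertificate.Subject
        Status = $sig.Status
    }
}

if ($services) { $services | Format-Table -AutoSize }
if ($report)   { $report   | Format-List }
if (-not $services -and -not $report) {
    Write-Output "No trace of $DriverName found as a loaded service or on disk."
}
```

A registered service for this driver on a workstation that has no ASRock board, or a copy of the file outside the driver store, is worth treating as an incident rather than a stray vendor utility.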

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

2 Comments
  • This RGB exploit was published two years ago and ASRock still have not patched it?
  • What is truly stunning is that Windows STILL auto-installs BIOS-loaded applications during installation. Such a security hole. I have an Asus motherboard and even with a clean fdisk and all partition wipe with clean MSDN ISO install, if I don't turn off BIOS options to not load an ASUS tool, Windows will load a manufacturer tool of unknown standing. Came as quite a shock. Now I know every BIOS update I have to turn that option off before starting Windows. Windows should block software utilities loading automatically from the BIOS.