Keylogger in Hewlett-Packard Audio Driver

Keylogger in Hewlett-Packard Audio Driver

A couple of days ago it was announced that certain HP audio drivers contain a keylogger. No one knows how or why. Then on Friday last week, I had a technical meeting with a new 1E customer and I mentioned this vulnerability to them (because they had mostly standardized on HP desktops and laptops).

They were not aware of this keylogger either and promptly asked their security team if they were aware of it. They weren’t. However, they did say they would request inventory data from the ConfigMgr team to see if they had any of the affected HP devices with the specified driver versions. They estimated that the overall process of collecting the data would take ConfigMgr about 2-3 days, but in all likelihood, it would probably take much longer. I asked them if there was a way that this could be sped up as 2-3 days (or possibly a week) is a long time, particularly when you have a security risk that needs to be investigated quickly. I even asked them if they wanted to do it faster. Their response was, “We should have remediated against this vulnerability yesterday or better still, the day before yesterday!”

Therefore, it was not just the fact they could not react faster, but that they were not able to get visibility of the potential risk fast enough either. On top of that, both the End-User Client team (EUC) and the Security team were working in silos. The EUC passed the information onto the Security team and they responded with an action, but then the EUC team had to pass that information back to the Security team to figure out how they should proceed.

I interrupted their ongoing conversation about what should be done and asked them if I could show them how they can investigate and remediate against this vulnerability now, using Tachyon, which they had just licensed from 1E.

The process I showed them is simple. With Tachyon’s out-of-the-box experience, the IT Admin can ask – in real time – “Which computers have the keylogger files MicTray64.exe or MicTray.exe, regardless of where they are located on the machine”? In just a few seconds, Tachyon Explorer shows the response from all the affected devices from across their entire estate – which came to a total of just over 800 computers. I then showed them how to run a follow-up action to delete these files. At this point Tachyon’s impactful changes approval workflow kicks in, which by default requires a second person to approve any updates on the endpoints.

We then performed a similar process to remove the keylogger collection file MicTray.log. Again, this process took us less than a minute to perform including the live query against their estate and performing the follow-up action.

Lastly, and for completeness, we decided to delete the Scheduled Task that starts the MicTray key logging software on computer start-up. Again, this took us less than a minute to accomplish with Tachyon.

The EUC team were amazed at how quickly we had been able to resolve this issue.   The security team were equally impressed.  This entire process of finding out which devices were affected and deleting the executable program, the log files and disabling the service had only taken about 4-5 minutes.  You would think that would have been the end of our discussion, but they wanted to know how they would cope when “the vendor” was not around to run the show. Specifically, they wanted to know how their offshore service desk staff could perform this task.

Now, this is the clever part of Tachyon – it allows you to abstract these complex tasks into a single instruction that any IT team member can use.

Our set of instructions for resolving this incident is easily converted into a series of steps into a Tachyon Product Pack.   So now all that an IT support team member needs to do to fix this problem in the future is type three or more characters from this newly created instruction:

[“Remove and disable the HP audio driver with a key logger and any associated log files”]

When it appears in Tachyon Explorer, you simply select it and set it to run.

We can also easily share this Product Pack with other Tachyon users, via the Tachyon Community, through the Tachyon Exchange. In fact, I did not even need to write the instructions for this vulnerability as someone else had already submitted this Product Pack to the Tachyon Exchange*, and it was available to me through the Tachyon Community. The Tachyon community really helps other Tachyon customers respond to these types of zero-day vulnerabilities faster than ever before.

One last point worth noting is that because Tachyon also connects to endpoints outside of your corporate network, any devices used by remote workers, regardless of which OS they are running, are still accessible to Tachyon.  It really is the fastest platform to query and control all endpoints.

*The Tachyon Exchange is where the community can find Tachyon Product Packs and share their own Tachyon Instructions with other 1E community members. It was designed to support the easy exchange of Product Packs with other Tachyon Community members.

Watch this short video that shows in detail how Tachyon can make the changes you need to make across all your endpoints in seconds.

 

 

Share this post

Share this post on your favourite social media platform.

Find this article useful?

If so please click here