EDR and Antivirus: Weaponizing Against Users
High-severity security vulnerabilities have been disclosed in several endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers. Of the 11 security products tested, researchers found that six were vulnerable to the zero-day wiper exploit, prompting vendors to release updates:
- Defender
- Defender for Endpoint
- SentinelOne EDR
- TrendMicro Apex One
- Avast Antivirus
- AVG Antivirus
The exploit chain described by the researchers is:
- Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
- Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot
- Delete the C:\temp directory
- Create a junction C:\temp → C:\
- Reboot
Analyst comments:
The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system, rendering the machine inoperable, by using specially crafted paths. Security controls are an attractive target for attackers because of their high privileges and the high level of trust placed in them. The researchers did not test every security product on the market, so additional products may well be susceptible to similar attacks.
The vulnerable products above could be leveraged by using data wipers, such as the Aikido Wiper Tool, which is currently implemented to exploit vulnerabilities in Windows Defender, Windows Defender for Endpoint, and SentinelOne EDR and is available for download on GitHub:
- hxxps[:]//github[.]com/SafeBreach-Labs/aikido_wiper
Mitigation tips:
Initial access wasn't specified, and it is unclear whether these vulnerabilities are being used in attacks. Specially crafted files containing the Aikido wiper tool or a variant could be delivered to unsuspecting users in phishing attacks or hosted on malicious or otherwise fake websites.
Vulnerable security products could also be abused by an attacker who has already obtained access to internal networks. So far, three vendors have issued patches to correct these TOCTOU vulnerabilities: Microsoft Malware Protection Engine 1.1.19700.2; TrendMicro Apex One Hotfix 23573 and Patch_b11136; and Avast & AVG Antivirus 22.10.
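A host check that an analyst can run before a reboot completes the chain, as an added example here rather than the researchers' or any vendor's tooling: it reads the deletions deferred to next boot from the PendingFileRenameOperations registry value and flags any whose path crosses a junction or other reparse point into a protected directory. The protected-root list is an assumption to adjust for your estate.

```powershell
# Added example (not from the advisory). Deferred deletions are recorded as
# source/destination pairs in PendingFileRenameOperations; an empty destination
# means "delete at boot". Sources carry the NT \??\ prefix, which we strip.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$value = 'PendingFileRenameOperations'
$ops   = (Get-ItemProperty -LiteralPath $key -Name $value -ErrorAction SilentlyContinue).$value
if (-not $ops) { Write-Output 'No pending rename/delete operations.'; return }

# Assumed list of roots a deferred deletion should never resolve into.
$protectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

for ($i = 0; $i -lt $ops.Count; $i += 2) {
    $src = $ops[$i] -replace '^\\\?\?\\', ''
    $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
    if ($dst) { continue }   # a rename, not a deferred delete; out of scope here

    # Walk the ancestors of the source path; if one is a reparse point (junction,
    # symlink), rewrite the path through its target to see where it really lands.
    $resolved = $src
    $dir = Split-Path -LiteralPath $src -Parent
    while ($dir) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
            $target = @($item.Target)[0]   # Target/LinkType exist on PowerShell 5.1+
            if ($target) {
                $resolved = $target.TrimEnd('\') + $src.Substring($dir.Length)
            }
            break
        }
        $dir = Split-Path -LiteralPath $dir -Parent
    }

    $hit = $protectedRoots | Where-Object { $resolved.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($resolved -ne $src -or $hit) {
        [pscustomobject]@{
            PendingPath = $src
            ResolvesTo  = $resolved
            ViaReparse  = ($resolved -ne $src)
            InProtected = [bool]$hit
        }
    }
}
```

Run it elevated; a deferred deletion under a user-writable directory that resolves into the Windows directory is the pre-reboot signature of the chain above and can still be cleared before the restart.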
Related Reading: