
How EDR and Antivirus Can Be Weaponized Against Users, Researchers Demonstrate

High-severity security vulnerabilities have been disclosed in several endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers. Of the 11 security products tested, researchers found six vulnerable to the zero-day wiper exploit, prompting vendors to release updates:
  • Defender
  • Defender for Endpoint
  • SentinelOne EDR
  • TrendMicro Apex One
  • Avast Antivirus
  • AVG Antivirus
Researchers were able to weaponize the SentinelOne EDR solution and delete data from targeted systems where it was running by using a junction point, via the following steps:
  • Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
  • Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot
  • Delete the C:\temp directory
  • Create a junction C:\temp → C:\
  • Reboot
They noted two main events when an EDR deletes files: first, the EDR identifies a file as malicious; then it deletes the file. The researchers used the window of opportunity between these two events to point the EDR towards a different path so that it deletes system data. For example, the EDR detects a malicious file under C:\users\ and flags that file or directory for deletion; in the scenario above, an attacker could trick the EDR solution into deleting files at C:\ instead of C:\users\, and depending on which directory the attacker selected, the targeted system could be rendered inoperable. These types of attacks are referred to as “time-of-check to time-of-use” (TOCTOU) vulnerabilities.
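The TOCTOU window described above, shown as an added example that is not SafeBreach's tool nor any vendor's code: the deletion routine snapshots the resolved path at time-of-check and, at time-of-use, refuses to unlink if any path component has become a junction or symlink, or if the path no longer resolves to the same file it flagged. The scenario is rebuilt in a temporary directory with a symlink standing in for the NTFS junction; all paths and files are constructed.

```python
import os
import shutil
import stat
import tempfile

def is_reparse_point(path):
    """True if path itself is a symlink or, on Windows, a junction/reparse point."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(
        attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def has_reparse_component(path):
    """Check every prefix: a junction anywhere in the path (C:\\temp in the attack) redirects the unlink."""
    cur = ""
    for comp in os.path.abspath(path).split(os.sep):
        cur = os.path.join(cur, comp) if cur else comp + os.sep
        if is_reparse_point(cur):
            return True
    return False

def safe_delete(flagged_path, real_at_check):
    """Time-of-use deletion that re-validates the path before acting."""
    if has_reparse_component(flagged_path):
        return "refused:reparse-point"
    if os.path.realpath(flagged_path) != real_at_check:
        return "refused:path-changed"
    os.remove(flagged_path)
    return "deleted"

def demo(use_safe=True):
    """Constructed scenario: 'root' stands in for C:\\, root/temp for the attacker-writable
    C:\\temp, a symlink for the junction. Returns (verdict, whether the 'system' file survived)."""
    root = os.path.join(os.path.realpath(tempfile.mkdtemp()), "root")
    sysfile = os.path.join(root, "Windows", "System32", "drivers", "ndis.sys")
    flagged = os.path.join(root, "temp", "Windows", "System32", "drivers", "ndis.sys")
    for p in (sysfile, flagged):
        os.makedirs(os.path.dirname(p))
        open(p, "w").close()
    real_at_check = os.path.realpath(flagged)  # time-of-check snapshot
    shutil.rmtree(os.path.join(root, "temp"))  # deletion deferred to "reboot"
    os.symlink(root, os.path.join(root, "temp"))  # the C:\temp -> C:\ swap
    if use_safe:
        return safe_delete(flagged, real_at_check), os.path.exists(sysfile)
    os.remove(flagged)  # the vulnerable behaviour: unlink the stored path as-is
    return "deleted", os.path.exists(sysfile)
```

Running `demo(use_safe=False)` shows the stored path now resolving onto the stand-in system file, while `demo()` refuses because a prefix of the path became a link after the check.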
ThreatAdvice Breach Prevention Platform Analyst comments:
The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system, rendering the machine inoperable, by using specially crafted paths. Security controls can be a preferred target for attackers because of their high privileges and high level of trust. The researchers did not test every security product available on the market, so other products may also be susceptible to similar attacks.
 
The vulnerable products above could be abused by data wipers such as the Aikido Wiper tool, which currently exploits the vulnerabilities in Windows Defender, Windows Defender for Endpoint, and SentinelOne EDR and is available for download on GitHub:
  • hxxps[:]//github[.]com/SafeBreach-Labs/aikido_wiper
The Aikido wiper performs its malicious actions through the most trusted entity on the system, typically the EDR or antivirus software, since EDRs and AVs do not restrict themselves from deleting files. To avoid creating an actually malicious file, the wiper creates an EICAR test file instead; EDRs and AVs delete this file even though it is not malicious. The wiper can delete all the contents of an administrator user's directory. To escalate the file deletion to a full wipe, the wiper runs when the computer reboots and fills the disk to capacity with random bytes several times. The wiper has all the qualities listed above and can be used effectively by an unprivileged user.
 
Mitigation tips:
The initial access vector was not specified, and it is unclear whether these vulnerabilities are being used in attacks. Specially crafted files containing the Aikido wiper tool or a variant could be delivered to unsuspecting users in phishing attacks or hosted on malicious or otherwise fake websites.
 
Vulnerable security products could also be abused by an attacker who has already obtained access to internal networks. So far, three vendors have issued patches to correct these TOCTOU vulnerabilities: Microsoft Malware Protection Engine 1.1.19700.2, TrendMicro Apex One Hotfix 23573 & Patch_b11136, and Avast & AVG Antivirus 22.10.
 