Or Yair of SafeBreach Labs recently discovered multiple security Zero-Day vulnerabilities that could be exploited by the threat actors to create next-generation wipers by converting the endpoint detection & response and antivirus products.
At the BlackHat Europe cybersecurity conference, the technical team presented the identified flaws that led to the EDR and AV exploits.
The researcher was able to exploit the flaws discovered to delete arbitrary files and directories on the system as well as render the machine inoperable as a consequence.
Next-Generation Wiper Tool
Aikido is the wiper tool that has been developed by the Or Yair of SafeBreach Labs, and the purpose of this wiper is to defeat the opponent by using their own power against them.
As a consequence, this wiper can be run without being given privileges. In addition, it is also capable of wiping almost every file on a computer, including the system files, in order to make it completely unbootable and unusable.
EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:-
- Time of threat identification
- Time of threat deletion
As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity.
This wiper makes use of a feature in Windows allowing users to create junction point links (symlinks) regardless of the privileges of the users’ accounts, which is abused by this wiper.
A user who does not have the required permissions to delete system files (.sys) will not be able to delete those files according to Yair. By creating a decoy directory, he was able to trick the security product to delete the file instead of preventing it from being deleted.
Likewise, he placed a string inside the group that resembled the path intended for deletion, for example, as follows:-
- C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers
Qualities of the Aikido Wiper
Here below we have mentioned all the general qualities of the Aikido Wiper:-
- Fully Undetectable
- Makes the System Unbootable
- Wipes Important Data
- Runs as an Unprivileged User
- Deletes the Quarantine Directory
Product analysis and response from the vendor
It was found that six out of 11 security products tested by Or Yair were vulnerable to this exploit. In short, over 50% of the products in this category that is tested are vulnerable.
Here below we have mentioned the vulnerable ones:-
- Defender
- Defender for Endpoint
- SentinelOne EDR
- TrendMicro Apex One
- Avast Antivirus
- AVG Antivirus
Here below we have mentioned the products that are not vulnerable:-
- Palo Alto XDR
- Cylance
- CrowdStrike
- McAfee
- BitDefender
Between the months of July and August of this year, all the vulnerabilities have been reported to all the vendors that have been affected. There was no arbitrary file deletion achieved by the researcher in the case of Microsoft Defender and Microsoft Defender for Endpoint products.
In order to cope with the vulnerabilities, three of the vendors have issued the following CVEs:-
- Microsoft: CVE-2022-37971
- TrendMicro: CVE-2022-45797
- Avast & AVG: CVE-2022-4173
This exploit was also addressed by three of the software vendors by releasing updated versions of their software to address it:-
- Microsoft Malware Protection Engine: 1.1.19700.2
- TrendMicro Apex One: Hotfix 23573 & Patch_b11136
- Avast & AVG Antivirus: 22.10
This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.
For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book
