EDR and AV could be turned into powerful next-generation wipers


What happens when the program which you installed to keep your system protected, turns into a powerful undetected wiper? Recently SafeBreach presented this research at Blackhat Europe where Or Yair, Security Researcher from SafeBreach Labs disclosed multiple zero-day vulnerabilities that turn EDR and AV tools into next-generation wipers which could impact millions of endpoints worldwide.
"This wiper runs with the permissions of an unprivileged user yet can wipe almost any file on a system, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable. I first presented this research in a presentation at BlackHat Europe today. This is a summary of the presentation." Or Yair wrote.
Or Yair explained that previous technology that is used in CaddyWiper, DoubleZero, IsaacWiper, etc used file overwriting to wipe the data but it requires administrative privileges when it comes to deleting system files or the files which need administrative permission to open it but current day wiper like KillDisk, Petya wiper, WisperGate, and DriveSlayer uses drive-destruction technique so it can overwrite the boot-sequence that belong to NTFS and file content but it also needs higher permission to wipe out completely.
The author finds the opportunity between the 'Time of threat identification and 'Time of threat deletion' which is called TOCTOU (time-to-check to time-to-use) vulnerability. During the research, auther find a vulnerability in Defender, Defender for Endpoint, SentinelOne EDR, Trendmicro Apex One, Avast Antivirus, AVG Antivirus with the CVE-2022-37971, CVE-2022-45797 and CVE-2022-4173. author report all these vulnerabilities to the affected vendors.

Overview of the Aikido Wiper Tool

The Aikido iperTool is implemented with exploits for the vulnerabilities found in SentinelOne’s EDR, Microsoft Defender, and Microsoft Defender for Endpoint. The exploits for these products were the most consistent and easiest to implement in a wiper, which is why I chose them.

General Qualities of the Aikido Wiper:

Fully Undetectable

The wiper executes its malicious actions using the most trusted entity on the system—the EDR or AV. EDRs and AVs do not prevent themselves from deleting files.

NOTE: In order to minimize the action of creating a malicious file, the wiper creates an EICAR file instead of a real malicious file. This file is deleted by EDRs and AVs and, at the same time, is not really malicious.

Makes the System Unbootable

The wiper is able to delete system files like drivers and, as a result, can prevent the operating system from being able to boot.

Wipes Important Data

The wiper is able to delete all the content of an administrator user directory. That is just an example of the importance of the data that the wiper is able to delete.

NOTE: In order to escalate the file deletion to a wipe, the wiper runs when the computer reboots and fills up the disk to no space with random bytes a few times. Doing that ensures that any data from deleted files that was left on the disk is overwritten and wiped.

Runs as an Unprivileged User

The wiper has all the qualities listed above and still runs as an unprivileged user.

Deletes the Quarantine Directory

The wiper can manipulate an EDR or AV to delete the quarantine directory too. If the target files are quarantined, they can still be deleted.

No comments:

Schneider Electric Confirms Data Theft in Developer Platform Hack

  Schneider Electric, a leading French multinational in energy and automation solutions, has confirmed that a cybersecurity incident involvi...