Effective URL: https://www.darkreading.com/vulnerabilities-threats/cyberattackers-popular-edr-tools-destructive-data-wipers?mkt_tok=NTM1LUl...
Vulnerabilities/Threats
News



FOR CYBERATTACKERS, POPULAR EDR TOOLS CAN TURN INTO DESTRUCTIVE DATA WIPERS

Microsoft, three others release patches to fix a vulnerability in their
respective products that enables such manipulation. Other EDR products
potentially are affected as well.
Jai Vijayan
Contributing Writer, Dark Reading
December 07, 2022


Many trusted endpoint detection and response (EDR) technologies may contain a
vulnerability that lets attackers manipulate the products into erasing virtually
any data on the systems where they are installed.



Or Yair, a security researcher at SafeBreach who discovered the issue, tested 11
EDR tools from different vendors and found six — from a total of four vendors —
were vulnerable. The vulnerable products were Microsoft Windows Defender,
Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG
Antivirus, and SentinelOne.


FORMAL CVES AND PATCHES

Three of the vendors assigned formal CVE numbers to the bugs and issued patches
for them before Yair disclosed the issue at the Black Hat Europe conference on
Wednesday, Dec. 7.



At Black Hat, Yair released proof-of-concept code dubbed Aikido that he
developed to demonstrate how a wiper, with just the permissions of an
unprivileged user, could manipulate a vulnerable EDR into wiping almost any file
on the system, including system files. "We were able to exploit these
vulnerabilities in more than 50% of the EDR and AV products we tested, including
the default endpoint protection product on Windows," Yair said in a description
of his Black Hat talk. "We are lucky to have this discovered prior to real
attackers, as these tools and vulnerabilities could have done a lot of damage
falling in the wrong hands." He described the wiper as likely being effective
against hundreds of millions of endpoints running EDR versions vulnerable to the
exploit.



In comments to Dark Reading, Yair says he reported the vulnerability to the
affected vendors between July and August. "We then worked closely with them over
the next several months on the creation of a fix prior to this publication," he
says. "Three of the vendors released new versions of their software or patches
to address this vulnerability." He identifies the three vendors as Microsoft,
TrendMicro and Gen, the maker of the Avast and AVG products. "As of today, we
have not yet received confirmation from SentinelOne about whether they have
officially released a fix," he says.

Yair describes the vulnerability as having to do with how some EDR tools delete
malicious files. "There are two crucial events in this process of deletion," he
says. "There is the time the EDR detects a file as malicious and the time when
the file is actually deleted," which sometimes can require a system reboot. Yair
says he discovered that between these two events an attacker has the opportunity
to use what are known as NTFS junction points to direct the EDR to delete a
different file than the one that it identified as malicious.



NTFS junction points are similar to symbolic links, which are shortcut files
pointing to folders and files located elsewhere on a system, except that
junctions link directories, including directories on other local volumes of the
same system.


TRIGGERING THE ISSUE

Yair says that to trigger the issue on vulnerable systems he first created a
malicious file — using only the permissions of an unprivileged user — so that the
EDR would detect the file and attempt to delete it. He then found a way to force
the EDR to postpone deletion until after reboot, by keeping the malicious file
open. His next step was to create a C:\TEMP\ directory on the system, make it a
junction to a different directory, and arrange things so that when the EDR
product attempted to delete the malicious file after reboot, it followed a path
to a different file altogether. Yair found he could use the same trick to delete
multiple files in different places on a computer by creating one directory
shortcut and putting specially crafted paths to the targeted files within it for
the EDR product to follow.

Yair says that with some of the tested EDR products, he was not able to do
arbitrary file deletion but was able to delete entire folders instead.

The vulnerability affects EDR tools that postpone deletion of malicious files
until after a system reboot. In these instances, the EDR product stores the path
to the malicious file in some location — which varies by vendor — and uses that
path to delete the file after rebooting. Yair says some EDR products don't check
whether the stored path still leads to the same file after reboot, giving
attackers a window in which to insert a shortcut into the middle of the path.
Such vulnerabilities fall into a class known as time-of-check/time-of-use
(TOCTOU) vulnerabilities, he notes.
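As an added illustration of the defensive side of this TOCTOU class (example code written for this page, not SafeBreach's Aikido code or any vendor's fix), the following Python records the identity of a flagged file at time of check and refuses the deferred deletion if any path component has since become a link or the file object is no longer the one that was flagged. It assumes Python 3.9+ and uses a symlink as a stand-in for an NTFS junction so the scenario runs on any OS.

```python
import os
import stat
import tempfile
REPARSE_POINT = 0x400  # FILE_ATTRIBUTE_REPARSE_POINT: set on NTFS junctions and symlinks
def _is_link(st: os.stat_result) -> bool:
    """Symlink on POSIX, or any reparse point (junction, symlink) on Windows."""
    return stat.S_ISLNK(st.st_mode) or bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)

def file_identity(path: str) -> tuple[int, int]:
    st = os.lstat(path)  # (device, inode / file index) names the file object, not its path
    return (st.st_dev, st.st_ino)

def record_detection(path: str) -> tuple[str, tuple[int, int]]:
    """Time of check: store the absolute path AND the identity of the flagged file."""
    path = os.path.abspath(path)
    return path, file_identity(path)

def path_has_link(path: str) -> bool:
    """lstat every component (lstat never follows links); reject any junction/symlink."""
    drive, rest = os.path.splitdrive(path)
    current = drive + os.sep
    for part in rest.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if _is_link(os.lstat(current)):
            return True
    return False

def safe_deferred_delete(path: str, identity: tuple[int, int]) -> bool:
    """Time of use: delete only if no component became a link and the file object is unchanged."""
    try:
        if path_has_link(path) or file_identity(path) != identity:
            return False
    except FileNotFoundError:
        return False
    os.remove(path)
    return True

def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: flag sub/evil.txt, then swap 'sub' for a link to a decoy directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # resolve any /tmp-style symlink so only OUR link trips the check
        sub, other = os.path.join(root, "sub"), os.path.join(root, "other")
        os.mkdir(sub), os.mkdir(other)
        flagged, decoy = os.path.join(sub, "evil.txt"), os.path.join(other, "evil.txt")
        open(flagged, "w").close(), open(decoy, "w").close()
        path, ident = record_detection(flagged)
        os.rename(sub, sub + ".bak")                      # the swap: 'sub' now leads elsewhere
        os.symlink(other, sub, target_is_directory=True)  # stand-in for an NTFS junction
        blocked, decoy_alive = safe_deferred_delete(path, ident), os.path.exists(decoy)
        legit = safe_deferred_delete(*record_detection(decoy))  # honest path: no link, same object
        return blocked, decoy_alive, legit
```

A user-mode re-check still leaves a small window between check and removal, so a production fix would also delete through a handle opened without following reparse points rather than by path.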

Yair says that in most cases, organizations can recover deleted files. So,
getting an EDR to delete files on a system by itself, while bad, isn't the worst
case. "A deletion is not exactly a wipe," Yair says. To achieve that, Yair
designed Aikido so it would overwrite files it had deleted, making them
unrecoverable as well.

He says the exploit he developed is an example of an adversary using an
opponent's strength against them, just as in the Aikido martial art. Security
products such as EDR tools have super-user rights on systems, and an adversary
who is able to abuse them can execute attacks in a virtually undetectable
manner. He likens the approach to an adversary turning Israel's famed Iron Dome
missile defense system into an attack vector.

Copyright © 2022 Informa PLC Informa UK Limited is a company registered in
England and Wales with company number 1072954 whose registered office is 5
Howick Place, London, SW1P 1WG.