There have been high-severity security vulnerabilities disclosed in different endpoint protection and anti-virus software that could be used to compromise these programs and gain access to sensitive data.
“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable,” the SafeBreach Labs researcher Yair said. “It does all that without implementing code that touches the target files, making it fully undetectable.”
How Does It Work?
By default, EDR software is designed to continuously scan a machine for potentially suspicious or malicious files, and take appropriate actions, such as removing or quarantining them.
The idea behind this attack is to trick vulnerable security software into deleting legitimate programs and folders on the system and rendering the computer inoperable by using specially crafted file names.
A soft-linked directory is one that points to another directory instead of serving its own content directly.
Put differently, between the time the anti-virus software detects a virus and the time it tries to remove it, the attacker creates a shortcut that points the software at another location, such as the C:\ drive, so that the software believes the virus has been removed when it has not.
The approach did not result in a successful attack because EDRs prevented further attempts at accessing the infected files. Furthermore, if the rogue files were deleted by the end-users, the software was smart enough to recognize the deletion and prevent any future actions.
The attacker's way around this obstacle came in the form of a tool called Aikido, which creates a malicious file in a fake folder and grants it no permissions, causing the EDR tools to defer the deletion until the next reboot.
If the attacker deletes the folder where the malicious executable resides, creates a junction pointing to the target folder, and reboots the system, then the malware will no longer run.
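The check that the junction redirection described above depends on being absent, as an added defender-side example (not code from this page or from SafeBreach): a deferred deletion that re-resolves the flagged path and refuses to act if any component has become a link or junction or the path no longer resolves where it did at detection time. The function names and the constructed scenario are assumptions, and a Linux symlink stands in for the Windows junction.

```python
import os
import stat
import tempfile


def has_link_component(path: str) -> bool:
    """True if any component of path is a symlink or, on Windows, a reparse point (junction)."""
    parts = os.path.normpath(os.path.abspath(path)).split(os.sep)
    current = parts[0] + os.sep if parts[0] else os.sep
    for part in parts[1:]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)            # lstat: do not follow the link itself
        except FileNotFoundError:
            return False
        if stat.S_ISLNK(st.st_mode):
            return True
        reparse = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
        if getattr(st, "st_file_attributes", 0) & reparse:
            return True
    return False


def safe_delete(path: str, resolved_at_detection: str) -> bool:
    """Deferred deletion that refuses to follow a redirected path. Returns True only on deletion."""
    if has_link_component(path):
        return False                          # a directory was swapped for a link/junction
    if os.path.realpath(path) != resolved_at_detection:
        return False                          # path no longer resolves where it did at detection
    os.remove(path)
    return True


def demo() -> dict:
    """Constructed scenario (assumption): quarantine dir replaced by a link before deferred deletion."""
    with tempfile.TemporaryDirectory() as root:
        quarantine, target = os.path.join(root, "quarantine"), os.path.join(root, "target")
        os.mkdir(quarantine)
        os.mkdir(target)
        flagged = os.path.join(quarantine, "evil.exe")   # file the scanner flagged
        victim = os.path.join(target, "evil.exe")        # legitimate file with the same name
        open(flagged, "w").close()
        open(victim, "w").close()
        resolved = os.path.realpath(flagged)             # 1. record resolution at detection time
        os.remove(flagged)                               # 2. attacker swaps the directory for a link
        os.rmdir(quarantine)
        os.symlink(target, quarantine)
        deleted = safe_delete(flagged, resolved)         # 3. naive os.remove(flagged) would hit victim
        return {"deleted": deleted, "victim_intact": os.path.exists(victim)}
```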
If successful, weaponizing the method could result in the removal of important driver software, preventing the operating systems from starting up. It can also be used to delete all user accounts, including administrative ones.
Of the eleven security products that were tested for vulnerabilities, six were shown to be vulnerable to the zero-day attack, prompting the affected vendors to issue updates to fix the problem.
- CVSS score: 7.1 – Microsoft Defender and Defender for Endpoint
- CVSS score: 7.1 – Trend Micro Apex One
- CVSS score: 8.8 – Avast and AVG Antivirus
“The wiper executes its malicious actions using the most trusted entity on the system — the EDR or AV,” Yair said. “EDRs and AVs do not prevent themselves from deleting files.”