Antivirus and EDR solutions tricked into acting as data wipers

Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,264
Content source
https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/
A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers.

Wipers are a special type of destructive malware that purposely erases or corrupts data on compromised systems and attempts to make it so that victims cannot recover the data.

SafeBreach researcher Or Yair came up with the idea to exploit existing security tools on a targeted system to make the attacks more stealthy and remove the need for a threat actor to be a privileged user to conduct destructive attacks.

Also, abusing EDRs and AVs for data wiping is a good way to bypass security defenses as the file deletion capabilities of security solutions are expected behavior and would likely be missed.
Click to expand...
Impact and response

Yair tested the exploit against 11 security tools and found that Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus were all vulnerable.

Security solutions that were not exploitable include Palo Alto, Cylance, CrowdStrike, McAfee, and BitDefender, which the analyst also tested.

Aikido features exploits for vulnerabilities found in Microsoft Defender, Defender for Endpoint, and SentinelOne EDR because they were the easiest to implement on the wiper tool.

Yair reported the flaws to all vulnerable vendors between July and August 2022, and they have all released fixes by now.

The vulnerability IDs assigned by the vendors for this issue are CVE-2022-37971 (Microsoft), CVE-2022-45797 (Trend Micro), and CVE-2022-4173 (Avast and AVG).

The fixed versions are:
  • Microsoft Malware Protection Engine: 1.1.19700.2 or later
  • TrendMicro Apex One: Hotfix 23573 & Patch_b11136 or later
  • Avast & AVG Antivirus: 22.10 or later
All users of the above products are recommended to apply the security updates as soon as possible to mitigate the severe risk of having their files wiped by malware mimicking the Aikido wiper functionality.
Click to expand...
www.bleepingcomputer.com

Antivirus and EDR solutions tricked into acting as data wipers

A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: mellowtones242, CyberTech, silversurfer and 7 others
You must log in or register to reply here.

Similar threads

Adrian Ścibor
    • Like
    • +Reputation
    • Applause
AVLab.pl Protection effectiveness of EDR solutions against Internet threats
Replies
10
Views
1,110
Security Statistics and Reports
Moonhorse
Moonhorse
Adrian Ścibor
    • Like
    • +Reputation
    • Hundred Points
EDR-XDR solutions overview - visibility of attacks in telemetry based on offensive fileless attacks
Replies
3
Views
502
Security Statistics and Reports
Adrian Ścibor
Adrian Ścibor
upnorth
    • Like
    • +Reputation
    • Thanks
Security News New ‘Pool Party’ Process Injection Techniques Undetected by EDR Solutions
Replies
0
Views
1,346
Security News
upnorth
upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top