Get Started
Jan 3, 2023

Major Security Weakness Lets Attackers Wipe Sensitive Data

Press enter button on the keyboard computer Protective shield virus red Exclamation Warning Caution Computer in dark with word virus data wipers

The primary purpose of the SafeBreach Labs team is to identify emerging security threats and share updated information with users. On December 7, 2022, cybersecurity expert Or Yair discovered a hacking technique that utilizes the data deletion features of Endpoint detection and response (EDR) and antivirus (AV) applications, such as Microsoft, SentinelOne, and TrendMicro, to transform them into data wipers. With this method, attackers can fool antivirus software into erasing data, potentially impacting millions of endpoints in the future. Let me elaborate.

What are data wipers?

Data wipers are devices or computer programs that remove data from compromised software. The malware replaces original data with new information, making it impossible to recover deleted files.

Yair discovered multiple software flaws that allowed him to create a powerful next-generation wiper.

Yair tested out two theories that led to his discovery:

  •  What if a file-wiper didn't delete files by making these blatant API calls?
  • What if this new wiper could delete these files as a non-privileged user as well?

(SafeBreach)

Research shows that Yairs made a temporary folder. The goal was for it to be identified as malicious. Before the EDR could remove the file, he replaced it with a legit Windows file. Thanks to a junction, the software referred to the real file, confusing the software.

When he tested this idea on Windows, he noted that once the software rebooted, it began deleting all the paths of data and blindly followed the junctions the end user requested, clearing all documents and files permanently. (SafeBreach)

Why is this an issue for the security of software?

Blair states that this wiper can delete practically any file on a system and make a machine fully unbootable while operating with the permissions of an ordinary user. It does this without putting any code into the target files, making it completely undetected.

MyBrandband states, "The exploit can be used to carry out stealthy attacks and remove the need to be a privileged user to run destructive attacks. Data wiping attacks by abusing AVs and EDRs can effectively bypass a system's defenses as the file deletion features of security solutions are expected behavior and would likely be overlooked."

Overall, Blair illuminates this vital information to all secure and well-known software:

  • If a wiper performs its malicious acts through the proxy of an EDR or AV, a trusted entity on the system, it becomes considerably more harmful.
  • The existence of security measures does not guarantee an organization's security.
  • Due to their extensive authority and high trust, security controls like EDR or AV will be a favorite target for attackers.

The Infiniwiz technical team in the Chicagoland area takes a proactive approach to your cybersecurity. We set up the proper IT protocols and help you implement the employee procedures to keep your data and network safe from online hackers. However, make sure to do your part in staying alert. If you have any more questions, feel free to contact us!

Technology Insights

Best ways to support small business IT

Best ways to support small business IT

Small businesses form the backbone of our economy, contributing to job creation, innovation, and community...
Read More
Podcast: Microsoft Copilot

Podcast: Microsoft Copilot

[audio mp3="https://www.infiniwiz.com/wp-content/uploads/2024/08/Podcast-Microsoft-Copilot-New.mp3"][/audio]
Read More
What is PCI Compliance? Data Security for the Payment Card Industry

What is PCI Compliance? Data Security for the Payment Card Industry

PCI compliance is a must for any business that handles credit card payments. It’s a...
Read More
chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram