The primary purpose of the SafeBreach Labs team is to identify emerging security threats and share updated information with users. On December 7, 2022, cybersecurity expert Or Yair disclosed a hacking technique that abuses the file-deletion features of Endpoint Detection and Response (EDR) and antivirus (AV) products, such as those from Microsoft, SentinelOne, and TrendMicro, to turn them into data wipers. With this method, attackers can fool the security software into erasing data on its behalf, potentially impacting millions of endpoints in the future. Let me elaborate.
What are data wipers?
Data wipers are devices or computer programs that destroy data on a compromised system. Rather than simply deleting files, wiper malware overwrites the original contents with new data, so the deleted files cannot be recovered.
Yair discovered multiple software flaws that allowed him to create a powerful next-generation wiper.
Yair tested out two theories that led to his discovery:
- What if a file wiper didn't delete files by making the usual, easily detected API calls?
- What if this new wiper could also delete these files as a non-privileged user?
Yair first created a temporary folder containing a file crafted to be flagged as malicious. Before the EDR could remove the file, he swapped the path out for a junction pointing at a legitimate Windows file, so the security software's pending deletion now referred to the real file instead of the decoy.
When he tested this idea on Windows, he observed that once the system rebooted, the security software carried out the deferred deletions and blindly followed the junctions, permanently clearing the documents and files it had been redirected to. (SafeBreach)
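As an added illustration (not code from SafeBreach or from the original post), here is the kind of check a deletion routine needs before acting on a path it flagged earlier: it refuses to delete if any component of the path has since become a link or junction, or if the resolved file lies outside the quarantine folder. The scenario is constructed, uses a POSIX symlink in place of a Windows junction, and assumes Python 3.8 or later (where os.path.realpath resolves junctions).

```python
import os
import tempfile


def safe_delete(path: str, quarantine_root: str) -> bool:
    """Remove `path` only if it is still where it was flagged: under the
    quarantine root and reached through no symlink or junction.
    Returns True when the file was deleted, False when it was refused."""
    root = os.path.realpath(quarantine_root)
    rel = os.path.relpath(os.path.abspath(path), os.path.abspath(quarantine_root))
    if rel == os.pardir or rel.startswith(os.pardir + os.sep) or os.path.isabs(rel):
        return False  # not inside the quarantine folder at all
    expected = os.path.normpath(os.path.join(root, rel))
    resolved = os.path.realpath(path)
    # A link or junction anywhere in the path makes the real target differ
    # from the path we were asked to delete: refuse instead of following it.
    if resolved != expected or not os.path.isfile(resolved):
        return False
    os.remove(resolved)
    return True


def demo() -> dict:
    """Constructed scenario: a subfolder of the quarantine directory has been
    swapped for a link to a 'system' folder (a symlink stands in for the
    Windows junction so this runs on POSIX)."""
    base = tempfile.mkdtemp()
    quarantine = os.path.join(base, "quarantine")
    system = os.path.join(base, "system")
    os.makedirs(quarantine)
    os.makedirs(system)
    flagged = os.path.join(quarantine, "flagged.txt")  # file the AV marked malicious
    protected = os.path.join(system, "important.dll")  # legitimate file elsewhere
    for p in (flagged, protected):
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
    # The swap described in the post: the quarantined path now redirects to 'system'.
    os.symlink(system, os.path.join(quarantine, "redir"))
    redirected = os.path.join(quarantine, "redir", "important.dll")
    return {
        "flagged_removed": safe_delete(flagged, quarantine),
        "redirected_refused": not safe_delete(redirected, quarantine),
        "protected_survives": os.path.isfile(protected),
        "outside_refused": not safe_delete(protected, quarantine),
    }
```

A small check-then-act window remains between the path comparison and the remove call; a production routine would also open the directory and operate on that handle so the path cannot be swapped in between.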
Why is this an issue for the security of software?
Yair states that this wiper can delete practically any file on a system and render a machine fully unbootable while operating with the permissions of an ordinary user. It does this without injecting any code into the target files, so the wiping goes completely undetected.
MyBroadband states, "The exploit can be used to carry out stealthy attacks and remove the need to be a privileged user to run destructive attacks. Data wiping attacks by abusing AVs and EDRs can effectively bypass a system's defenses as the file deletion features of security solutions are expected behavior and would likely be overlooked."
Overall, Yair's research highlights three vital lessons that apply even to well-known, well-regarded security software:
- If a wiper performs its malicious acts through the proxy of an EDR or AV, a trusted entity on the system, it becomes considerably more harmful.
- The existence of security measures does not guarantee an organization's security.
- Due to their extensive authority and high trust, security controls like EDR or AV will be a favorite target for attackers.
The Infiniwiz technical team in the Chicagoland area takes a proactive approach to your cybersecurity. We set up the proper IT protocols and help you implement the employee procedures to keep your data and network safe from online hackers. However, make sure to do your part in staying alert. If you have any more questions, feel free to contact us!