Several antivirus (AV) and Endpoint Detection and Response (EDR) products have been found to contain high-severity security flaws that let an attacker turn the security software itself into a data wiper.
“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable,” SafeBreach Labs researcher Or Yair explained.
By design, EDR software continuously scans endpoints for suspicious and malicious files and acts on what it finds, typically by deleting or quarantining them.
How Data Wipers Work
To understand what is new about this wiper, it helps to be precise about what wipers are and how they work. According to Wikipedia, a wiper is a kind of malware designed to intentionally destroy data and applications by wiping the hard disk of the machine it infects. Advanced Persistent Threat (APT) groups increasingly use wipers as an offensive action accompanying kinetic warfare, and they have become a go-to weapon in cyber warfare. The ongoing conflict between Russia and Ukraine is a clear illustration; wipers have hit both sides. Wiper attacks have also recently targeted Saudi Arabia, Iran, and Israel.
Data Wiper Malware
The idea behind the wiper is to use specially crafted paths to “trick” a vulnerable AV or EDR into purging legitimate files and directories on the system, rendering the machine inoperable. It relies on a “junction point”, an NTFS reparse point that behaves much like a symbolic link: a folder that serves as an alias for another folder on the computer.
Once the security software has flagged a file as malicious and is about to delete it, the attacker swaps the directory containing that file for a junction, so the path the software recorded now resolves somewhere else entirely, such as a system directory on the C: drive.
Tried naively from an unprivileged account, this does not produce a wipe: once an EDR flags a file it blocks further access to it, so the attacker cannot tamper with it, and if the rogue file is removed before the EDR acts, the product notices and abandons the deletion.
What changes the picture is that the deletion itself is carried out by a privileged process. Aikido, the SafeBreach proof-of-concept wiper, plants a malicious file in a decoy directory it controls, without needing any elevated permissions of its own, and keeps the file open so the EDR cannot delete it immediately; the EDR responds by postponing the delete until the next reboot.
From there the attacker only needs to delete the decoy directory, create a junction at the same path pointing at the directory to be wiped, and reboot the system: the deferred, privileged delete then follows the junction to the real target.
Weaponized, the technique can delete system files such as drivers and leave the operating system unable to boot, or remove every file in the administrator’s user directories.
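The following example, added here and not part of the original article or of SafeBreach’s Aikido code, models the deferred-delete bug described above on a Unix filesystem, with a symlinked directory standing in for the NTFS junction and a temporary directory standing in for the C: drive (the paths, file names and contents are constructed for the demonstration). It runs the same scheduled delete twice: once by path string, the way a vulnerable product does, and once with the checks a hardened product should make before acting on a path it recorded earlier, namely that no component below the scan root has become a link and that the file still has the identity it had when it was flagged.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins: the protected tree plays C:\Windows\System32\drivers,
# the decoy tree plays the attacker-controlled C:\temp\Windows\System32\drivers.
VICTIM_REL = Path("protected") / "drivers" / "ndis.sys"
DECOY_REL = Path("decoy") / "drivers" / "ndis.sys"


def file_identity(path):
    """Identity of the object a path names right now: (device, inode).
    Windows analogue: volume serial number plus file ID from the open handle."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino)


def link_components_below(root, path):
    """List the components of `path` below `root` that are symlinks.
    Symlinks stand in for junctions; on Windows you would test each component
    for FILE_ATTRIBUTE_REPARSE_POINT instead."""
    rel = Path(path).relative_to(root)
    cur = Path(root)
    found = []
    for part in rel.parts:
        cur = cur / part
        if cur.is_symlink():
            found.append(str(cur))
    return found


def naive_deferred_delete(path):
    """Vulnerable behaviour: delete by path string, trusting whatever it resolves to now."""
    os.unlink(path)
    return True


def hardened_deferred_delete(root, path, identity_at_detection):
    """Refuse the delete unless the path still names exactly the object that was flagged."""
    if link_components_below(root, path):
        return False
    if not os.path.lexists(path) or file_identity(path) != identity_at_detection:
        return False
    os.unlink(path)
    return True


def simulate(hardened):
    """Run the decoy-then-junction sequence; report whether the delete fired and whether the victim survived."""
    root = Path(tempfile.mkdtemp(prefix="aikido-model-"))
    try:
        victim = root / VICTIM_REL
        decoy = root / DECOY_REL
        victim.parent.mkdir(parents=True)
        victim.write_bytes(b"legitimate driver (constructed stand-in)")
        decoy.parent.mkdir(parents=True)
        decoy.write_bytes(b"planted file the scanner flags (constructed stand-in)")

        # 1. The scanner flags the decoy but cannot remove it now, so it records
        #    the path for deletion at the next reboot.
        pending = str(decoy)
        identity = file_identity(decoy)

        # 2. The unprivileged attacker replaces the decoy directory with a link
        #    to the protected tree (the junction step).
        shutil.rmtree(root / "decoy")
        os.symlink(root / "protected", root / "decoy")

        # 3. "Reboot": the privileged deferred delete runs on the recorded path.
        if hardened:
            deleted = hardened_deferred_delete(root, pending, identity)
        else:
            deleted = naive_deferred_delete(pending)
        return {"deleted": deleted, "victim_survived": victim.exists()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

The identity check alone would already stop the attack, because after the swap the recorded path names a different file; the component check is kept as well because it explains to an analyst what happened rather than merely failing closed, and because on Windows a product can also refuse to honour any pending delete whose path crosses a reparse point it did not create.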
Six of the 11 security products tested were found vulnerable to the wiper technique, and the affected vendors released patches. The CVE identifiers assigned were:
- CVE-2022-37971 (CVSS score: 7.1) – Microsoft Defender and Defender for Endpoint
- CVE-2022-45797 (CVSS score: N/A) – Trend Micro Apex One
- CVE-2022-4173 (CVSS score: 8.8) – Avast and AVG Antivirus
The wiper carries out its destructive actions through the most trusted component on the system, the EDR itself. Because the deletion runs as that privileged process, neither EDR nor antivirus software stands in its way.
Dan Duran @ Rhyno Cybersecurity
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cyber Security Awareness Training Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.