Aikido: Turning EDRs to malicious wipers using 0-day exploits
05-26, 14:20–15:00 (Europe/Stockholm), Main stage

Wipers are becoming the go-to tool for nation-state cyber warfare in the last decade since the Shamoon attack. Wipers have been used by Russia, Iran, North Korea, and other APTs to support offensive acts. One of the most famous recent attacks was launched during the Russian invasion of Ukraine.

We were curious if we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing code that actually deletes files by itself, making it undetectable. The wiper would also make sure that the deleted files would be unrestorable.

Using the wisdom of martial arts, we understood the importance of using the power of our opponents against them in order to defeat them. Thus, we aimed to use the deletion power of EDRs to our advantage, triggering it by faking a threat.

We checked the leading EDR products and attempted to confuse them between malicious files and standard files during threat mitigation processes. We managed to discover and exploit 0-day vulnerabilities in more than 50% of them, leading to the creation of our Aikido wiper, which could be effective against hundreds of millions of endpoints all around the world.

In this talk we'll start by explaining the background of wiper usage, and our research goals and assumptions. Then we'll explain how different EDR products work when they detect a threat, and how we exploited their insecure actions in our Aikido wiper. We'll go on to present four vulnerabilities we found in Microsoft Defender Antivirus, Microsoft Defender For Endpoint, SentinelOne's EDR, Trend Micro Apex One, Avast Antivirus and AVG Antivirus. Finally, using those vulnerabilities, we'll demonstrate the wiping of all user data and making the operating system unbootable.


The session is about the creation process of a next-gen, fully undetectable wiper malware using 0-day vulnerabilities in EDRs.

The presentation will start with the background of wiper usage. Then it will focus on the EDRs' superpower: the ability to delete any file on the system regardless of permissions, exactly the kind of superpower that wipers are after. We'll explain how different EDR products work when they detect a threat, and show our original ideas for how we can use the power of EDRs against them in order to defeat them.

Then we'll see how we checked the leading EDR products and attempted to confuse them between malicious files and standard files during threat mitigation processes. We had some failed attempts that will be presented, but then we will talk about how we created another window of opportunity for finding a vulnerability. We will present the 0-day vulnerabilities we discovered in Microsoft Defender Antivirus & Defender For Endpoint, SentinelOne's XDR, Trend Micro Apex One, Avast AntiVirus, and AVG AntiVirus, leading to the creation of our Aikido wiper, which could be effective against hundreds of millions of endpoints all around the world. The Windows features that make some of these products vulnerable will be explained. The vulnerabilities can even bypass a Windows security feature called Controlled Folder Access, which we will talk about as well.

We will present our Aikido wiper, see how it works, and see why it takes wipers to the next level. We will also share a link to its open-source repo. Lastly, we'll demonstrate the wiping of all user data and making the operating system unbootable.

Using the defenders’ actions to actually achieve malicious goals is pretty innovative. We believe it can inspire the crowd to choose interesting problems to solve, just like “How to be a wiper without actually wiping?”.

Takeaways:
- A wiper is more dangerous if it uses an arbitrary deletion vulnerability as a proxy.
- Having security controls does not mean you are secure.
- Security controls run with the highest permissions, and so they might be a preferred target for attackers.

All the vulnerabilities were reported and fixed. These are the CVEs:
Microsoft: CVE-2022-37971
TrendMicro: CVE-2022-45797
Avast & AVG: CVE-2022-4173
SentinelOne did fix the vulnerability but did not issue a CVE.

We predict that the usage of wipers by APTs will grow, just as the usage of ransomware has. This is the first public research that analyzes what the next generation of wipers could look like in the near future. We want to raise awareness of it so that EDRs will be prepared to mitigate them. It demonstrates how powerful such a wiper could be, since there are at least hundreds of millions of computers vulnerable to it.

Or Yair (@oryair1999) is a security researcher with over 5 years of experience in cyber security. Currently a researcher at SafeBreach Labs, he started his professional career in the IDF. Most of his work has focused on Platform Research, including Linux kernel components and some Android as well. For the last two years, Or has been drawn into the Windows world and currently focuses on innovative vulnerability research of the operating system's components. Or has already impacted threat mitigation by widely sharing his discoveries internationally at conferences such as Black Hat Europe 2022, HackCon 2023 and RSAC 2023.