+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Endpoint Detection Systems Used as Data Wipers

Endpoint detection and response (EDR) systems, and antivirus (AV) software, are used to increase the cybersecurity of a device. However, these security software solutions are now able to be exploited for their data deletion capabilities, effectively turning them into data wipers. Security researcher Or Yair at SafeBreach Labs discovered this capability alongside multiple zero-day vulnerabilities in the EDR and AV software that made this exploit possible. Widely used EDR and AV software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG are affected by these vulnerabilities, so this exploit dubbed a ‘next-generation data wiper’ could potentially impact millions of endpoints worldwide. 

 

Current data wiper malware is often used in state-sponsored cyber warfare, such as recent uses against both sides in the Russian and Ukrainian war. It is an effective tool for malicious actors who do not have alternate goals such as financial gain and instead have political motivations. This is because there is no data left to hold for ransom when a data wiper is used, unlike when a file is deleted through a DeleteFile() API function in the kernel. This causes the kernel to edit the master file table (MFT) to mark the entry that points to the file content as free, but the content itself remains on the disk. When a data wiper is used, the content is physically erased from the disk, and cannot be restored.  

 

Some active data wipers such as Shamoon, CaddyWiper, DoubleZero, IsaacWiper, KillDisk, and Meteor use a deletion process in order to wipe the data, by first deleting the data through the DeleteFile() API function, but then creating a new file that reuses the same MFT entry that has just been marked free. This overwrites the deleted data content, effectively wiping the original file. In order to do this, these data wipers require high privileges as without administrator privileges they would not have the capability to delete system files, or files from a folder on an administrator’s account. Other wipers such as IsaacWiper, KillDisk, Petya wiper variant, SQLShred, StoneDrill, WhisperGate, and DriveSlayer use a different technique, known as drive-destruction. In this process, the wiper opens the drive and writes directly to it as a device, which can allow for boot-sequence structures to be overwritten. However, this technique also requires administrator privileges to operate.  

 

For a threat actor to exploit these recently discovered vulnerabilities and use this next-generation data wiper, they require no additional permissions or privileges for complete file access and to wipe all data. Using EDR and AV software as a wiper gives the attacker the ability to wipe almost any file from a device, including system files which render the machine unbootable. The use of this software as a wiper also can allow the attacker to bypass security defences on the device, as the file deletion capabilities of EDR and AV software is an expected occurrence as a part of its normal functionality, so the instance of a wipe could be missed in amongst similar expected behaviours. 

 

A common default configuration between most EDRs allows them to automatically delete files they have identified as malicious. Any unprivileged user can trigger this process, as they can create a malicious file which will automatically cause a file deletion to be performed. The security researcher was able to manipulate the EDR to point it down a different path when the file deletion was triggered, so the software believed it was deleting the malicious file on the intended path, but it had actually deleted another file of the unprivileged user’s choosing. This method is similar to improper link resolution attacks, where a filename is used to locate a file, but if the filename contains a link to another file path, then this is resolved when the search is performed, and the initial process is resolved at the new location and not with the original file.  

 

To perform a wipe using EDR and AV software, the actor must first create a malicious file that does not have permissions for Windows file-sharing mode that would allow for the modification or deletion of that file. This causes the EDR and AVs to require a reboot of the device in order to resolve the threat, where some EDRs and AVs then use the default Windows API to postpone the file deletion until after the next reboot. This is performed through the MoveFileEx function with the flag MOVEFILE_DELAY_UNTIL_REBOOT. Administrator privileges are needed for functions with this flag, as it requires the ability to add a registry entry value called PendingFileRenameOperations which is the path that will be deleted after the reboot.  

 

After the reboot, Windows will delete all paths and blindly follow junctions when doing so. Some EDR and AV software that does not use this default Windows API will also react in a similar way. This allows any unprivileged user to utilise a special file path that appears similar to the correct file path to manipulate the EDRs and AVs into deleting almost any file. In their example the security researcher attempted to delete the System32 file ndis.sys, so created a malicious file in a non-privileged file path using a folder they had access to which was C:/temp. They then held the handle of this file for force the deletion to be postponed until after the next reboot, and deleted the C:/temp directory, adding in a junction that cause C:/temp to reroute to C:/. The device was then rebooted, at which point the EDR and AV software followed this junction blindly, allowing for the deletion of the target file without the need for admin privileges. 

 

To avoid falling victim to this sort of data wiper, it is important to keep all software up to date in order to patch any vulnerabilities that could be exploited to allow for this sort of attack. Users of Microsoft Windows Defender could be vulnerable to an exploit of CVE-2022-37971, and so should ensure they are using the latest version of the Microsoft Malware Protection Engine, which is patched after version 1.1.19700.2. Trend Micro Apex One users should ensure patches for CVE-2022-45797 and CVE-2022-45798 have been applied, which is available in Apex One version SP1 CP b11136, and Apex One as a Service Hotfix Build 202211 and Agent 14.0.11840. There is also a fix for Avast and AVG Antivirus vulnerability CVE-2022-4173, which is available in version 22.10 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.