Endpoint detection and response (EDR) systems and antivirus (AV) software are deployed to improve the security of a device. However, these security products can now be turned against the hosts they protect: their data-deletion capabilities can be abused so that they effectively act as data wipers. Security researcher Or Yair of SafeBreach Labs discovered this technique together with multiple zero-day vulnerabilities in EDR and AV software that make the abuse possible. Widely used EDR and AV products from Microsoft, SentinelOne, Trend Micro, Avast and AVG are affected by these vulnerabilities, so the exploit, dubbed a ‘next-generation data wiper’, could potentially impact millions of endpoints worldwide.
Data wiper malware is currently used mostly in state-sponsored cyber warfare, including recent deployments against both sides of the war between Russia and Ukraine. It is an effective tool for malicious actors whose motivation is political rather than financial, because once a wiper has run there is no data left to hold for ransom. This differs from an ordinary deletion through the DeleteFile() API function: there the kernel only edits the master file table (MFT) to mark the entry that points to the file content as free, and the content itself remains on the disk. When a data wiper is used, the content is physically erased from the disk and cannot be restored.
Some active data wipers, such as Shamoon, CaddyWiper, DoubleZero, IsaacWiper, KillDisk and Meteor, wipe data through a deletion process: they first delete the file through the DeleteFile() API function and then create a new file that reuses the MFT entry that has just been marked free. This overwrites the deleted content, effectively wiping the original file. To do this, these wipers require high privileges: without administrator rights they cannot delete system files, or files in a folder belonging to an administrator’s account. Other wipers, such as IsaacWiper, KillDisk, the Petya wiper variant, SQLShred, StoneDrill, WhisperGate and DriveSlayer, use a different technique known as drive destruction. The wiper opens the drive as a raw device and writes to it directly, which allows boot-sequence structures to be overwritten. This technique also requires administrator privileges to operate.
To exploit these recently discovered vulnerabilities and use this next-generation data wiper, a threat actor needs no additional permissions or privileges to gain complete file access and wipe all data. Turning EDR and AV software into a wiper gives the attacker the ability to wipe almost any file on a device, including system files, which renders the machine unbootable. Using this software as a wiper can also help the attacker bypass security defences on the device: file deletion by EDR and AV software is an expected part of its normal functionality, so an instance of a wipe could be missed amongst similar expected behaviour.
A default configuration common to most EDRs lets them automatically delete files they have identified as malicious. Any unprivileged user can trigger this process simply by creating a malicious file, which automatically causes a file deletion to be performed. The researcher was able to redirect the EDR down a different path when the deletion was triggered, so the software believed it was deleting the malicious file at the intended path when it had actually deleted another file of the unprivileged user’s choosing. This is similar to an improper link resolution attack: a filename is used to locate a file, but if that filename contains a link to another path, the link is resolved when the lookup is performed and the operation takes place at the new location rather than on the original file.
To perform a wipe using EDR or AV software, the actor must first create a malicious file opened without the Windows file-sharing mode that would allow it to be modified or deleted. This forces the EDR or AV product to require a reboot of the device in order to resolve the threat, and some products then use the default Windows API to postpone the file deletion until after the next reboot. This is done through the MoveFileEx function with the MOVEFILE_DELAY_UNTIL_REBOOT flag. Calls with this flag require administrator privileges, because they add the path to be deleted after the reboot to a registry value called PendingFileRenameOperations.
After the reboot, Windows deletes all of the queued paths and blindly follows junctions while doing so. Some EDR and AV software that does not use this default Windows API reacts in a similar way. This lets any unprivileged user supply a specially crafted path that looks like the expected one in order to manipulate the EDR or AV into deleting almost any file. In the researcher’s example, the target was the System32 file ndis.sys. They created a malicious file at a non-privileged path, in a folder they had access to, C:\temp. They then held a handle to this file to force the deletion to be postponed until after the next reboot, deleted the C:\temp directory, and created a junction in its place that redirected C:\temp to C:\. When the device was rebooted, the EDR or AV software followed the junction blindly, allowing the target file to be deleted without administrator privileges.
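The mechanism described in the three paragraphs above (a delayed deletion queued in PendingFileRenameOperations whose path only reaches a system file once a junction is followed) can be audited from the defender's side. The script below is an added example written for this article; it is not SafeBreach's tooling or any vendor's code. It parses the contents of the PendingFileRenameOperations value, which Windows stores as a REG_MULTI_SZ list of source/destination pairs under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager with an empty destination meaning "delete after reboot", resolves each source path through a table of known junctions, and flags deletions that would land under a protected root. The registry contents, the junction table and the list of protected roots are constructed for the example; on a live Windows host they would be read with winreg and os.path.realpath instead.

```python
"""Audit PendingFileRenameOperations for delayed deletions that resolve
through a directory junction into a protected location.

Added example for this article; not SafeBreach's or any vendor's code.
All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

NT_PREFIX = "\\??\\"  # Windows writes paths in NT object-manager form

# Constructed list of roots an unprivileged user must never reach via a delayed delete.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed sample of the REG_MULTI_SZ value: [source, destination, ...].
# An empty destination means "delete source after reboot"
# (the MOVEFILE_DELAY_UNTIL_REBOOT case).
SAMPLE_PENDING = [
    r"\??\C:\Users\alice\AppData\Local\Temp\setup.tmp", "",
    r"\??\C:\Windows\Temp\new_app.exe", r"\??\C:\Program Files\App\app.exe",
    r"\??\C:\temp\Windows\System32\drivers\ndis.sys", "",
]

# Constructed junction table mirroring the article's scenario: C:\temp -> C:\.
SAMPLE_JUNCTIONS = {r"C:\temp": "C:\\"}


@dataclass(frozen=True)
class PendingOp:
    source: str
    destination: str  # empty string means delete

    @property
    def is_delete(self) -> bool:
        return self.destination == ""


@dataclass(frozen=True)
class Finding:
    literal_path: str
    resolved_path: str
    reason: str


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(values: list[str]) -> list[PendingOp]:
    """Pair the MULTI_SZ strings into (source, destination) operations."""
    ops: list[PendingOp] = []
    it = iter(values)
    for source in it:
        destination = next(it, "")  # a trailing lone source is a delete
        if source:
            ops.append(PendingOp(_strip_nt_prefix(source), _strip_nt_prefix(destination)))
    return ops


def resolve_junctions(path: str, junctions: dict[str, str], max_hops: int = 8) -> str:
    """Rewrite every prefix that is a known junction to the junction's target.

    This mirrors the kernel following reparse points when the queued path is
    opened; the hop limit guards against junction loops. Matching is
    case-insensitive because NTFS paths are.
    """
    current = path
    for _ in range(max_hops):
        lowered = current.lower()
        hit = None
        # Longest junction first so nested junctions resolve in the right order.
        for link in sorted(junctions, key=len, reverse=True):
            link_l = link.lower().rstrip("\\")
            if lowered == link_l or lowered.startswith(link_l + "\\"):
                hit = link
                break
        if hit is None:
            return current
        target = junctions[hit].rstrip("\\")
        remainder = current[len(hit.rstrip("\\")):].lstrip("\\")
        current = target + "\\" + remainder
    return current


def _under_protected_root(path: str) -> bool:
    lowered = path.lower()
    return any(lowered == root.lower() or lowered.startswith(root.lower() + "\\")
               for root in PROTECTED_ROOTS)


def audit_pending_ops(values: list[str], junctions: dict[str, str]) -> list[Finding]:
    """Return one finding per dangerous delayed deletion.

    Two cases are reported: a path that only reaches a protected root after a
    junction is followed (the pattern the article describes), and a path that
    already sits under a protected root (only an administrator should be able
    to queue that, so it is worth reviewing too).
    """
    findings: list[Finding] = []
    for op in parse_pending_ops(values):
        if not op.is_delete:
            continue  # renames are out of scope for this check
        resolved = resolve_junctions(op.source, junctions)
        if resolved.lower() != op.source.lower() and _under_protected_root(resolved):
            findings.append(Finding(op.source, resolved, "delete reaches protected root via junction"))
        elif _under_protected_root(op.source):
            findings.append(Finding(op.source, resolved, "delete targets protected root directly"))
    return findings


if __name__ == "__main__":
    for f in audit_pending_ops(SAMPLE_PENDING, SAMPLE_JUNCTIONS):
        print(f"{f.reason}: {f.literal_path} -> {f.resolved_path}")
```

Run against the constructed sample, only the C:\temp entry is reported, with its literal path shown beside the C:\Windows\System32 location it actually resolves to; the benign temp-file deletion and the rename pass silently. Feeding the function a real junction table (every reparse point found under user-writable directories) turns it into a pre-reboot check that an unprivileged user has not queued a deletion the security product would blindly follow.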
To avoid falling victim to this sort of data wiper, keep all software up to date so that any vulnerabilities that could enable this kind of attack are patched. Users of Microsoft Windows Defender could be vulnerable to an exploit of CVE-2022-37971 and should ensure they are running the latest version of the Microsoft Malware Protection Engine; the fix is present in versions after 1.1.19700.2. Trend Micro Apex One users should ensure the patches for CVE-2022-45797 and CVE-2022-45798 have been applied; they are available in Apex One SP1 CP b11136, and in Apex One as a Service Hotfix Build 202211 with Agent 14.0.11840. There is also a fix for the Avast and AVG Antivirus vulnerability CVE-2022-4173, available in version 22.10.