A security researcher discovered a way to make endpoint detection and response (EDR) and antivirus (AV) software from widely used vendors such as Microsoft, Trend Micro and Avast delete data, turning them into data wipers.
A wiper is a type of malware that aims to erase or corrupt data on compromised systems.
Or Yair, a SafeBreach researcher, came up with the idea of using existing security tools to attack targeted systems stealthily, which removes the need for a threat actor to be a privileged user in order to carry out destructive attacks.
Using an AV or EDR for data wiping also helps bypass security protections: file deletion is a normal capability of these products, so the activity will likely go unnoticed.
Triggering the (wrong) deletion
EDR and antivirus software scan a computer for malware files and attempt to delete or quarantine them.
With real-time protection, files are scanned automatically as they are created and, if found malicious, removed or quarantined.
An EDR deletes a malicious file in two steps: as Yair explained in his report, it first identifies the file as malicious and then deletes it.
If I could make a connection between the two events using a junction, I may be able to point the EDR to a different route. These vulnerabilities are known as time-of-check to time-of-use (TOCTOU).
Yair’s idea was to create a C:\temp\Windows\System32\drivers folder and store the Mimikatz program in it as ndis.sys.
Mimikatz is detected by all EDR platforms, including Microsoft Defender, so the plan was for the file to be flagged as malicious on creation. Before the EDR could delete it, the researcher would delete C:\temp and create a Windows junction from C:\temp to C:\Windows.
The hope was that the EDR would then attempt to delete the ndis.sys file, which, because of the junction, now points to the legitimate C:\Windows\System32\drivers\ndis.sys.
However, this didn’t work: some EDRs blocked all further access to a file, including deletion, once it was detected as malicious, and in other cases the EDR detected the removal of the malicious file and rejected the wipe request.
It was possible, however, to have the file flagged as malicious while keeping its handle open and not specifying which processes may write to or delete it, which prevented the EDR or AV from deleting it.
The security tool raised an alert but could not delete the file, and prompted the researcher to reboot the system to release the handle.
In that case the deletion is recorded in the PendingFileRenameOperations registry value, which causes the file to be deleted during the reboot.
When Windows processes this value after the reboot, it deletes the listed paths “blindly”, following any junctions along the way.
“But the surprising thing about Windows’ default feature is that Windows, once rebooted, starts deleting all paths and blindly following junctions,” said Yair.
Yair could therefore delete files in directories he had no modification rights to by following this five-step procedure:
- Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
- Hold its handle open; the EDR/AV is then forced to defer deletion of the file until the next reboot
- Delete the C:\temp directory
- Create a junction from C:\temp to C:\
- Reboot when prompted.
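As an added, defender-side example that is not the article's or SafeBreach's code, the Python below parses a PendingFileRenameOperations value and flags scheduled deletions whose path passes through a junction, which is what the boot-time step of the procedure above depends on. SAMPLE_VALUE and the ExampleAV paths are constructed; is_junction_windows is the live check to use on a real host, while audit_sample substitutes an offline stand-in for it.

```python
# Added example (not from the article): audit PendingFileRenameOperations for junction traversal.
# REG_MULTI_SZ pairs [source, destination, ...]; sources carry the NT prefix '\??\', an empty
# destination means "delete at next boot", and a leading '!' on the destination means overwrite.
import ntpath
import os
from typing import Callable, Iterable, List, Optional, Tuple

NT_PREFIX = "\\??\\"
FILE_ATTRIBUTE_REPARSE_POINT = 0x400      # winnt.h
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003   # winnt.h: the reparse tag used by junctions
def parse_pending_ops(multi_sz: Iterable[str]) -> List[Tuple[str, Optional[str]]]:
    """(source, destination) pairs; destination None means the file is scheduled for deletion."""
    items = list(multi_sz)
    if len(items) % 2:
        raise ValueError("value must hold source/destination pairs")
    return [(src.removeprefix(NT_PREFIX), dst.lstrip("!").removeprefix(NT_PREFIX) if dst else None)
            for src, dst in zip(items[::2], items[1::2])]
def parent_dirs(path: str) -> List[str]:
    """Directory prefixes of a Win32 path, shortest first: C:\\, C:\\temp, C:\\temp\\Windows, ..."""
    drive, rest = ntpath.splitdrive(path)
    prefixes, cur = [], drive + "\\"
    for part in [p for p in rest.split("\\") if p][:-1]:
        prefixes.append(cur)
        cur = ntpath.join(cur, part)
    return prefixes + [cur]
def is_junction_windows(path: str) -> bool:
    """Live check for a Windows host: os.lstat reports the reparse point without following it."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT
                and getattr(st, "st_reparse_tag", 0) == IO_REPARSE_TAG_MOUNT_POINT)
def find_junction_deletions(ops, is_junction: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """(path scheduled for deletion, junction it crosses) for every pending delete that hits one."""
    hits = []
    for src, dst in ops:
        if dst is None:
            for d in parent_dirs(src):
                if is_junction(d):
                    hits.append((src, d))
                    break
    return hits
# Constructed sample mirroring the article: deferred deletion of the decoy ndis.sys under C:\temp
# (turned into a junction to C:\ before the reboot) plus a benign rename by a made-up "ExampleAV".
SAMPLE_VALUE = ["\\??\\C:\\temp\\Windows\\System32\\drivers\\ndis.sys", "",
                "\\??\\C:\\ProgramData\\ExampleAV\\update.tmp", "!\\??\\C:\\ProgramData\\ExampleAV\\engine.dll"]
def audit_sample() -> List[Tuple[str, str]]:
    # Offline stand-in for is_junction_windows: in the scenario only C:\temp has become a junction.
    return find_junction_deletions(parse_pending_ops(SAMPLE_VALUE), lambda d: d.lower() == "c:\\temp")
```

Run the audit before a pending reboot is honoured and alert on every hit.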
This exploit can also be used to bypass a Windows ransomware protection feature called Controlled Folder Access, which prevents untrusted processes from altering or deleting files within any folder in the Protected Folders list. It does not stop an EDR/AV from deleting files, however, as they are the most trusted entities on a system.
The researcher used the exploit to create a wiper called “Aikido Wiper” that unprivileged users can use to wipe data from admin directories and even render the system inoperable.
Response and impact
Yair ran the exploit against 11 security tools and found that Microsoft Defender, Defender for Endpoint, Trend Micro Apex One, SentinelOne EDR, Avast Antivirus and AVG Antivirus were all vulnerable.
Palo Alto’s security solutions, CrowdStrike and McAfee were not exploitable. The researcher also tested BitDefender.
Aikido Wiper exploits the vulnerabilities in SentinelOne EDR, Defender for Endpoint and Microsoft Defender, because these were the easiest to use for the wiper.
Yair reported these flaws to all vendors between July and August 2022, and all have since issued fixes.
The vendors assigned the following vulnerability IDs to this issue: CVE-2022-37971 (Microsoft), CVE-2022-45797 (Trend Micro) and CVE-2022-41797 (Avast/AVG).
These are the fixed versions:
- Microsoft Malware Protection Engine: Version 1.1.19700.2 and later
- Trend Micro Apex One: Patch_b11136 & Hotfix 2353 or later
- Avast & AVG Antivirus: 22.10 or later
To reduce the risk of malware replicating the Aikido Wiper’s functionality, all users should apply the security updates immediately.