"For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers"

Many trusted Endpoint Detection and Response (EDR) technologies may contain a flaw that allows attackers to cause the products to erase almost all data on the systems where they are installed. Or Yair, the SafeBreach security researcher who discovered the flaw, tested 11 EDR tools from various vendors and found that six of them, from a total of four vendors, were vulnerable: Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. Before Yair disclosed the issue at the Black Hat Europe conference on December 7, three of the vendors assigned formal CVE numbers to the bugs and issued patches for them. Yair published proof-of-concept (POC) code dubbed Aikido, which he created to demonstrate how a wiper could manipulate a vulnerable EDR into deleting almost any file on the system, including system files, with only the permissions of an unprivileged user. He estimated that the wiper would be effective against hundreds of millions of endpoints running vulnerable EDR versions. The vulnerability is related to how some EDR tools delete malicious files. There are two critical events in the deletion process: the moment the EDR flags a file as malicious, and the later moment when the file is actually deleted, which may require a system reboot. According to Yair, between these two events an attacker can use what are known as NTFS junction points to direct the EDR to delete a different file than the one it identified as malicious. NTFS junction points are similar to symbolic links, which are shortcut files to other folders and files on a system, except that junctions are used to connect directories on different local volumes on a system. This article continues to discuss the vulnerability that could manipulate EDR products into becoming data wipers.

Dark Reading reports "For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers"
