Many popular antivirus and EDR products, including those from Microsoft, SentinelOne, Trend Micro, Avast and AVG, can be turned into data wipers, a cybersecurity researcher has claimed.
In a proof-of-concept presentation called "Aikido," Or Yair, a researcher at the cybersecurity firm SafeBreach, explained how the exploit works through a time-of-check to time-of-use (TOCTOU) vulnerability: the security product inspects a file at one moment and acts on it later, and the path it recorded can be made to point somewhere else in between.
The name is borrowed from martial arts: aikido is a Japanese style in which the practitioner uses the opponent's own movement and force against them.
How does it work?
According to Yair, the vulnerability can be used to build a class of malware known as "wipers," which is commonly deployed in cyberwarfare.
In cybersecurity, a wiper is a class of malware designed to destroy the contents of the disk on the machine it infects by maliciously deleting data and programs.
According to the slideshow, the exploit turns the "superpower" of endpoint detection software, the ability to "delete any file, regardless of privileges," against the system it is meant to protect.
The process described starts with creating a malicious file at C:\temp\Windows\System32\drivers\ndis.sys, a path that mirrors the location of a legitimate Windows driver, but under a directory the attacker controls.
The attacker then keeps a handle to that file open, which forces "the AV/EDR to postpone removal until the next reboot."
Next, the attacker deletes the C:\temp directory, creates a junction at C:\temp -> C:\, and reboots the machine. When the deferred deletion runs, the recorded path now resolves through the junction to C:\Windows\System32\drivers\ndis.sys, so the security product deletes the real driver instead of the decoy.
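The junction trick described above, as an added example that is not part of the original article or of the researcher's proof of concept: a Python simulation in which a symlink inside a temporary directory stands in for the NTFS junction, a directory named "system" stands in for C:\, and a later function call stands in for the reboot. The naive deferred deletion removes whatever the recorded path points to at time of use; the hardened variant re-resolves the path and refuses to act if it no longer resolves where it did at time of check. The directory names, the decoy contents and the check itself are assumptions for illustration, not any vendor's code.

```python
"""Simulation of the deferred-delete TOCTOU from the Aikido research.

Constructed example: a symlink stands in for the NTFS junction, a temporary
directory stands in for C:\\, and the "reboot" is just a later function call.
Not the researcher's code and not any security product's code.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Relative path of the "protected" file under the simulated system root.
DRIVER_REL = Path("Windows") / "System32" / "drivers" / "ndis.sys"


def build_tree(root: Path) -> tuple[Path, Path]:
    """Create a fake system volume and a staging directory holding the decoy."""
    system = root / "system"   # plays the role of C:\
    staging = root / "temp"    # plays the role of C:\temp
    for base, content in ((system, b"legitimate driver bytes"),
                          (staging, b"decoy the scanner flags as malicious")):
        (base / DRIVER_REL).parent.mkdir(parents=True)
        (base / DRIVER_REL).write_bytes(content)   # constructed contents
    return system, staging


def scanner_detect(path: Path) -> dict:
    """Time of check: the scanner decides the file must go. Because the handle
    is held, it can only record the path for deletion after the "reboot"."""
    return {"path": path, "resolved": Path(os.path.realpath(path))}


def deferred_delete(record: dict, hardened: bool) -> bool:
    """Time of use: the deferred deletion fires. Returns True if a file was removed."""
    now = Path(os.path.realpath(record["path"]))
    if hardened and now != record["resolved"]:
        # The recorded path now resolves somewhere else (a link was swapped in).
        # Refuse rather than delete whatever it happens to point to today.
        return False
    if now.is_file():
        now.unlink()
        return True
    return False


def simulate(hardened: bool) -> bool:
    """Run the whole sequence; return True if the legitimate driver survives."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system, staging = build_tree(root)
        # 1. Scanner flags the decoy but can only schedule it for deletion.
        record = scanner_detect(staging / DRIVER_REL)
        # 2. Attacker removes the staging directory ...
        shutil.rmtree(staging)
        # 3. ... and replaces it with a link to the system root (junction C:\temp -> C:\).
        os.symlink(system, staging, target_is_directory=True)
        # 4. "Reboot": the deferred deletion runs against the recorded path.
        deferred_delete(record, hardened)
        return (system / DRIVER_REL).is_file()


if __name__ == "__main__":
    print("naive deferred delete keeps the real driver:   ", simulate(hardened=False))
    print("hardened deferred delete keeps the real driver:", simulate(hardened=True))
```

Comparing resolved paths closes the specific swap shown here, but it still leaves a window between the resolution and the unlink. On a real system the deletion should be performed on an already-open handle, or on a path opened without following reparse points, rather than on a path string recorded earlier; that is the general lesson of the TOCTOU class, not just of this one product bug.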
Around half of the popular antivirus brands examined were affected, according to Yair.
According to the slideshow prepared by the researcher, Microsoft Defender, Microsoft Defender for Endpoint, SentinelOne EDR, Trend Micro Apex One, Avast Antivirus, and AVG Antivirus are among those affected by the vulnerability.
Fortunately for their customers, products such as Palo Alto XDR, Cylance, CrowdStrike, McAfee, and Bitdefender were unaffected.