Or Yair: Aikido: Turning EDRs to Malicious Wipers Using 0-day Exploits | CONFidence 2023

youtube.com, 11 months ago


Wipers have become the go-to tool for nation-state cyber warfare in the last decade, since the Shamoon attack. Wipers have been used by Russia, Iran, North Korea, and other APTs to support offensive acts. One of the most famous recent attacks was launched during the Russian invasion of Ukraine.

We were curious if we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing code that actually deletes files by itself, making it undetectable. The wiper would also make sure that the deleted files would be unrestorable.

Using the wisdom of martial arts, we understood the importance of using the power of our opponents against them in order to defeat them. Thus, we aimed to use the deletion power of EDRs to our advantage, triggering it by faking a threat.

We checked the leading EDR products and attempted to confuse them between malicious files and standard files during threat mitigation processes. We managed to discover and exploit 0-day vulnerabilities in almost 50% of them, leading to the creation of our Aikido wiper, which could be effective against hundreds of millions of endpoints all around the world.

In this talk we'll start by explaining the background of wiper usage, and our investigation goals and assumptions. Then we'll explain how different EDR products work when they detect a threat, and how we exploited their insecure actions in our Aikido wiper. We'll go on to present 4 vulnerabilities we found in Microsoft Defender Antivirus, Microsoft Defender For Endpoint, SentinelOne's EDR, Trend Micro Apex One, Avast Antivirus and AVG Antivirus. Finally, using those vulnerabilities, we'll show the wiping of all user data, and making the operating system unbootable.

https://confidence-conference.org/