The vulnerabilities discovered by researchers of the SafeBreach Labs have been used to create a new-generation, undetectable wiper – Aikido Wiper – it can affect millions of workstations and servers worldwide in the future.
Aikido Wiper runs with the authorisations of an unauthorised user but is able to delete almost every file on the system, including the system files – which would make the computer completely useless. Everything happens without implementing the code, making it absolutely undetectable.
Aikido exploits a Windows feature which allows users to create links (symlinks) regardless of user account authorisations. According to the researcher, a user who does not have the required authorisations to delete system files (.sys) will not be able to delete them. However, by creating a bait directory, it was able to trick the security product into deleting the file instead of preventing it from being deleted. Similarly, it has placed a sequence of signs, which resembled the path to be deleted (e.g., C:\tempWindows32drivers vs C:\tempWindows32drivers).
The main features of the Aikido wiper:
- is completely undetectable,
- prevents the system from starting up,
- erases important data,
- runs with the authorisations of an unauthorised user,
- deletes the quarantine directory.
Of the 11 AV/EDR products tested, the following were found to be vulnerable:
- Defender
- Defender for Endpoint
- SentinelOne EDR
- TrendMicro Apex One
- Avast Antivirus
- AVG Antivirus
However, the below products are not vulnerable:
- Palo Alto XDR
- Cylance
- CrowdStrike
- McAfee
- BitDefender
Vulnerabilities were reported to all vendors between July and August 2022. It is important to note that for Microsoft Defender and Microsoft Defender for Endpoint products, the researcher failed to achieve arbitrary file removal. To patch the vulnerability, three of the vendors have issued the following CVEs: Microsoft – CVE-2022-37971, TrendMicro – CVE-2022-45797, Avast & AVG – CVE-2022-4173. The exploit has been ** patched by three software vendors who have released updated versions of their programs: Microsoft Malware Protection Engine: 1.1.19700.2, TrendMicro Apex One: Hotfix 23573 & Patch_b11136, Avast & AVG Antivirus: 22.10.
Source: