Aikido: Turning EDRs to malicious wipers using 0-day exploits

Wipers are becoming the go-to tool for nation-state cyber warfare in the last decade since the Shamoon attack. Wipers have been used by Russia, Iran, North Korea, and other APTs to support offensive acts. One of the most famous recent attacks was launched during the Russian invasion of Ukraine. We were curious if we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing code that actually deletes files by itself, making it undetectable. The wiper would also make sure that the deleted files would be unrestorable. Using the wisdom of martial arts, we understood the importance of using the power of our opponents against them in order to defeat them. Thus, we aimed to use the deletion power of EDRs to our advantage, triggering it by faking a threat. We checked the leading EDR products and attempted to confuse them between malicious files and standard files during threat mitigation processes. We managed to discover and exploit 0-day vulnerabilities in more than 50% of them, leading to the creation of our Aikido wiper, which could be effective against hundreds of millions of endpoints all around the world. In this talk we'll start by explaining the background of wiper usage, and our research goals and assumptions. Then we’ll explain how different EDR products work when they detect a threat, and how we exploited their insecure actions in our Aikido wiper. We’ll go on to present four vulnerabilities we found in Microsoft Defender Antivirus, Microsoft Defender For Endpoint, SentinelOne’s EDR, Trend Micro Apex One, Avast Antivirus and AVG Antivirus. Finally - using those vulnerabilities - we’ll demonstrate the wiping of all user data, and making the operating system unbootable.

Presented at Security Fest 2023.

About Or Yair

Or Yair (@oryair1999) is a security researcher with over 5 years of experience in cyber security. Currently a researcher in SafeBreach Labs, he started his professional career in the IDF. Most of his work focused on Platform Research, including Linux kernel components and some Android as well. For the last two years, Or has been drawn into the Windows world and currently focuses on innovative vulnerability research of the operating system's components. Or has already impacted threat mitigation by widely sharing his discoveries internationally at conferences he spoke at such as Black Hat Europe 2022, HackCon 2023 and RSAC 2023.