Microsoft Defender can be made to malfunction – CVE-2023-24860 & CVE-2023-36010

Researchers from SafeBreach discovered flaws in Microsoft and Kaspersky security products that could allow the remote deletion of files. Although both vendors have addressed the issue, it could still remain a problem.

They explained that Microsoft Defender and Kaspersky’s Endpoint Detection and Response can be made to flag legitimate files as malicious (a false positive) and then delete them. Both EDR solutions use byte signatures, unique sequences of bytes in file headers, to detect malware.

The ultimate goal was to confuse the EDR by implanting malware signatures into legitimate files so that it treats them as malicious. To achieve this, they first found a byte signature associated with malware on the VirusTotal platform, then inserted it into a database, for example by creating a new user whose name includes the signature.

The EDR then deemed the database file that stored the signature to be infected by malware. Because it deletes files it considers infected, it would do the same to databases or virtual machines, which would thus be deleted remotely.

The researchers point out that such access is easy to obtain: registering as a new user on a website with a name that contains a byte signature could be enough for an EDR to treat a database as dangerous. Moreover, the file deletion performed by the EDR was irreversible from within the security tools; restoring the data meant reverting to backups.
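The mechanism described above, as an added illustration that is not SafeBreach's tooling or Microsoft's engine: a toy "database file" stores user records, a naive scanner matches a byte signature anywhere in a file, and a planted user name is enough to turn the whole file into a "detection". The signature bytes, the file format and the user names are all constructed for the demo (no real malware signature is used); the header-anchored scanner and the quarantine-versus-delete policy are hypothetical defensive choices that show why scope and reversibility of remediation matter.

```python
"""
Added example (not code from the original article or from SafeBreach):
models how substring byte-signature matching over arbitrary data files
produces destructive false positives, and two ways to limit the damage.
Everything here is constructed for illustration.
"""
import struct

# Constructed, hypothetical "malware" signature. It stands in for the kind of
# unique byte sequence a signature-based EDR keys on; it matches nothing real.
DEMO_SIGNATURE = b"\xde\xad\xbe\xef\x13\x37\xc0\xde"


def build_user_table(usernames):
    """Constructed toy database file: a 4-byte magic header followed by
    length-prefixed user records. Real DB formats differ; the point is that
    user-controlled bytes end up verbatim inside a file the scanner reads."""
    out = bytearray(b"TOYD")
    for name in usernames:
        out += struct.pack("<H", len(name)) + name
    return bytes(out)


def scan_anywhere(data, signatures):
    """Naive scanner: a signature found anywhere in the file means 'infected'.
    This is the behaviour that lets planted bytes poison a legitimate file."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_header_anchored(data, signatures):
    """Stricter scanner: a header signature only counts at offset 0, so bytes
    buried inside a record of a differently-typed file do not match."""
    return [name for name, sig in signatures.items() if data.startswith(sig)]


def remediate(verdicts, policy):
    """Action an EDR would take on a detection. 'quarantine' can be undone
    from the console; 'delete' can only be undone from backups."""
    if not verdicts:
        return "none"
    return "quarantine" if policy == "quarantine" else "delete"


def demo():
    """Run the scenario end to end and return every verdict for inspection."""
    sigs = {"DemoTrojan": DEMO_SIGNATURE}
    clean_db = build_user_table([b"alice", b"bob"])
    # A registrant chooses a name that embeds the signature bytes.
    poisoned_db = build_user_table([b"alice", b"mallory" + DEMO_SIGNATURE])
    anywhere_hits = scan_anywhere(poisoned_db, sigs)
    return {
        "clean_anywhere": scan_anywhere(clean_db, sigs),        # []
        "poisoned_anywhere": anywhere_hits,                     # ['DemoTrojan']
        "poisoned_anchored": scan_header_anchored(poisoned_db, sigs),  # []
        "action_delete": remediate(anywhere_hits, "delete"),
        "action_quarantine": remediate(anywhere_hits, "quarantine"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defensive levers shown are independent: anchoring header signatures to the file header (or otherwise gating signature families by file type) keeps user-controlled payload bytes from matching, and a quarantine policy keeps a remaining false positive recoverable from the console rather than from backups.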

The full implications of this scenario are unknown, because the researchers were wary of some of the potential outcomes of testing the vulnerabilities.

SafeBreach therefore reported its findings to Microsoft in January 2023, and in April of that year CVE-2023-24860 and a patch were issued. Kaspersky, however, did not release a fix at that time; the vendor claimed the issue was not a security vulnerability because the product’s behaviour is by design.

The researchers tested Kaspersky’s product, and its mitigations appeared to work, but there was no guarantee that they could not be bypassed.

To further test the Microsoft fix, the duo found a different byte signature and were able to bypass Redmond’s patch. In August 2023, SafeBreach again reported its findings to Microsoft, which again acknowledged the work, this time with the December release of CVE-2023-36010.

At present, finding further bypasses has become harder. The patch implemented a whitelist, but the researchers were able to circumvent it with a PowerShell command to ignore exceptions.

The flaw is so deeply rooted in Defender that removing it entirely would require the product to be redesigned. Such remote deletion vulnerabilities are especially difficult to fix when the security controls rely on byte-signature detection.

Defender and Kaspersky are not the only products that can be turned into an offensive tool in this way. The researchers also looked at Palo Alto Networks Cortex XDR and bypassed significant security features of that anti-malware product.

This research was documented by the researchers Tomer Bar and Shmuel Cohen.