December 7th, 2022: A SafeBreach security researcher disclosed a vulnerability dubbed “Aikido,” with subsequent (Dec. 12th) proof-of-concept (POC) exploit code that can potentially turn EDR agents running on Microsoft Windows endpoints into malicious data wipers.
December 12th, 2022: CyberHoot has learned of a critical vulnerability in ConnectWise and SonicWall Capture Client (and the other EDR products listed below). MSPs are urged to take emergency action to patch their systems ASAP. Evidence has surfaced of exploits in the wild resulting in arbitrary code execution with elevated admin privileges.
What is Wiper Malware?
“In computer security, a wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.” Wikipedia
Vulnerability Alert Management Process Alert Level:
Critical Advisory Alert: Immediate Action Required
Impacted Systems:
The following software solutions were identified and tested by ConnectWise. Additional systems may be at risk. Check your vendor advisory pages to confirm exposure and patch ASAP.
- Microsoft Windows with SentinelOne agents running all versions prior to 22.2.4.558 are vulnerable.
- SentinelOne agents are utilized in the following ConnectWise products: ConnectWise SentinelOne Control, ConnectWise SentinelOne Complete, ConnectWise MDR with SentinelOne, and ConnectWise MDR Premium with SentinelOne.
- This exploit was also tested against Defender, Defender for Endpoint, Trend Micro Apex One, Avast Antivirus, and AVG Antivirus, and all were found to be vulnerable.
Mitigation
ConnectWise
- Install SentinelOne agent version 22.2 SP1 (22.2.4.558) on your Windows agent endpoints.
- Reboot your system if SentinelOne Console shows “reboot pending”.
Microsoft Malware Protection Engine:
- Install version 1.1.19700.2 of the Microsoft Malware Protection Engine and reboot if prompted.
Trend Micro Apex One:
- Install Hotfix 23573 and Patch_b11136 and reboot if prompted.
Avast & AVG Antivirus:
- Install version 22.10 of the Avast or AVG antivirus software and reboot if prompted.
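An added compliance check (example code, not from the CyberHoot advisory or from any vendor) that compares an endpoint's installed versions with the fixed versions listed above and reports whether a reboot is still pending. It assumes the SentinelOne and Avast/AVG uninstall entries carry the DisplayName patterns shown and a dotted DisplayVersion; the Trend Micro hotfix numbers are not version strings, so they are not checked.

```powershell
# Fixed versions taken from the mitigation list above.
$Fixed = @{
    'SentinelOne Agent'   = [version]'22.2.4.558'   # 22.2 SP1
    'Defender Engine'     = [version]'1.1.19700.2'  # Malware Protection Engine
    'Avast/AVG Antivirus' = [version]'22.10'
}

# Look up an installed product in the 64-bit and 32-bit uninstall registry hives.
function Get-UninstallEntry([string]$Pattern) {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        Select-Object -First 1
}

# Compare an installed version string with the fixed version for that product.
function Test-AikidoVersion([string]$Name, $Installed) {
    if (-not $Installed) { return "$Name : not installed (or not detected)" }
    $v = $Installed -as [version]
    if (-not $v) { return "$Name : version '$Installed' could not be parsed, check manually" }
    if ($v -lt $Fixed[$Name]) { return "$Name : $v is VULNERABLE, update to $($Fixed[$Name])" }
    return "$Name : $v is at or above the fixed version"
}

# SentinelOne agent (assumed DisplayName pattern 'Sentinel Agent')
$s1 = Get-UninstallEntry 'Sentinel Agent'
Test-AikidoVersion 'SentinelOne Agent' $s1.DisplayVersion

# Microsoft Malware Protection Engine, as reported by Defender itself
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Test-AikidoVersion 'Defender Engine' $mp.AMEngineVersion

# Avast / AVG (assumed DisplayName pattern)
$av = Get-UninstallEntry '^(Avast|AVG) Antivirus'
Test-AikidoVersion 'Avast/AVG Antivirus' $av.DisplayVersion

# The advisory says to reboot if prompted; these two markers indicate a pending reboot.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           [bool](Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
"Reboot pending: $pending"
```

Run it elevated on each endpoint, or push it through your RMM and collect the output lines per device.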
Vendor Advisories:
ConnectWise Advisory: https://www.connectwise.com/company/trust/advisories
Microsoft Defender Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37971
Avast and AVG Advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4173
Trend Micro Advisory: https://success.trendmicro.com/dcx/s/solution/000291830?language=en_US
Additional Resources:
SonicWall Capture Client Advisory: https://www.sonicwall.com/support/knowledge-base/capture-client-differences-between-sonicwall-managed-and-self-managed-versions/181114002946980/
Time-of-Check and Time-of-Use Definition: https://cwe.mitre.org/data/definitions/367.html
SonicWall Aikido Advisory: https://www.sonicwall.com/support/knowledge-base/aikido-exploit-and-its-impact-on-sonicwall-capture-client/221213114338960/
Black Hat Europe 2022 SafeBreach Briefing (Aikido vulnerability): https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Yair-Aikido-Turning-EDRs-to-Malicious-Wipers.pdf