“Aikido” Vulnerability Turns EDR into Wiper Malware

14th December 2022 | Advisory, Blog

Wiper Malware Can Devastate Systems

December 7th, 2022: A SafeBreach security researcher disclosed a vulnerability class dubbed “Aikido,” followed (December 12th) by proof-of-concept (PoC) exploit code that can turn EDR agents running on Microsoft Windows endpoints into malicious data wipers.

December 12th, 2022: CyberHoot has learned of a critical vulnerability affecting the SentinelOne agents used by ConnectWise and SonicWall Capture Client (and the other EDR products listed below). MSPs are urged to take emergency action to patch their systems ASAP. Public proof-of-concept code lets a local, unprivileged user abuse the EDR's own privileged file-deletion routine to delete arbitrary files, including operating-system files, on the endpoint; that is what turns the agent into a wiper.

What is Wiper Malware?

“In computer security, a wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.” Wikipedia

Vulnerability Alert Management Process Alert Level:

Critical Advisory Alert: Immediate Action Required

Impacted Systems:

The following software solutions were identified and tested by ConnectWise. Additional products may be at risk; check your vendor's advisory pages to confirm exposure and patch ASAP.

  • SentinelOne agents on Microsoft Windows: all versions prior to 22.2.4.558 are vulnerable.
  • SentinelOne agents are used in the following ConnectWise products: ConnectWise SentinelOne Control, ConnectWise SentinelOne Complete, ConnectWise MDR with SentinelOne, and ConnectWise MDR Premium with SentinelOne.
  • The exploit was also tested against Microsoft Defender, Defender for Endpoint, Trend Micro Apex One, Avast Antivirus, and AVG Antivirus; all were found to be vulnerable.

Mitigation

ConnectWise (SentinelOne):
  1. Install SentinelOne agent version 22.2 SP1 (22.2.4.558) on your Windows endpoints.
  2. Reboot the endpoint if the SentinelOne console shows “reboot pending”.
Microsoft Malware Protection Engine (Defender / Defender for Endpoint):
  1. Install Malware Protection Engine version 1.1.19700.2 and reboot if prompted.
Trend Micro Apex One:
  1. Install Hotfix 23573 and Patch_b11136 and reboot if prompted.
Avast & AVG Antivirus:
  1. Install version 22.10 of the antivirus software and reboot if prompted.
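The PowerShell script below is an added example written for this advisory; it is not CyberHoot, ConnectWise or vendor code. It reads installed product versions from the Windows uninstall registry hives and from the Defender module, and compares them with the minimum fixed builds listed in the Mitigation steps above, so an MSP can confirm the patch actually landed on each endpoint. The uninstall DisplayName patterns used to find the SentinelOne, Avast and AVG entries are assumptions about how those products register themselves and may need adjusting for your tenant; Trend Micro Apex One hotfixes are not expressed as an agent version, so verify those in the Apex One console instead.

```powershell
# Added example (not from CyberHoot, ConnectWise or the vendors): read-only check
# that reports whether this endpoint runs at least the fixed build of each product
# named in the advisory. Run in an elevated PowerShell session on the endpoint.
$minimums = @{
    'SentinelOne'    = [version]'22.2.4.558'   # ConnectWise / SonicWall Capture Client agent
    'DefenderEngine' = [version]'1.1.19700.2'  # Microsoft Malware Protection Engine
    'Avast'          = [version]'22.10'
    'AVG'            = [version]'22.10'
}

# Uninstall DisplayName patterns (assumption: adjust if your agents are branded differently).
$patterns = @{
    'SentinelOne' = 'Sentinel Agent'
    'Avast'       = '^Avast'
    'AVG'         = '^AVG'
}

# Read both the 64-bit and the 32-bit uninstall hives once.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

function Test-MinimumVersion {
    param(
        [string]$Product,    # label used in the report
        [string]$Installed,  # version string as found on the endpoint
        [version]$Minimum
    )
    # [version]::TryParse accepts "a.b", "a.b.c" and "a.b.c.d"; anything else is UNKNOWN
    # rather than silently treated as patched.
    $parsed = $null
    if (-not [version]::TryParse($Installed, [ref]$parsed)) {
        return [pscustomobject]@{ Product = $Product; Installed = $Installed; Minimum = $Minimum; Status = 'UNKNOWN' }
    }
    $status = if ($parsed -ge $Minimum) { 'OK' } else { 'VULNERABLE' }
    [pscustomobject]@{ Product = $Product; Installed = $parsed; Minimum = $Minimum; Status = $status }
}

$report = @()

# SentinelOne, Avast and AVG: one row per matching uninstall entry (a machine can
# carry more than one agent build during an upgrade, and every copy should be checked).
foreach ($name in $patterns.Keys) {
    $hits = $installed | Where-Object { $_.DisplayName -match $patterns[$name] }
    if (-not $hits) {
        $report += [pscustomobject]@{ Product = $name; Installed = 'not installed'; Minimum = $minimums[$name]; Status = 'N/A' }
        continue
    }
    foreach ($hit in $hits) {
        $report += Test-MinimumVersion -Product $name -Installed $hit.DisplayVersion -Minimum $minimums[$name]
    }
}

# Microsoft Defender: the engine version comes from the Defender module, not the
# uninstall hive. Get-MpComputerStatus only exists where Defender is installed.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $engine = (Get-MpComputerStatus).AMEngineVersion
    $report += Test-MinimumVersion -Product 'DefenderEngine' -Installed $engine -Minimum $minimums['DefenderEngine']
} else {
    $report += [pscustomobject]@{ Product = 'DefenderEngine'; Installed = 'not installed'; Minimum = $minimums['DefenderEngine']; Status = 'N/A' }
}

$report | Format-Table -AutoSize

# Overall verdict: any VULNERABLE or UNKNOWN row means the endpoint still needs attention.
$needsAction = ($report.Status -contains 'VULNERABLE') -or ($report.Status -contains 'UNKNOWN')
if ($needsAction) {
    Write-Output "RESULT: endpoint $env:COMPUTERNAME still needs patching or manual review"
} else {
    Write-Output "RESULT: endpoint $env:COMPUTERNAME meets all minimum versions in this advisory"
}
```

A version check only proves the binary on disk; the SentinelOne and Defender fixes may still be inactive until the reboot the Mitigation steps call for, so treat a “reboot pending” state in the vendor console as unpatched even when this script reports OK.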
Vendor Advisories:

  • ConnectWise Advisory: https://www.connectwise.com/company/trust/advisories
  • Microsoft Defender Advisory (CVE-2022-37971): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37971
  • Avast and AVG Advisory (CVE-2022-4173): https://nvd.nist.gov/vuln/detail/CVE-2022-4173
  • Trend Micro Advisory: https://success.trendmicro.com/dcx/s/solution/000291830?language=en_US

Additional Resources:

  • SonicWall Capture Client Advisory: https://www.sonicwall.com/support/knowledge-base/capture-client-differences-between-sonicwall-managed-and-self-managed-versions/181114002946980/
  • Time-of-Check Time-of-Use (TOCTOU, CWE-367) Definition: https://cwe.mitre.org/data/definitions/367.html
  • SonicWall Aikido Advisory: https://www.sonicwall.com/support/knowledge-base/aikido-exploit-and-its-impact-on-sonicwall-capture-client/221213114338960/
  • Black Hat Europe 2022 SafeBreach Briefing, “Aikido: Turning EDRs to Malicious Wipers”: https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Yair-Aikido-Turning-EDRs-to-Malicious-Wipers.pdf
