“Aikido” Vulnerability Turns EDR into Wiper Malware

December 7ths, 2022: A SafeBreach security researcher disclosed a vulnerability dubbed “Aikido,” with subsequent (Dec. 12th) proof-of-concept (POC) exploit code that can potentially turn EDR agents running on Microsoft Windows endpoints into malicious data wipers.

December 12th, 2022: CyberHoot has learned of a critical vulnerability in ConnectWise and SonicWall Capture Client  (and other EDR products listed below).  MSPs are urged to take emergency action to patch their systems ASAP.  Evidence has surfed of exploits in the wild resulting in arbitrary code execution with elevated admin privileges.

What is Wiper Malware?

“In computer security, a wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.” Wikipedia

Vulnerability Alert Management Process Alert Level:

Critical Advisory Alert: Immediate Action Required

Impacted Systems:

The following software solutions were identified and tested by ConnectWise.  Additional systems may be at risk.  Check your vendor advisory pages to confirm exposures and patch asap.

• Microsoft Windows with SentinelOne agents running all versions prior to 22.2.4.558 are vulnerable.
• SentinelOne agents are utilized in the following ConnectWise products: ConnectWise SentinelOne Control, ConnectWise SentinelOne Complete, ConnectWise MDR with SentinelOne, and ConnectWise MDR Premium with SentinelOne.
• This exploit was also tested against Defender, Defender for Endpoint, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus and was found to be vulnerable.

Mitigation

ConnectWise

1. Install SentinelOne agent version 22.2 SP1 (22.2.4.558) on your Windows agent endpoints.
2. Reboot your system if SentinelOne Console shows “reboot pending”.

Microsoft Malware Protection Engine:

1. Install version 1.1.19700.2 of defender software and reboot if prompted.

TrendMicro Apex One:

1. Install Hotfix 23573 & Patch_b11136 of their software and reboot if prompted.

Avast & AVG Antivirus:

1. Install version 22.10 of their Antivirus software and reboot if prompted.

VEndor Advories:

ConnectWise Advisory: https://www.connectwise.com/company/trust/advisoriesMicrosoft Defender Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37971Avast and AVG Advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4173Trend Micro Advisory: https://success.trendmicro.com/dcx/s/solution/000291830?language=en_US

Additional Resources:

SonicWall Capture Client Advisory: https://www.sonicwall.com/support/knowledge-base/capture-client-differences-between-sonicwall-managed-and-self-managed-versions/181114002946980/Time-of-Check and Time-of-Use Definition:  https://cwe.mitre.org/data/definitions/367.htmlSonicWall Aikido Advisory: https://www.sonicwall.com/support/knowledge-base/aikido-exploit-and-its-impact-on-sonicwall-capture-client/221213114338960/BlackHat SafeBreach Announcement: Aikido Vulnerability  https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Yair-Aikido-Turning-EDRs-to-Malicious-Wipers.pdf

Secure your business with CyberHoot Today!!!

Sign Up Now