“Aikido” Vulnerability Turns EDR into Wiper Malware

14th December 2022 | Advisory, Blog

Wiper-malware Can Devastate Systems

December 7th, 2022: A SafeBreach security researcher disclosed a vulnerability dubbed “Aikido,” followed (Dec. 12th) by proof-of-concept (POC) exploit code that can potentially turn EDR agents running on Microsoft Windows endpoints into malicious data wipers.

December 12th, 2022: CyberHoot has learned of a critical vulnerability in ConnectWise and SonicWall Capture Client (and the other EDR products listed below). MSPs are urged to take emergency action to patch their systems ASAP. Evidence has surfaced of exploits in the wild resulting in arbitrary code execution with elevated admin privileges.

What is Wiper Malware?

“In computer security, a wiper is a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs.” Wikipedia

Vulnerability Alert Management Process Alert Level:

Critical Advisory Alert: Immediate Action Required

Impacted Systems:

The following software solutions were identified and tested by ConnectWise. Additional systems may be at risk. Check your vendor advisory pages to confirm exposures and patch ASAP.

  • Microsoft Windows with SentinelOne agents running all versions prior to 22.2.4.558 are vulnerable.
  • SentinelOne agents are utilized in the following ConnectWise products: ConnectWise SentinelOne Control, ConnectWise SentinelOne Complete, ConnectWise MDR with SentinelOne, and ConnectWise MDR Premium with SentinelOne.
  • This exploit was also tested against Defender, Defender for Endpoint, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus and was found to be vulnerable.

Mitigation

ConnectWise (SentinelOne):

  1. Install SentinelOne agent version 22.2 SP1 (22.2.4.558) on your Windows agent endpoints.
  2. Reboot your system if the SentinelOne Console shows “reboot pending”.

Microsoft Malware Protection Engine:

  1. Install version 1.1.19700.2 of the Defender engine and reboot if prompted.

TrendMicro Apex One:

  1. Install Hotfix 23573 & Patch_b11136 of their software and reboot if prompted.

Avast & AVG Antivirus:

  1. Install version 22.10 of their Antivirus software and reboot if prompted.

Vendor Advisories:
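The mitigation steps above boil down to one check per product: is the installed agent at or above the fixed version, and is a reboot still pending? The PowerShell below is an added example written for this advisory, not code from CyberHoot or any of the vendors. It assumes the SentinelOne, Avast and AVG agents register in the standard Windows Uninstall registry keys with DisplayName values beginning “Sentinel Agent”, “Avast” and “AVG” (the name patterns are assumptions), and that Get-MpComputerStatus is available for the Defender engine version. Trend Micro’s fix is a hotfix rather than a version number, so it is not covered here and must be confirmed in the Apex One console.

```powershell
# Added example (not from CyberHoot or any vendor): compare installed EDR/AV
# versions on a Windows endpoint against the fixed versions in this advisory.
# Run in an elevated PowerShell session on the endpoint being checked.

# Minimum fixed versions taken from the Mitigation section of the advisory.
$FixedVersions = @{
    'Sentinel Agent'  = [version]'22.2.4.558'   # SentinelOne 22.2 SP1
    'Defender Engine' = [version]'1.1.19700.2'  # Microsoft Malware Protection Engine
    'Avast'           = [version]'22.10'
    'AVG'             = [version]'22.10'
}

# Look up installed products by DisplayName in both 64- and 32-bit Uninstall keys.
# The name patterns passed in by the caller are assumptions about how each vendor labels its agent.
function Get-InstalledProduct {
    param([Parameter(Mandatory)][string]$NamePattern)
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

# Classify one installed version against the advisory minimum.
# [version] comparison is numeric per component, so 22.2.4.558 > 22.2.4.99 as intended.
function Test-PatchedVersion {
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][string]$Installed,
        [Parameter(Mandatory)][version]$Minimum
    )
    $parsed = $null
    if (-not [version]::TryParse($Installed, [ref]$parsed)) {
        $status = 'UNPARSEABLE'   # vendor string not in dotted-numeric form; check manually
    } elseif ($parsed -ge $Minimum) {
        $status = 'PATCHED'
    } else {
        $status = 'VULNERABLE'
    }
    [pscustomobject]@{ Product = $Product; Installed = $Installed; Minimum = $Minimum; Status = $status }
}

# Step 2 of the mitigation: a patched agent may not be effective until the reboot completes.
# These two registry locations are the standard Windows indicators of a pending reboot.
function Test-PendingReboot {
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfro = $null -ne $sm -and $null -ne $sm.PendingFileRenameOperations
    return ($cbs -or $pfro)
}

$results = @()

# Registry-registered agents: SentinelOne (ConnectWise / SonicWall Capture Client), Avast, AVG.
$checks = @(
    @{ Pattern = 'Sentinel Agent*'; Key = 'Sentinel Agent' },
    @{ Pattern = 'Avast*';          Key = 'Avast' },
    @{ Pattern = 'AVG*';            Key = 'AVG' }
)
foreach ($c in $checks) {
    foreach ($p in Get-InstalledProduct -NamePattern $c.Pattern) {
        $results += Test-PatchedVersion -Product $p.DisplayName -Installed $p.DisplayVersion -Minimum $FixedVersions[$c.Key]
    }
}

# Defender: the fix is to the Malware Protection Engine, reported as AMEngineVersion.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $engine = (Get-MpComputerStatus).AMEngineVersion
    if ($engine) {
        $results += Test-PatchedVersion -Product 'Microsoft Malware Protection Engine' -Installed $engine -Minimum $FixedVersions['Defender Engine']
    }
}

if ($results.Count -eq 0) {
    Write-Host 'None of the listed products were found in the Uninstall registry or via Get-MpComputerStatus.'
} else {
    $results | Format-Table -AutoSize
}
Write-Host ("Reboot pending: {0}" -f (Test-PendingReboot))
```

A VULNERABLE or UNPARSEABLE row means the endpoint needs the vendor update from the steps above (or a manual check in the vendor console); a PATCHED row with “Reboot pending: True” still needs step 2, the reboot, before the fix is in effect. Across an MSP fleet this is the kind of script to push through RMM and collect the table centrally rather than run by hand.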

  • ConnectWise Advisory: https://www.connectwise.com/company/trust/advisories
  • Microsoft Defender Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37971
  • Avast and AVG Advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-4173
  • Trend Micro Advisory: https://success.trendmicro.com/dcx/s/solution/000291830?language=en_US

Additional Resources:

  • SonicWall Capture Client Advisory: https://www.sonicwall.com/support/knowledge-base/capture-client-differences-between-sonicwall-managed-and-self-managed-versions/181114002946980/
  • Time-of-Check and Time-of-Use (CWE-367) Definition: https://cwe.mitre.org/data/definitions/367.html
  • SonicWall Aikido Advisory: https://www.sonicwall.com/support/knowledge-base/aikido-exploit-and-its-impact-on-sonicwall-capture-client/221213114338960/
  • Black Hat SafeBreach Announcement (Aikido Vulnerability): https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Yair-Aikido-Turning-EDRs-to-Malicious-Wipers.pdf
