In the wake of SafeBreach’s Aikido Wiperware vulnerability announcement in early December, many have begun to suspect that pseudo-ransomware may be making a comeback. Despite being only a Proof-of-Concept (PoC), the vulnerability, dubbed Aikido Wiperware, opens up new insider-threat opportunities, alongside specific TTPs (Tactics, Techniques, and Procedures) that could lead to even more far-reaching, post-data-exfiltration consequences.
What Is Aikido Wiperware?
The newly discovered vulnerability belongs to the pseudo-ransomware class, inheriting most of the core attributes and viral mechanisms of ransomware. However, the major distinction between the two malware classes lies in their goals: ransomware relies on extortion and victim intimidation (i.e., destroying the data or making it public if the victim does not comply), while pseudo-ransomware has no goal other than wanton destruction.
In the case at hand, the aptly named Aikido Wiperware turns the standard safeguards built into EDR solutions into a means of deleting system files or critical documents. According to the original report and Heimdal®’s investigation, this type of security event can be triggered under non-privileged conditions (i.e., the threat actor does not require admin or SYSTEM-level privileges to stage the attack).
In spite of the vulnerability’s effectiveness, it has one major caveat: proximity. The threat actor must physically interact with the victim’s machine to trigger this event. Python scripts are available in clear-web repositories, but our data shows that automating the task (i.e., creating a job-like automation flow) is not feasible at this point in time, since the Python scripts rely on specific dependencies and libraries that need to be installed in a separate session. Considering these factors, we can exclude the network as a feasible attack surface.
Aikido Wiperware relies on a two-pronged approach: exploiting the TOCTOU (Time-of-Check to Time-of-Use) window in the EDR’s workflow and creating directory junctions.
Upon accessing the victim’s endpoint, the threat actor identifies the target (system) file. In SafeBreach’s PoC, ndis.sys was the objective. To trigger the Aikido exploit, the operations listed below must be performed.
- Obtain or craft a malicious file.
- Create a special path for the malicious file: C:\temp\Windows\System32\drivers\ndis.sys\
- Maintain a process handle and force-postpone the malicious file’s deletion until the next machine reboot.
- Manually delete the C:\temp directory.
- Manually create a junction from C:\temp to C:\
- Reboot when prompted.
- Upon system reboot, the target folder is deleted, along with the target file.
Heimdal®’s attempt at replicating the security event considered system files other than those used in the original PoC, in order to determine whether the exploit is specific to a single file. Our evaluation showed that Aikido can be triggered under any such conditions, provided that the approach mirrors the one above.
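As a detection counterpart to the steps above (an added example, not Heimdal’s or SafeBreach’s code): the deferred deletion is recorded on the literal C:\temp\... path, so a defender has to re-resolve every reboot-time delete through the junctions present on the host to see what it would really remove. The pending list and junction map below are constructed sample data; the PROTECTED set and the helper names are assumptions.

```python
"""Re-resolve deferred (next-reboot) file deletions through directory junctions.
Added example, not Heimdal's or SafeBreach's code; all sample data is constructed.
On a real host, feed in the PendingFileRenameOperations value (REG_MULTI_SZ of
source/destination pairs, empty destination = delete) from HKLM\\SYSTEM\\
CurrentControlSet\\Control\\Session Manager, plus os.readlink() of each junction."""
from __future__ import annotations
from pathlib import PureWindowsPath
# Assumption, tune per environment: deletes that resolve in here get flagged.
PROTECTED = (PureWindowsPath("C:/Windows/System32"), PureWindowsPath("C:/Windows/SysWOW64"))

def pending_deletes(multi_sz: list[str]) -> list[str]:
    """Source paths of delete entries, with the NT '\\??\\' prefix stripped."""
    pairs = zip(multi_sz[0::2], multi_sz[1::2])
    return [src.replace("\\??\\", "", 1) for src, dst in pairs if dst == ""]

def resolve_through_junctions(path: str, junctions: dict[str, str]) -> str:
    """Replace junction prefixes in `path` with their targets; longest prefix wins."""
    p = PureWindowsPath(path)
    for _ in range(32):  # hop bound so a junction cycle cannot loop forever
        for link, target in sorted(junctions.items(), key=lambda kv: -len(kv[0])):
            link_p = PureWindowsPath(link)
            if p == link_p or link_p in p.parents:
                p = PureWindowsPath(target).joinpath(*p.relative_to(link_p).parts)
                break
        else:
            break  # no junction applies any more: fully resolved
    return str(p)

def is_protected(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(p == d or d in p.parents for d in PROTECTED)

def junction_redirected_deletes(multi_sz: list[str], junctions: dict[str, str]) -> list[tuple[str, str]]:
    """(literal, resolved) for each deferred delete that a junction redirects into a
    protected directory; ordinary deletes resolve to themselves and are skipped."""
    hits = []
    for literal in pending_deletes(multi_sz):
        real = resolve_through_junctions(literal, junctions)
        if real.lower() != literal.lower() and is_protected(real):
            hits.append((literal, real))
    return hits

# Constructed sample: one Aikido-style entry, one temp cleanup, one rename, junction C:\temp -> C:\
SAMPLE_PENDING = [
    "\\??\\C:\\temp\\Windows\\System32\\drivers\\ndis.sys", "",
    "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp", "",
    "\\??\\C:\\Windows\\Temp\\old.dll", "\\??\\C:\\Windows\\Temp\\new.dll",
]
SAMPLE_JUNCTIONS = {"C:\\temp": "C:\\"}
```

Running `junction_redirected_deletes(SAMPLE_PENDING, SAMPLE_JUNCTIONS)` flags only the ndis.sys entry, because its literal path lies under C:\temp but resolves into C:\Windows\System32\drivers.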
Countermeasures and Mitigations
Our internal investigation has concluded that customers using Heimdal® EDR solutions are unaffected by the Aikido Wiperware exploit.
In all instances, the Next-Generation Antivirus & MDM solution ended the kill chain by severing the TOCTOU flow. Moving forward, Heimdal® recommends that all customers and partners enforce Real-Time Protection under Endpoint Protection in the Unified Threat Platform. This countermeasure ensures that the malicious files used to stage the exploit are deleted before the endpoint scanning cycle.
In addition, we recommend applying any available security patches. Microsoft has assigned the ID CVE-2022-37971 to this vulnerability and has patched the issue in the latest Microsoft Malware Protection Engine, version 1.1.19700.2.