Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/31/2021
09:10 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weakness in EDR Tools Lets Attackers Push Malware Past Them

A technique called hooking used by most endpoint detection and response products to monitor running processes can be abused, new research shows.

A fundamental weakness in the way almost all endpoint detection and response (EDR) systems work gives attackers an opening to sneak malware past them.

Fixing the issue is not going to be easy, requiring a substantial overhaul of most current EDR systems on the market, Optiv said in a report this week.

Related Content:

XDR 101: What's the Big Deal About Extended Detection & Response?

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: What You Need to Know -- or Remember -- About Web Shells

EDR products are designed to detect and respond to suspicious behaviors and attacks on endpoint devices. Most combine signature-based malware detection with heuristic analysis, sandboxing, and other techniques to spot and block threats. The technology allows security teams to quickly isolate compromised systems and collect endpoint logs and other threat indicators to facilitate remediation.

One technique many EDR products use to detect suspicious activity and gather information for behavior-based analytics is called "hooking." Matthew Eidelberg, technical manager at Optiv, describes hooking as a technique for monitoring computer programs as they run. The hooks are placed at a System Call (syscall) interface, which allows a running process to interact with the operating system to request services, such as allocating memory, or to create a file.

"Many EDR products place these hooks at a point of program execution that users have access to so they have permissions to remove or completely bypass them," Eidelberg says.

The hooks give EDR agents on endpoint devices a way to monitor all running processes and look for any changes to those processes. The EDR agent passes data gathered via hooking to the EDR vendor's platform for further analysis.

The problem is that because the hooks are placed in user space, everything in a process' memory space when the process is created has the same permissions as the user running it.

"This means that malicious code has the same permissions as the system Dynamic Link Libraries," Eidelberg says.

As a result, attackers can modify the hooks in these system DLLs to allow malicious code to bypass the EDR product's detection and remediation mechanisms. Because of where the hooks exist, attackers could also write their own malicious system call functions into a process and have the operating system execute the functions.

"EDR products don't know that these exist or where they are located, so it makes it impossible for them to hook,'' Eidelberg said.

Optiv's research into weaknesses around EDR and memory hooks builds on previous work by other researchers. But rather than focusing on techniques that work only on individual products, the security vendor looked to see whether it could find systemic issues with hooking across all EDR products that attackers could exploit, Optiv said in its report. As part of its effort, the company developed exploits showing how it could sneak a malicious payload past products from four leading EDR product vendors.

An attacker would only need access to a remote endpoint to execute these attacks, Eidelberg noted. However, EDRs that operate in the kernel space shouldn't be as affected.

"This is because the kernel space is one area where these hooks are pretty reliable," he says. "It's hard for an attacker to do anything in the kernel given security controls around loading code."

Eidelberg says Optiv has been helping EDR vendors understand how attackers can exploit these issues in the wild. Several of them have begun to revamp their products and augment the telemetry collected via hooking to see whether they can detect tampering of system DLLs, he says. Some vendors are even moving their hooks into protected kernel space.

"All of these are great steps but will take some time to implement," he noted.

In the meantime, organizations should continue ensuring they have strong controls and detection mechanisms for preventing attackers from getting to the point where they can execute malicious code on an endpoint system in the first place, Eidelberg says.

"For an attacker to exploit this, they would need to get their malicious code onto an organization's systems and execute these actions," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...