Safebreach specialist Shmuel Cohen demonstrated that EDR solutions can be exploited as tools for attacks. Cohen’s study revealed vulnerabilities in one EDR system that could potentially allow hackers to utilize the tool for malicious purposes.
Typically, EDR systems operate with high privileges to safeguard devices against various threats, such as malware. However, compromising these systems could grant attackers persistent and discreet access to their victims.
During his analysis, Cohen found that the studied EDR’s behavior could be manipulated to bypass protection against file changes. This loophole could enable attackers to run encrypting software for extortion or even load a vulnerable driver to prevent the EDR’s removal using the administrator password.
Furthermore, Cohen discovered a method to introduce harmful code into one of the EDR processes, granting the code high privileges while remaining undetected. By exploiting the ability to modify Lua and Python files, attackers could execute malicious code and gain access to the system with the highest systemic privileges.
By leveraging a vulnerable driver, Cohen was able to access and modify the system’s core, giving him the ability to alter the control password in the EDR. This meant attackers could potentially use any password or block the program’s removal if it became disconnected from the control server.
The study highlights how attacks on EDR solutions can offer attackers significant capabilities that may go unnoticed. Cohen stresses that security products should safeguard detection processes, encrypt and sign content files with digital signatures to prevent alterations, and add processes to lists based on unchangeable parameters to thwart attackers.
In response to Cohen’s findings, Palo Alto Networks updated their protective mechanisms and advised users to ensure the currency of their systems. Cohen openly shared his research to raise awareness about such threats and bolster security measures within organizations.