Hacker Hijinks: Microsoft & Kaspersky Security Flaws Leave Files Vanishing in Thin Air!

Strap in for a wild cyber ride: Researchers exploited EDR flaws in Microsoft and Kaspersky products, turning security heroes into file-deleting villains. Think malware MacGyver with a byte signature twist. Patch or not, these digital gremlins might just laugh at your cyber defenses. #RemoteDeletionChaos

Hot Take:

File deletion fun with Microsoft and Kaspersky: Because who needs files when you’ve got false positives? It’s like cybersecurity roulette, but instead of a bullet, it’s your database on the line. Patches? More like temporary band-aids on a digital hemorrhage. Kudos to SafeBreach for playing it safer than a Vegas card counter!

Key Points:

  • SafeBreach researchers reveal Microsoft Defender and Kaspersky EDR can be duped into deleting legit files by planting malware signatures.
  • These “cyber magicians” can make databases vanish by tinkering with byte signatures – no top hat required.
  • Microsoft patched it, kind of, but like a bad magic trick, the file still disappears with the right nudge.
  • Kaspersky shrugged it off as a design feature, but hints at future “improvements” to their illusionist act.
  • File deletion by EDR is the new vanishing act that could take a whole Azure cloud with it – thank goodness for stage fright!

Title: Microsoft Defender Denial of Service Vulnerability
CVE ID: CVE-2023-24860
CVE state: PUBLISHED
CVE assigner short name: microsoft
CVE date updated: 12/14/2023
CVE description: Microsoft Defender Denial of Service Vulnerability

Title: Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR
CVE ID: CVE-2023-3601
CVE state: PUBLISHED
CVE assigner short name: WPScan
CVE date updated: 01/16/2024
CVE description: The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.

Need to know more?

Disappearing Act 101

Tomer Bar and Shmuel Cohen, SafeBreach's dynamic duo, took the stage at Black Hat Asia to demonstrate how cybersecurity can be more about "Oops" than ops. They turned Microsoft Defender and Kaspersky's EDR into unwitting accomplices in a delete-fest: just sprinkle some malware byte signatures into innocent files and watch them go poof! Who knew that protecting your files could lead to a digital Bermuda Triangle?

The Art of the Byte

It's simple, really. Find a malware signature, pop it into a file like a bad Easter egg, and watch as the EDR programs go on a deleting spree. The method? As easy as registering with a suspicious byte in your username – it’s like telling the bouncer at the club your name is "Malware McVirusface" and watching the panic ensue.

Backup Plan: Actually Have One

When EDR tools play the role of overzealous Marie Kondo, the only joy that sparks is in the hearts of attackers. The researchers found that once EDR tools decide a file doesn't bring happiness, it's gone for good. The only way back is through the digital time machine known as "backups."
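If backups are the only way back, the next best thing is knowing in advance what your EDR will do on a match and whether anything can still be pulled out of quarantine. The script below is an added example written for this page, not SafeBreach's, Microsoft's or Kaspersky's code: it reads a Windows host's Microsoft Defender remediation defaults, warns where a severity level is set to remove rather than quarantine, checks whether an application data store is excluded from scanning, lists recent detections, and lists the quarantine. The data-store path and the MpCmdRun.exe location are assumptions and are marked as such.

```powershell
# Added example for this page (not SafeBreach's, Microsoft's or Kaspersky's code):
# audit what Microsoft Defender will do to a file that matches a signature, check whether
# the application's data store is excluded, and list what can still be pulled back from
# quarantine. Requires the Defender PowerShell module and an elevated shell on Windows.

$pref = Get-MpPreference

# Defender's default remediation per threat severity. 'Remove' deletes the file outright;
# 'Quarantine' keeps a copy that MpCmdRun.exe can restore. Numeric values follow the
# ThreatAction enum used by Set-MpPreference.
$actionNames = @{ 0 = 'Default'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove';
                  6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }
$severities = [ordered]@{
    Low      = $pref.LowThreatDefaultAction
    Moderate = $pref.ModerateThreatDefaultAction
    High     = $pref.HighThreatDefaultAction
    Severe   = $pref.SevereThreatDefaultAction
}
foreach ($sev in $severities.Keys) {
    $code  = [int]$severities[$sev]
    $label = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
    '{0,-8} threat default action: {1}' -f $sev, $label
    if ($code -eq 3) {
        Write-Warning "${sev}-severity matches are removed, not quarantined; only a backup brings those files back."
    }
}

# Location of the application data store a planted signature would land in.
# Assumption: replace with the real path for the system being audited.
$dataDir = 'D:\AppData\db'

if ($pref.ExclusionPath -notcontains $dataDir) {
    Write-Warning "$dataDir is not excluded from scanning; a signature match inside it would be remediated."
    # Excluding it stops the deletion but also blinds Defender to real malware dropped there,
    # so pair it with integrity monitoring and backups. Run once, elevated, if you accept that:
    # Add-MpPreference -ExclusionPath $dataDir
}

# Recent detections, so the operator can see which file tripped which signature.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ThreatID, Resources |
    Format-Table -AutoSize

# Quarantine contents. Only files the engine quarantined (rather than removed) appear here.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'   # assumption: default install path
if (Test-Path $mpcmd) {
    & $mpcmd -Restore -ListAll
    # To bring back one confirmed false positive (path is a placeholder):
    # & $mpcmd -Restore -FilePath (Join-Path $dataDir 'users.db')
} else {
    Write-Warning "MpCmdRun.exe not found at $mpcmd; look under the Defender Platform directory."
}
```

Two caveats worth keeping in mind when reading the output. A quarantine listing only helps if the engine quarantined the file in the first place, which is exactly what the researchers say did not happen with these detections, so the severity audit at the top is the part that tells you whether you are one signature away from needing the backup. And a path exclusion is a trade: it stops the EDR from deleting your database, but it also stops it from looking there at all.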

Patchy Solutions

After the researchers gave Microsoft a mild heart attack with their findings in January 2023, CVE-2023-24860 was born, swaddled in a patch that was supposed to keep files safe. But like a determined toddler, the researchers found new ways to trip the system. Microsoft tried again in December with CVE-2023-3601, but our intrepid heroes still managed to play peekaboo with a PowerShell command.

A Gentleman's Agreement

Microsoft, displaying the grace of a host whose party has been crashed, appreciated SafeBreach's heads-up. But according to Cohen, fixing the flaw is like trying to remodel a house when the foundation is made of Swiss cheese. Microsoft suggests some DIY home security tips, but let's face it, the flaw is as stubborn as a cat refusing to get off your keyboard.

EDR: The New Magic Trick

Turns out, Defender and Kaspersky aren't alone in their security stage fright. Earlier that same day, Cohen highlighted how Palo Alto Networks' Cortex XDR could also do the disappearing file trick. The moral of the story? Patches aren't cure-alls, and maybe, just maybe, putting all your security eggs in one byte-signature basket isn't the best idea.

Tags: byte signature detection, CVE-2023-24860, CVE-2023-3601, Kaspersky EDR, Microsoft Defender, remote file deletion, security vulnerability patching