BlackHat: EDR = Erase Data Remotely, By Cooking An Unforgettable (Byte) Signature Dish (July 11th)
Thursday, July 11th, 2024: 2:00 PM to 3:00 PM ET
In this talk, we will present a vulnerability (CVE-2023-24860) in a brand-new category that provides unauthenticated remote deletion of critical files, such as an entire production database, and causes a new level of DoS.
The vulnerability exists in the default settings of three well-known endpoint security products we have tested, and it is fully undetectable. It can be exploited on both Linux and Windows using at least ten different attack vectors, with almost no limitations.
We will explain the root cause and demo seven different attack vectors, including remote deletion of entire databases; in most cases the database service and the affected data cannot easily be recovered, resulting in a critical DoS.
We will demo how it can help adversaries cover their tracks and prevent a full DFIR, including remote deletion of the log files of the most prevalent web servers and of event logs, and how it causes a domino effect when a SIEM solution collects those infected log files into its databases. The attack vectors are not limited to servers: a malicious web server can also remotely trigger any Windows client to delete browser files on the endpoint.
Last but not least, we will detail how an unprivileged attacker can delete entire virtual machines on the host by executing code only inside guest machines. We believe that cloud environments might be vulnerable as well.
Hosted by blackhat