April 22, 2024 at 10:45AM
SafeBreach security researcher Shmuel Cohen demonstrated how endpoint detection and response (EDR) solutions, such as Palo Alto Networks’ Cortex XDR, could be manipulated into malicious offensive tools. Cohen identified weaknesses, allowing an attacker to deploy ransomware, elevate privileges, and remain undetected. Palo Alto Networks addressed these issues with automatic content updates after Cohen’s report.
Based on the meeting notes, the discussion centered on the potential repurposing of endpoint detection and response (EDR) solutions as malicious offensive tools. SafeBreach security researcher Shmuel Cohen demonstrated how he dissected Palo Alto Networks’ Cortex XDR platform to identify vulnerabilities that could allow the security tool itself to be abused.
Cohen’s research revealed several weaknesses in the Cortex XDR platform: bypassing file anti-tampering protection, injecting malicious code into the security solution’s processes, and bypassing anti-tampering protections to load a vulnerable driver. Together, these allowed code to execute with high privileges while remaining undetected.
Furthermore, Cohen’s findings highlighted potential issues in ransomware protection, process memory dumping, and bypassing anti-tampering protections to gain backdoor access with high privileges.
Cohen emphasized that attacks breaching EDR solutions could provide threat actors with powerful capabilities likely to go undetected and unblocked.
Palo Alto Networks addressed the reported issues through automatic content updates approximately 10 months ago.
The meeting notes also referred to related articles about flaws in antivirus products that could have facilitated attacks and how researchers turned antivirus software into destructive tools.
The main takeaways from these notes are: closely guard the logic behind detection processes in security products, encrypt and digitally sign content files to prevent tampering, and add processes to allowlists or blocklists only based on parameters that attackers cannot modify.
Overall, the meeting notes outline significant security concerns and the actions taken to address them, underscoring the need for robust security measures and ongoing vigilance against evolving cybersecurity threats.
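The two content-file takeaways above, as an added illustration that is not part of the original notes and not Palo Alto Networks’ code: a toy rule loader that refuses to consume a content file whose integrity tag does not verify, and an allowlist that keys on the executable’s hash rather than on its process name, which an attacker can choose freely. The key, the rule format and the sample binaries are constructed for the example; a symmetric HMAC stands in for a vendor signature.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key; a real product would keep signing keys out of the agent entirely.
CONTENT_KEY = b"example-content-signing-key"


def sign_content(rules: dict) -> dict:
    """Package rules with an HMAC-SHA256 tag over their canonical JSON form."""
    body = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(CONTENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_content(package: dict) -> Optional[dict]:
    """Return the rules only if the tag verifies; a tampered file yields None."""
    expected = hmac.new(CONTENT_KEY, package["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        return None
    return json.loads(package["body"])


def allowed_by_name(rules: dict, process_name: str) -> bool:
    """Weak check: the process name is attacker-controlled."""
    return process_name in rules["allow_names"]


def allowed_by_hash(rules: dict, image_bytes: bytes) -> bool:
    """Stronger check: the image hash cannot be chosen without changing the code."""
    return hashlib.sha256(image_bytes).hexdigest() in rules["allow_sha256"]


def demo() -> dict:
    """Constructed scenario: a genuine agent binary and an impostor sharing its name."""
    genuine = b"genuine agent bytes"          # stands in for the real executable
    impostor = b"attacker binary named agent.exe"
    rules = {"allow_names": ["agent.exe"],
             "allow_sha256": [hashlib.sha256(genuine).hexdigest()]}
    package = sign_content(rules)
    loaded = load_content(package)
    # An attacker appends their own hash to the content file without re-signing it.
    tampered = dict(package)
    tampered["body"] = package["body"].replace("]}", ',"deadbeef"]}')
    return {
        "genuine_loads": loaded == rules,
        "tampered_rejected": load_content(tampered) is None,
        "impostor_passes_name_check": allowed_by_name(loaded, "agent.exe"),
        "impostor_passes_hash_check": allowed_by_hash(loaded, impostor),
        "genuine_passes_hash_check": allowed_by_hash(loaded, genuine),
    }
```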