Adventures of AV and the Leaky Sandbox
For the second year in a row, our SafeBreach Labs researchers, VP Security Research Amit Klein and CTO and co-founder Itzik Kotler, presented original research at Black Hat.
This year's research was based on an interesting premise: in a highly secure enterprise where endpoints have no direct Internet connection, can sensitive data still be exfiltrated? Our researchers demonstrated that, under the right conditions, it can, by taking advantage of architecture flaws in some cloud-enhanced anti-virus products.
Our technique places the data to be exfiltrated inside an executable file that the main malware process creates on the endpoint. This executable then triggers anti-virus detection, whereupon the AV agent uploads the file to the anti-virus cloud for further inspection. The anti-virus server executes the file in a sandbox, and from that sandbox the executable sends the sensitive data to the attacker's command and control server. Read more about the details of the research in our whitepaper.
As part of the presentation at Black Hat, the SafeBreach Labs team also released the tool developed to implement the exfiltration technique on our GitHub page.
If you missed this presentation and want to see it live, it will be repeated at DEF CON. Also, don't miss the BITS Inject session by SafeBreach researcher Dor Azouri.