Threat Coverage | Product

Aug 8, 2023

Original Attacks: SafeBreach Labs Discovers Previously Unknown Attack Methods

Researchers at SafeBreach Labs have recently discovered several novel attack methods which can circumvent common security controls and execute some jaw-dropping malicious actions including:

  • Encrypting files without executing code on the targeted endpoint
  • Hacking Windows Defender and Defender 365 to remotely “own” a Windows agent or server
  • Remotely deleting entire databases from fully patched servers

SafeBreach threat researchers have successfully executed and verified each of these attack methods, however none have been used in the wild at this point. That’s particularly good news for SafeBreach customers as each of the attacks are currently available in our Hacker’s Playbook in a new category called Original Threats.  Original Threats enable our users to proactively test their security controls and take appropriate remediative steps before an exploit has been weaponized, rather than run the risk of becoming a victim of a future zero-day attack.  

Novel Attacks Have Profound Implications

We’ve organized the novel attacks around three core exploits which we’ve named Defender-Pretender, DoubleDrive, and Erase Data Remotely.  Below is a brief summary and the malicious actions each is capable of executing. 

Defender-Pretender

Defender-Pretender is an open-source tool created by SafeBreach Labs as a proof of concept. It neutralizes the Windows Defender endpoint detection and response (EDR) agent and allows any malicious code to run fully undetected and makes Defender delete admin’s data. SafeBreach Labs researchers were also able to delete OS and driver files (resulting in a fully unrecoverable OS),  and change the Windows Defender behavior by modifying its detection and mitigation logic.

DoubleDrive

DoubleDrive is a fully undetectable cloud-based ransomware which does not require a malicious executable to be present on the endpoints in order to encrypt files.  It uses MS OneDrive to encrypt local files outside of OneDrive’s directory and bypasses common defensive capabilities such as decoy file detection, Microsoft’s Controlled Folder Access and OneDrive’s ransomware detection. 

DoubleDrive can execute common malicious actions including shadow copy deletion, and can wipe OneDrive files’ 500 previous versions and empty OneDrive’s recycle bin, making file recovery impossible. In addition, it can run with any privileges and went undetected by any of the EDRs our researchers tested it against.

Erase Data Remotely

Erase Data Remotely (EDR) is the EDR you don’t want! It is a vulnerability in a brand-new category which enables unauthenticated remote deletion of critical files such as an entire production database and causes a new level of DOS. The vulnerability exists, in default settings, of three well-known endpoint security products we have tested and it’s fully undetectable. It can be exploited both on Linux and Windows using at least ten different attack vectors and without almost any limitation.

It also helps adversaries to cover their tracks by enabling remote deletion of log files of the most prevalent web servers and can cause a domino effect when a SIEM solution collects those infected log files to their databases. Attack vectors are not only limited against servers, but a malicious web server may also remotely trigger any Windows client to delete browser files on the endpoint.

Hack Yourself with SafeBreach Original Attacks

SafeBreach customers can find each of these novel attack methods in the SafeBreach Hacker’s Playbook tagged as Original Threats. Original Attacks, which are exclusively available from SafeBreach, enable customers to leverage our proprietary research findings such as those laid out above, and proactively test their security products for vulnerabilities before malicious groups exploit them. 

All Security Controls are Imperfect

Security technology vendors understand the importance of addressing security vulnerabilities, and most work tirelessly to strengthen their products. While security patches are commonplace, no technology is perfect, and new attack vectors may appear where none existed previously as adversaries become smarter and more creative in their methods.  SafeBreach’s Original Attacks highlight that even the most fortified tools can still be susceptible to skilled adversaries and more must be done to enable enterprises to take a more proactive stance and anticipate the attacks that are yet to come.

Why Run SafeBreach Original Attacks? 

  • Identify and remediate security gaps before APT groups exploit them
  • Ensure software updates or patches issued by vendors been properly deployed
  • Test for weaknesses in your security controls
  • Protect your enterprise from novel malicious actions with the potential to jeopardize your data and tarnish your reputation

What is SafeBreach Labs?

Original Attacks are created as a result of continuous threat research conducted through SafeBreach Labs, the research arm of SafeBreach.  SafeBreach Labs is comprised of some of the world’s top security researchers who constantly look for new attack methods – before adversaries discover them. Once the team discovers and verifies a relevant method, they add it to the SafeBreach attack simulation playbook and make it available to all SafeBreach customers. The Labs team also shares this research at leading conferences such as Black Hat, RSA and DEFCON, in order to ensure that the security community at large knows what it’s up against.

Researchers from SafeBreach Labs will be presenting their findings on these attack methods in a series of talks August 9-10 at BlackHat 2023 in Las Vegas.  See here for details on this and all of SafeBreach’s activity at BlackHat.

Learn More

To find out more about how SafeBreach’s Original Threats can help validate your security controls against novel attack methods before they are weaponized, we invite you to schedule a demo.

Get the latest
research and news