A newly pioneered technique could render endpoint detection and response (EDR) platforms “blind” by using hardware breakpoints to launch a process in which NTDLL, the user-mode library that fronts Windows system calls, carries none of the EDR's hooks. This potentially gives malicious actors the ability to execute any function within NTDLL without the EDR seeing the call, researchers warned.
The Cymulate Offensive Research Group, which discovered what it calls the “Blindside” technique, noted in a report released Dec. 19 that the injected commands could be used to perform any number of unexpected, unwanted, or malicious operations on a target system.
Blindside creates an unhooked process. The user-mode hooks that EDR platforms place on NTDLL functions (small patches that redirect each call through the EDR's own code so it can inspect the call before passing it on, which is how one application monitors another) are absent from that process, so the EDR cannot use them to judge whether its behavior is malicious.
Because many EDR solutions rely entirely or heavily on hooks to track behaviors and malicious activities, they would be unable to track the behaviors of the process launched with Blindside, the researchers explained.
Mike DeNapoli, director of technical messaging at Cymulate, notes that there are other methods to block hooks, but they depend heavily on cooperation from the operating system. Not so with Blindside.
“Blindside leverages hardware operations and can work in circumstances where other methods fail,” he explains.
DeNapoli also points out that the use of hardware breakpoints for malicious outcomes is not entirely new, explaining that researchers already knew that various forms of breakpoints on x86 processors can be used to evade detection. Hardware breakpoints are set through the CPU's debug registers (DR0 to DR3 hold the addresses, DR7 arms them) rather than by patching the target's code, so they leave no modified bytes behind for a hook or an integrity check to notice. Blindside, however, takes a slightly different approach.
“Previous threat methodologies and techniques have focused on the virtualization of a process, or the use of syscalls to accomplish their goal,” he says. “Blindside adds the use of specific debugging breakpoints to force a process to launch without hooks, which is what makes it a new technique.”
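Because a hardware breakpoint lives in the debug registers and not in the code, the only place it is visible is the thread's register context. The added example below (my own illustration, not Cymulate's code; the thread-context dictionaries and addresses are constructed, and the field names follow the Dr0 to Dr7 members of the Windows CONTEXT structure) encodes and decodes the DR7 layout and shows the check a defender could run over a captured thread context to see whether any breakpoint is armed, one of the non-hook signals the article says EDR vendors will need.

```python
from dataclasses import dataclass

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per slot
#   bits 16..31 : per slot, 2 bits R/W (condition) followed by 2 bits LEN
CONDITION = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BITS = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}   # LEN encoding; 0b10 means 8 bytes in 64-bit mode
LEN_BYTES = {v: k for k, v in LEN_BITS.items()}


def encode_dr7(slot: int, condition: str, length: int = 1, local: bool = True) -> int:
    """DR7 bits that arm one breakpoint slot (0-3) with the given condition."""
    if not 0 <= slot <= 3:
        raise ValueError("slot must be 0..3")
    rw = {v: k for k, v in CONDITION.items()}[condition]
    if rw == 0b00 and length != 1:
        raise ValueError("execute breakpoints must use length 1")
    enable_bit = 2 * slot + (0 if local else 1)
    return (1 << enable_bit) | (rw << (16 + 4 * slot)) | (LEN_BITS[length] << (18 + 4 * slot))


@dataclass
class Breakpoint:
    slot: int
    address: int
    condition: str
    length: int


def decode_hw_breakpoints(ctx: dict) -> list:
    """Armed hardware breakpoints described by a thread context.
    ctx carries Dr0..Dr3 and Dr7 the way the Windows CONTEXT structure does."""
    dr7 = ctx["Dr7"]
    found = []
    for slot in range(4):
        if not dr7 & (0b11 << (2 * slot)):      # neither the L nor the G bit is set
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        found.append(Breakpoint(slot, ctx[f"Dr{slot}"], CONDITION[rw], LEN_BYTES[ln]))
    return found


def has_hw_breakpoints(ctx: dict) -> bool:
    """True if any slot is armed; a normal, undebugged thread has DR7 == 0."""
    return bool(decode_hw_breakpoints(ctx))


# Constructed thread contexts (illustrative addresses, not real ones): slot 0 armed
# as an execute breakpoint, slot 1 as a 4-byte write watchpoint; the idle context
# is what an ordinary thread looks like.
ARMED_CTX = {
    "Dr0": 0x7FFA12345678, "Dr1": 0x10000000, "Dr2": 0, "Dr3": 0,
    "Dr7": encode_dr7(0, "execute") | encode_dr7(1, "write", 4),
}
IDLE_CTX = {"Dr0": 0, "Dr1": 0, "Dr2": 0, "Dr3": 0, "Dr7": 0}

if __name__ == "__main__":
    print(hex(ARMED_CTX["Dr7"]))                 # 0xd00005
    for bp in decode_hw_breakpoints(ARMED_CTX):
        print(bp)
    print(has_hw_breakpoints(IDLE_CTX))          # False
```

The check is cheap but not a verdict on its own: legitimate debuggers and some profilers arm the same registers, so a detection would pair an armed DR7 on a thread with the rest of the process's context (who created it, whether a debugger is attached, what runs after the breakpoint fires).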
Discovering New Techniques Improves Protection
DeNapoli says discovering new attack vectors allows EDR vendors and their customers to stay ahead of the game on defense.
“When investigating techniques, the Cymulate Offensive Research Team will sometimes discover ideas that could be used to create new techniques,” he explains, adding that the justification for going public with the results is bringing greater awareness of these potential attack techniques and methods to EDR vendors and the public — before they are discovered by threat actors and used for malicious purposes.
“EDR solutions use multiple methodologies to monitor applications and processes for circumstances where they perform malicious actions,” DeNapoli says. “This idea of behavior-based detection has become the primary and most popular method of anti-malware operations. This makes bypass and compromise of this form of anti-malware operation a major concern of organizations and service providers alike.”
John Bambenek, principal threat hunter at Netenrich, agrees that the good news is that this tactic was discovered in advance of an attack and shared with the broader community.
“That way, they can develop mitigations, some of which were in the research itself,” he says. “This research identifies the problem and a path forward.”
He adds that attackers are constantly developing techniques and looking for holes to bypass our security tools. Earlier this month, vulnerabilities were found in EDR tools from different vendors — among them Microsoft, Trend Micro, and Avast — that give attackers a way to manipulate the products into erasing virtually any data on the systems they run on.
And another threat group was recently observed using Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes.
“Either we find them first and develop mitigations or we wait for the attackers to find them and deal with breaches,” Bambenek says.
Updating Defense Postures
DeNapoli explains that next-gen EDR platforms will likely evolve away from relying so heavily on user-mode hooking.
“Several EDR vendors that Cymulate tested the technique against had already begun to use more than just hooking methods to track behaviors, and more are sure to do so as additional techniques to avoid hooking are brought to the public light,” he says.
Working with an organization’s EDR vendor and/or service provider, and keeping the system and the configuration of the tools within their infrastructure updated and validated per vendor/provider recommendations, is a critical step in staying ahead of threat actors, DeNapoli adds.
“Because EDR solutions are only one layer of defenses, and because modern cybersecurity solutions can be complex, it is vital that organizations also regularly validate their security controls,” he says.
Bambenek cautions that many organizations believe their job is done when they get EDR deployed everywhere and, while important, it is only one piece of the puzzle.
“Security, unfortunately, will require constant investment, because the attackers are certainly investing in their own R&D,” he explains. “Primarily, the work here is on EDR vendors to look at other means to detect the use of these techniques.”