Awesome
AVPWN
List of real-world threats against endpoint protection software - For future reference. The list is based on public information and thus is obviously incomplete.
The list should include:
- Non-public 0-day exploits at the time of reference
- Public incidents where attackers exploited endpoint protection software
- Supporting public evidence should be provided for all records
The list doesn't include:
- Exploits intentionally disclosed to the vendor in any way (including full uncoordinated disclosure)
- Detection bypasses, because I don't want to fill up the storage space of GitHub
- Attacks or exploits against perimeter products, because I'm lazy
The List
Immortal exploits
The following list contains exploits of "immortal" vulnerabilities - ones that for some reason can't be fixed by the vendor.
[1] Abuse of legitimate functionality, admin->kernel is not a security boundary
Honorable mentions
- As of November 2016. Zerodium (a prominent vulnerability broker) is offering up to $40.000 for Antivirus LPE/RCE
- In 2017. the price for AV LPE exploits dropped to $10.000 (presumably because of the easy accessibility to such exploits).
- In 2014. Kaspersky reported that the Careto malware was attempting to exploit a vulnerability in their products "to make the malware 'invisible' in the system". The targeted vulnerability was fixed in 2008.
- In 2015. Kaspersky reported a compromise of their own systems. According to the report "neither [Kaspersky's] products nor services have been compromised", and attackers were after information about "ongoing investigations [...] detection methods and analysis capabilities". In 2017 NYT reported that Kaspersky was compromised by the Israeli intelligence that found that Russian services were using the companies infrastructure/products to "scour the world for U.S. secrets".
- In 2013. Bit9, a security firm mostly known for it's white-list based endpoint protection product, was hacked and code-signing certificates with private keys were stolen. With these, attackers were able to sign malware with Bit9's code-signing certificate. The signed malware was used to bypass Bit9 protection on the client.
- In May 2019. Advanced Inteligence LLC claimed that Fxmsp - a threat actor they've been monitoring for some time - compromised four antivirus companies including Symantec, Trend Micro, and McAfee. Fxmsp was said to sell access to the source code and internal networks on the darknet. Advanced Intelligence LLC was registered right before the announcement in Delaware.
- Moshen Dragon abuses multiple AV executables for DLL sideloading to hide itself. While this is not considered a vulnerability in the affected AV software, Trend Micro deployed some countermeasures.