A couple of months ago I wrote a post about antivirus as attack surface. The benefit for an attacker going after an antivirus product is that they bypass a security mechanism and typically gain administrative privileges on the machine. Well, recently a new exploit tool came out, and it’s targeting McAfee ePO.
The tool allows an attacker on the local network to add rogue systems to an enterprise ePO server, steal domain credentials if they are cached within ePO, upload files to the ePO server, and execute commands on the ePO server as well as any systems managed by ePO.
Basically, if someone gets onto your network they can control any systems under the protection of the ePolicy Orchestrator. For an enterprise this is a huge deal: you can have hundreds of systems under ePO “protection”, and therefore a compromise of the ePO server means the attacker controls the workforce.
With antivirus software injecting itself into all sorts of processes, allowing remote endpoint management, and more, it makes for a very tempting attack surface. In an enterprise environment where you’re dealing with so-called ‘APT’, this is exactly the type of attack that would be used: full compromise of the majority of systems, allowing a massive number of credentials to be stolen, more successful phishing attacks, etc. It is not hard to imagine an entire network being controlled in relatively little time with this type of attack.
This is just one example of an attack on security software; it will definitely not be the last we see.