Aug 23, 2022

SafeBreach Researcher Itay Migdal Discovers a Potential Generic Bypass in the Palo Alto Cortex XDR Anti-Ransomware Module

Defending the enterprise amid the ever-evolving threat landscape has prompted security teams to deploy numerous security controls and processes in the quest to prevent business-crippling cyberattacks. CISOs and security teams are constantly trying to maximize the impact of their security controls and proactively manage their risk and security posture. Yet, teams struggle to understand if the many controls deployed are configured correctly, which controls will prevent, detect, or completely miss an attack, and how the controls will work together against threat groups that pose a risk to the business. 

SafeBreach offers continuous security validation, powered by its breach and attack simulation (BAS) platform, designed to help organizations overcome this challenge. The platform safely executes real-world attack simulations across the cyber kill chain to validate the effectiveness of all layers of your security independently and at each stage of the attack process to strengthen cyber resiliency. One of the primary drivers behind our ability to provide relevant, comprehensive, and timely threat intelligence that emulates real attacker techniques is our SafeBreach Labs team

The SafeBreach Labs team is composed of cybersecurity experts who spend their time scouring intelligence feeds and conducting original research to provide offensive insights into the latest and most relevant threats. Their ability to vigilantly monitor for exploits and attacks allows SafeBreach to offer the industry’s largest and most comprehensive attack playbook with over 25,000 attacks and the only 24-hour SLA on incorporating the latest actionable TTPs and IOCs from US-CERT, FBI Flash, and other critical alerts. 

The SafeBreach Labs team actively contributes to the global cybersecurity community, partners with leading security control vendors to optimize and and improve their products, and openly shares their research at leading conferences like Black Hat, RSA, and DEF CON. The Labs team is also an active contributor to the MITRE ATT&CK® framework. The latest example of this original research and partnering with a security vendor is the discovery of a potentially exploitable generic bypass in the Cortex XDR agent’s Anti-Ransomware Protection module by Itay Migdal, a SafeBreach Labs researcher. 

Due to his passion for threat intelligence, malware analysis, and red teaming, Itay was able to discover that a non-admin Windows user could leverage this bypass to reduce the overall effectiveness of the Anti-Ransomware Protection module. This discovery was immediately reported to Palo Alto Networks, and they released advisory PAN-SA-2022-003 to warn and protect any customers using the Cortex XDR agents with a content update earlier than CU-610.

It is important to note that if this discovery had been made by malicious threat actors, they could have leveraged it to affect millions of Cortex XDR agents around the world. Due to this risk, we have decided not to share the technical details of this bypass at this time as a precautionary measure for unpatched XDR agents. 

Congratulations Itay Migdal and the SafeBreach Labs team for their commitment to ensuring organizational security–one exploit, TTP, and IOC at a time!

Additional SafeBreach Labs Resources: 

Get the latest
research and news