BlackBerry Cylance has prepared an update for its CylancePROTECT product to address a recently disclosed bypass method, but the company has downplayed the impact of the issue.
Australia-based cybersecurity firm Skylight reported last week that its researchers had found a way to trick Cylance’s AI-based antivirus engine into classifying malicious files as benign.
They discovered what they described as a universal bypass method that involved taking strings from a certain video game — Cylance products appeared to give special treatment to files associated with this game — and appending them to known malware.
The researchers claimed they had achieved a success rate of over 83% in tests covering 384 malicious files, including hacking tools such as Mimikatz, ProcessHacker and Meterpreter, and malware such as CoinMiner, Dridex, Emotet, Gh0stRAT, Kovter, Nanobot, Qakbot, Trickbot and Zeus.
Skylight disclosed its findings — some details were not made public to prevent abuse — without giving BlackBerry Cylance the chance to release a patch. The vendor immediately launched an investigation and by Sunday it determined that “the issue was not a universal bypass as reported, but rather a technique that allowed for one of the anti-malware components of the product to be bypassed in certain circumstances.”
“Analyzing a file with machine learning is a multi-stage process. During this process a file is first examined by a parser which extracts artifacts from the file known as features. Features can be any aspect of a file which can be interpreted or measured. These features are then passed to a mathematical algorithm for analysis,” the company explained. “This vulnerability allows the manipulation of a specific type of feature analyzed by the algorithm that in limited circumstances will cause the model to reach an incorrect conclusion.”
In response to the issue, BlackBerry Cylance has made some changes that should detect feature manipulation and tampering attempts. An update has already been made to cloud-based systems and a new agent will be rolled out to customer endpoints over the next few days.
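The two-stage process the company describes (a parser extracting string features, then a model scoring them) and the "detect feature manipulation" change it mentions can be illustrated with a toy model. The following Python is an added example written for this page, not Cylance's code or model: the token vocabularies, the hand-picked weights and the simple length-prefixed container (a stand-in for a PE file's declared sections versus appended overlay data) are all assumptions. It shows how appending benign-looking strings shifts a ratio-based score, and how scoring the declared region and the appended region separately, then comparing the two verdicts, flags the manipulation instead of accepting the shifted score.

```python
"""Toy string-feature classifier plus a region-aware tamper check.

Constructed example: the container format, vocabularies and weights are
illustrative assumptions, not any vendor's real parser or model.
"""
import re
import struct

# Constructed vocabularies.  A real product learns thousands of features;
# these few tokens only stand in for "suspicious" and "benign" string features.
SUSPICIOUS_TOKENS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "IsDebuggerPresent", "cmd.exe /c",
}
BENIGN_TOKENS = {
    "Thank you for playing", "Settings saved successfully",
    "Example Studios", "Press any key to continue",
}

# Printable ASCII runs of at least five bytes, as a minimal "strings" parser.
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")


def extract_features(data: bytes) -> dict:
    """Stage 1: the parser extracts strings and measures them."""
    strings = [s.decode("ascii") for s in STRING_RE.findall(data)]
    n_susp = sum(any(tok in s for tok in SUSPICIOUS_TOKENS) for s in strings)
    n_benign = sum(any(tok in s for tok in BENIGN_TOKENS) for s in strings)
    return {"n_strings": len(strings), "n_suspicious": n_susp, "n_benign": n_benign}


def score(f: dict) -> float:
    """Stage 2: a hand-weighted linear model (assumption).  Returns a value in
    [-1, 1]; positive means benign.  Because the score is a *ratio* over all
    strings, flooding the file with benign strings dilutes the suspicious ones."""
    raw = (f["n_benign"] - 2 * f["n_suspicious"]) / max(f["n_strings"], 1)
    return max(-1.0, min(1.0, raw))


def split_regions(blob: bytes):
    """Constructed container: 4-byte big-endian declared length, then the body.
    Bytes past the declared length are the 'overlay', a stand-in for data
    appended after the last section a real PE header declares."""
    if len(blob) < 4:
        raise ValueError("blob too short to carry a length header")
    declared = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + declared], blob[4 + declared:]


def classify(blob: bytes) -> dict:
    """Score the whole file the naive way, then only the declared region.
    If the verdict flips when appended data is removed and that appended data
    is where the benign evidence lives, report tampering rather than 'benign'."""
    body, overlay = split_regions(blob)
    full = score(extract_features(body + overlay))   # what a file-wide parser sees
    declared = score(extract_features(body))         # declared structure only
    appended = extract_features(overlay)
    if overlay and appended["n_benign"] > 0 and full >= 0 > declared:
        verdict = "tampered"
    else:
        verdict = "benign" if full >= 0 else "malicious"
    return {"verdict": verdict, "score_full": full, "score_declared": declared}


def build(body: bytes, overlay: bytes = b"") -> bytes:
    """Assemble a constructed sample file in the toy container format."""
    return struct.pack(">I", len(body)) + body + overlay


# Constructed sample inputs.
MALICIOUS_BODY = (b"\x00" * 8 + b"CreateRemoteThread\x00WriteProcessMemory\x00"
                  b"VirtualAllocEx\x00cmd.exe /c whoami\x00")
BENIGN_BODY = (b"\x00" * 8 + b"Thank you for playing\x00"
               b"Settings saved successfully\x00Example Studios 2019\x00")
# Twenty benign-looking strings appended as an overlay, the manipulation the
# article describes (here with constructed filler, not any game's strings).
PADDING = b"\x00".join(b"Thank you for playing %d" % i for i in range(20))

if __name__ == "__main__":
    for name, blob in [("malicious", build(MALICIOUS_BODY)),
                       ("benign", build(BENIGN_BODY)),
                       ("malicious+overlay", build(MALICIOUS_BODY, PADDING)),
                       ("benign+overlay", build(BENIGN_BODY, PADDING))]:
        print(name, classify(blob))
```

The naive whole-file score for the padded malicious sample comes out positive (0.5), which is the "incorrect conclusion" the vendor's statement describes; the same file scored on its declared region alone stays at -1.0, and that disagreement is what the check reports. A production implementation would key the split off the real PE section table and overlay, and would treat a flip across regions as one signal among several, since legitimate installers also carry overlay data.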
SecurityWeek has reached out to Skylight to see if it has any comments on Cylance’s assessment.
Skylight noted that it chose Cylance for practical reasons, but believes other AI-based products are also susceptible to these types of attacks.
Related: Remote Code Execution Flaw Found in Kaspersky Products
Related: Check Point ZoneAlarm Flaw Allows Privilege Escalation

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
