It sounds like a plot hook for a sci-fi thriller: Attackers take over security safeguards and then use the compromised guardians to break into facilities and engage in theft, sabotage or both. But according to some security researchers, this isn’t just a fictional Hollywood scenario. Popular antivirus software used by thousands of enterprises and millions of individual users is potentially vulnerable to attack.

Because these attacks take control of software intended for security protection, the attackers can bypass other protective measures, covering their tracks. They can even use the security tools to do further damage such as infecting other systems. Unlike many threat vectors, these attacks do not depend on end user shortcomings.

Antivirus Software Draws Intelligence Agency Interest

The good news, according to Lucian Constantin at InfoWorld, is that there is no direct evidence — so far — that antivirus solutions have been used in attacks. If such attacks have taken place, they were small in scale and avoided detection. But security researchers warned that such strikes are possible.

Both the U.S. National Security Agency (NSA) and British intelligence agencies are known to have examined popular commercial antivirus software packages to look for ways they could break into systems protected by these packages, The Intercept reported. It stands to reason that other international intelligence agencies, some with reputed ties to cybercrime groups, are also actively examining antivirus software for potential vulnerabilities.

The major cybersecurity firms that market these tools are well aware of the potential risks to and from their products. “Attacks on security researchers and security vendors could be a future trend in information security,” Vyacheslav Zakorzhevsky of Kaspersky Lab told InfoWorld. “However, we do not believe these will be widespread attacks.”

Sed Quis Custodiet Ipsos Custodes?

But who will guard the guards themselves? As this Latin proverb suggests, the security challenges of safeguarding protective systems are not new. In fact, they are inherent in the nature of security measures.

Security guards need passkeys, which means that one way for the bad guys to get hold of those keys is to steal them from a guard. In the same way, security software needs to have access to high-level permissions. In fact, most of the familiar Hollywood tricks for getting past the guards have their cyber equivalents, from simply taking out a guard (disabling the software) to dressing up in a guard uniform and issuing fake instructions (abusing the software’s system permissions).

This basic challenge is inherent to antivirus protections: because the software must parse a wide variety of incoming data and file types, and is built from multiple internal components running with high privileges, it presents a large attack surface. It can be attacked in many ways at many points.

Protecting Against Attacks

Some security researchers questioned whether the whole idea of security based on endpoint protection, which is what antivirus software provides, is obsolete in the modern world of richly interconnected systems. Others may claim that much security software development is flawed because tools are not adequately sandboxed, or protected against unwanted outside interactions.

But it is not clear that sandboxing is practical for complex security packages. They might end up with so much self-protection that it would grind everything to a halt, making them unusable.

Other security researchers argued that antivirus software is just one layer of protection and perhaps more important to individuals and small businesses than to enterprises that have the resources — including human resources — to deploy other types of protective measures. For nearly all users, installing software updates and patches is the single most important security measure.

The fact is that antivirus software is indeed one layer of protection, not a complete security solution in itself. The security risks it poses are not peculiar to those tools but are inherent in any security system powerful enough to protect you. Effective security comes from being proactive, building in multiple levels of protection from the ground up and taking nothing for granted.
