Skylight Cyber recently announced they’d found a pretty major vulnerability in CylancePROTECT that allows malware to trick the program’s software ranking system. This vulnerability effectively allows the malware to work around any level of protection Cylance might provide, all because of a few added lines of code.
Woof, that’s some heavy stuff. Let’s break it down:
What’s the exploit?
Long story short, Skylight Cyber found that by attaching safe bits of code to known malicious software it could trick Cylance’s ranking system into allowing the malware to run.
You can read more about what they discovered on their blog (which I linked to above, but in case you missed it, here it is again: https://skylightcyber.com/2019/07/18/cylance-i-kill-you/)
What’s the fix?
Cylance has announced a three-pronged solution.
- They’ve added anti-tampering controls to the parser in order to detect manipulation and prevent it from influencing the model score
- They’ve strengthened the model to detect when certain features become proportionally overweight
- They’ve removed the features in the model that were most susceptible to tampering
Those updates have already been pushed to the cloud-based scoring model, and a new software agent will be rolled out within the next few days.
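To make the second and third prongs concrete, here is a small added illustration (not Cylance’s code, and not Skylight Cyber’s; the feature names, weights, caps and three sample feature vectors are all constructed for this example). A toy linear scorer sums weighted feature counts; an unbounded “benign-looking” count feature can drag the score positive on its own, which is the kind of skew the post describes. The hardened verdict applies two defensive checks that mirror the announced fixes: it caps how much credit a tamper-prone count feature can earn, and it flags a verdict as suspicious when it would only come out benign because one feature group supplies an abnormally large share of the positive evidence while strong malicious evidence is also present.

```python
"""Toy model showing why a single proportionally overweight feature is a risk,
and two defensive checks against it. Everything here is constructed for
illustration; none of it reflects a real vendor's model or feature set."""

# Hypothetical feature weights: positive values lean benign, negative lean malicious.
WEIGHTS = {
    "known_good_strings": 0.02,   # credit per benign-looking string (unbounded count)
    "signed_binary": 3.0,         # 1 if the file carries a valid signature
    "suspicious_imports": -1.5,   # per flagged import
    "packed_sections": -2.0,      # per packed section
    "writes_autorun": -2.5,       # 1 if the file installs persistence
}

# Maximum total credit a tamper-prone count feature may contribute (constructed value).
CAPS = {"known_good_strings": 1.0}

# Constructed sample feature vectors.
CLEAN_SAMPLE = {"known_good_strings": 40, "signed_binary": 1}
MALICIOUS_SAMPLE = {"known_good_strings": 5, "suspicious_imports": 3,
                    "packed_sections": 1, "writes_autorun": 1}
# Same malicious features, but with a very large count of benign-looking strings.
PADDED_SAMPLE = dict(MALICIOUS_SAMPLE, known_good_strings=600)


def contributions(features):
    """Per-feature weighted contribution; absent features count as zero."""
    return {k: w * features.get(k, 0) for k, w in WEIGHTS.items()}


def raw_score(features):
    """Unbounded linear score: the naive model."""
    return sum(contributions(features).values())


def naive_verdict(features):
    return "benign" if raw_score(features) > 0 else "malicious"


def capped_score(features):
    """Score with per-feature credit caps, so no single count feature can dominate."""
    total = 0.0
    for k, c in contributions(features).items():
        if k in CAPS:
            c = min(c, CAPS[k])
        total += c
    return total


def overweight_group(features, max_share=0.7):
    """Return the name of a feature group that is proportionally overweight, or None.

    A group is overweight when the naive verdict would be benign, malicious
    evidence is present, and that one group supplies more than `max_share`
    of all positive (benign-leaning) contribution.
    """
    contrib = contributions(features)
    positives = {k: c for k, c in contrib.items() if c > 0}
    negative_total = sum(c for c in contrib.values() if c < 0)
    if not positives or negative_total == 0 or raw_score(features) <= 0:
        return None
    name, credit = max(positives.items(), key=lambda kv: kv[1])
    share = credit / sum(positives.values())
    return name if share > max_share else None


def hardened_verdict(features):
    """Verdict after both checks: overweight detection, then capped scoring."""
    if overweight_group(features) is not None:
        return "suspicious"
    return "benign" if capped_score(features) > 0 else "malicious"


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SAMPLE), ("malicious", MALICIOUS_SAMPLE),
                          ("padded", PADDED_SAMPLE)]:
        print(f"{label:>9}: naive={naive_verdict(sample):<9} "
              f"hardened={hardened_verdict(sample):<10} "
              f"overweight={overweight_group(sample)}")
```

The padded sample is the interesting case: the naive score turns positive purely because one unbounded feature grew, while the capped score stays negative and the share check names the offending group. A genuinely clean signed binary is not flagged, because there is no malicious evidence for the benign credit to be offsetting. Real models have many more features and non-linear scoring, but the same two questions apply to any of them: is any input feature unbounded, and can one feature alone flip the verdict?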
Cylance also recommends that customers:
- Follow the least privilege model; control privileged account elevation
- Ensure the latest versions of BlackBerry-Cylance-related products are installed
- Enable CylancePROTECT Memory Protection and Script Control in Block/Terminate mode
Responsible vs. Irresponsible Reporting
Ultimately, there’s no end-all-be-all super product in the world of Information Security. There just isn’t. You can’t load up on one solution and think you’re safe. These products have holes that are sometimes found right away and sometimes months or even years after launch.
Security researchers, like Skylight Cyber, go through these products with a fine-tooth comb and try to discover what vulnerabilities they might have.
Where most researchers contact a company directly and inform them of these holes, giving the publisher an opportunity to close them before the vulnerability is announced to the public, Skylight Cyber seemed to do it in reverse.
We believe that’s the wrong way to go about things, as it puts multiple people who use the product at risk.
To get a better understanding of the situation I reached out to Adi Ashkenazy, Skylight Cyber’s CEO to find out what went down on their end and if they had approached Cylance before going public with the vulnerability.
“We did not consider this to be a software vulnerability (on which we would have reported), rather a passive bypass,” Ashkenazy said when I spoke to him yesterday via LinkedIn Messenger. “In any event, to avoid harm to any of Cylance’s customers, we did not make the information required to actually create the bypass of Cylance public.”
Ashkenazy said Skylight Cyber’s ultimate goal wasn’t to tear down Cylance, but rather to disprove the notion that Artificial Intelligence or Machine Learning is the silver bullet it’s made out to be by those in the industry.
As for why they chose Cylance? Ashkenazy said Skylight Cyber considered Cylance best in its class among the variety of next-gen endpoint protection products on the market today, but that he still believed Artificial Intelligence/Machine Learning wasn’t the end-all answer to everyone’s problems.
“I think they (Cylance) are generally doing a good job in terms of their product engineering and how they use ML for security purposes,” he said. “I have my doubts regarding ‘pure’ AI products, as I think they are throwing down the drain years of hard lessons learned in the fight against malware, which is why I think a hybrid approach is preferable.”
When asked if Skylight Cyber would continue their tests on other next-gen endpoint products, Ashkenazy said he was unsure.
“We focus our research on areas that we think are relevant and interesting to the industry and ourselves. Our objective was to show how the ML model itself can become part of the attack surface, and how an attacker may use that to craft a bypass. Since we were capable of showing that quite clearly, we may stop here.”
Is Cylance still safe to use? Yes. Just make sure you update your endpoints once the new version has been released. Everyone here at Security7 is waiting and willing to help you do that if/when the need arises.
We’re fans of Cylance and know these things happen. There’s no “silver-bullet” solution, like Skylight Cyber says in their blog article. They’re absolutely correct. It’s why we use a multi-layered approach here at Integris. The issue we have with the whole situation (not with either party in general) is whether or not the vulnerability was disclosed in the correct manner.
Integris reached out to Cylance for comment on this matter. They did not respond to our request in time for publishing. If they do, this story will be updated to include their input.