Security Researcher Turns Palo Alto’s XDR Solution Into Powerful Malware
Research by security researcher Shmuel Cohen has exposed a concerning weakness in Palo Alto Networks’ extended detection and response (XDR) product, Cortex XDR. Cohen demonstrated how the cybersecurity tool itself can be weaponized and turned into potent malware capable of taking full control of the machines it is installed to protect.
The research, presented at Black Hat Asia, details how Cohen reverse-engineered Cortex and bypassed its security controls. He then repurposed the agent’s highly privileged access to deploy capabilities such as reverse shells and ransomware payloads on targeted systems.
“I thought to myself: Would it be possible to turn an EDR solution itself into malware?” Cohen explained. “I’d take all these things that the XDR has and use them against the user.”
The Double-Edged Sword of XDR
XDR solutions require the highest level of system permissions and visibility to monitor and detect threats across an organization’s IT infrastructure. The same privileged position that lets them secure networks also makes them a potential risk if an attacker gains control of them.
“There is an inescapable devil’s bargain when it comes to using certain kinds of far-reaching security tools,” the article states. “In order for these platforms to do their jobs, they must be granted highly privileged carte blanche access.”
While Palo Alto has patched all but one of the vulnerabilities associated with this exploit, the research raises concerns about similar risks in other XDR platforms that run with equally broad access privileges.
Cohen’s research highlights how the extraordinary power granted to security tools for threat monitoring and response can become a double-edged sword if that capability falls into the wrong hands. Vendors must remain vigilant against these types of attacks, which turn their own defenses against users.