BlackBerry Cylance tricked into failing to detect Malware [UPDATED]

UPDATE: BlackBerry Cylance issued the following statement.

BlackBerry Cylance is aware that a bypass has been publicly disclosed by security researchers. We have verified there is an issue with CylancePROTECT which can be leveraged to bypass the anti-malware component of the product.

Our research and development teams have identified a solution and will release a hotfix automatically to all customers running current versions in the next few days.

More information will be provided as soon as it is available.


Security researchers in Australia claim to have tricked BlackBerry’s AI-based Cylance Protect into failing to detect dangerous forms of malware.

Using a “global bypass method”, involving simply taking strings from a non-malicious file and appending them to a malicious one, researchers at Skylight Cyber were able to get the system to identify malware as “goodware”.

“AI applications in security are clear and potentially useful. However AI-based products offer a new and unique attack surface.”

“Namely, if you could truly understand how a certain model works, and the type of features it uses to reach a decision, you would have the potential to fool it consistently, creating a universal bypass.”

According to the researchers, they identified “a peculiar bias towards a specific game” after conducting an analysis of the system.

“Combining an analysis of the feature extraction process, its heavy reliance on strings, and its strong bias for this specific game, we are capable of crafting a simple and rather amusing bypass.”

They added that by appending a selected list of strings to a malicious file, they could change its score significantly to avoid detection:

“This method proved successful for 100 per cent of the top 10 Malware for May 2019, and close to 90 per cent for a larger sample of 384 malware.”

To test their method, the researchers uploaded a list of the top 10 malware, published by the Center for Internet Security. The “staggering” results show that negative scores were turned to positive, meaning some of the most dangerous forms of malware were able to escape detection.

They didn’t just run the files against the static Cylance program – they executed the malicious files on a virtual machine with Cylance PROTECT running on it, to see if it would catch the malicious files in action.

The theory was that even if the product was tricked by the strings, the malicious action of the file would still be detected by Cylance, but it wasn’t.
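The failure mode described above (a scorer that leans heavily on string features can be pushed from a negative to a positive score by appending strings copied from a benign file) can be illustrated with a toy model. The following is an added example, not code from the article, from Skylight Cyber, or from BlackBerry Cylance; the feature weights, the sample "malicious" and "benign" strings, and the threshold are all constructed for illustration and bear no relation to the real product's model or to the string list the researchers used. It also shows one defensive design choice: a monotonic scorer in which only malicious indicators carry weight, so that adding content to a file can never lower its score.

```python
"""Toy string-feature scorer showing why appended benign strings can flip a verdict,
and a monotonic variant that is immune to that shift.  All weights and samples are
constructed for illustration; none of this reflects any real product's model."""
import re

# Constructed per-string weights: negative = malicious indicator, positive = benign indicator.
WEIGHTS = {
    "GetProcAddress": -2.0,
    "VirtualAlloc": -2.5,
    "CreateRemoteThread": -3.0,
    "Direct3D": 1.5,
    "OpenGL": 1.0,
    "LevelLoader": 1.0,
    "Copyright": 0.5,
}
THRESHOLD = 0.0  # score below this => "malicious" (constructed)

# Constructed sample inputs: printable strings separated by NUL bytes, as in a real binary.
MALICIOUS_SAMPLE = b"\x00".join([b"GetProcAddress", b"VirtualAlloc", b"CreateRemoteThread"])
BENIGN_STRINGS = [b"Direct3D", b"OpenGL", b"LevelLoader", b"Copyright"]


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes (a minimal 'strings')."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def naive_score(data: bytes) -> float:
    """Linear sum over every extracted string; benign strings cancel malicious ones,
    and repeated strings count repeatedly, so appended data moves the score freely."""
    return sum(WEIGHTS.get(s, 0.0) for s in extract_strings(data))


def monotonic_score(data: bytes) -> float:
    """Only malicious indicators carry weight, each counted once.  Appending anything
    can add malicious evidence but can never remove it, so a benign overlay has no effect."""
    seen = {s for s in extract_strings(data) if WEIGHTS.get(s, 0.0) < 0}
    return sum(WEIGHTS[s] for s in seen)


def verdict(score: float) -> str:
    return "malicious" if score < THRESHOLD else "benign"


def append_strings(data: bytes, strings: list, repeats: int = 1) -> bytes:
    """Simulate appending a block of strings to the end of a file (NUL-separated)."""
    block = b"\x00" + b"\x00".join(strings)
    return data + block * repeats


def demo() -> dict:
    """Score the constructed sample before and after appending benign strings."""
    results = {}
    for repeats in (0, 1, 2):
        sample = append_strings(MALICIOUS_SAMPLE, BENIGN_STRINGS, repeats)
        results[repeats] = {
            "naive": (naive_score(sample), verdict(naive_score(sample))),
            "monotonic": (monotonic_score(sample), verdict(monotonic_score(sample))),
        }
    return results


if __name__ == "__main__":
    for repeats, scores in demo().items():
        print(f"benign block appended {repeats}x: naive={scores['naive']}  monotonic={scores['monotonic']}")
```

With the constructed weights the naive scorer reads the original sample at -7.5 (malicious), -3.5 after one appended block, and +0.5 (benign) after two, while the monotonic scorer stays at -7.5 throughout. The point for a defender is the second scorer's property rather than its crude form: if a model lets benign-looking features outvote malicious ones, an attacker only needs to find which benign features the model over-trusts, which is exactly the bias the researchers report exploiting. A behavioural layer that is independent of the static score is the other complement the article points at.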

They concluded:

“We are always amused to see the shock on people’s faces when you tell them that the new security toy they spent millions of dollars buying and integrating can be bypassed.

“The same goes for new silver bullets, like AI-based security. We are anything but surprised with the results, and we are confident that the same type of process can be applied to other pure AI vendors to achieve similar results.”

Full technical details are available here.

Via Vice Cylance
