Ethical Hacking News

New 'Bring Your Own Installer (BYOI)' technique reveals vulnerabilities in popular EDR software



In a significant discovery, researchers have identified a new "Bring Your Own Installer" (BYOI) technique that allows attackers to bypass the anti-tamper protections of popular Endpoint Detection and Response (EDR) software. This vulnerability in SentinelOne EDR leaves endpoints completely unprotected, making it easier for attackers to deploy malware and gain unauthorized access to sensitive data.

  • Researchers at Stroz Friedberg discovered a "Bring Your Own Installer" (BYOI) technique that bypasses anti-tamper protections in popular Endpoint Detection and Response (EDR) software, specifically SentinelOne EDR.
  • The BYOI technique exploits a flaw in the upgrade process of SentinelOne EDR, leaving endpoints unprotected and allowing malware deployment.
  • The vulnerability is due to disabled local upgrade/downgrade authorization, which allows attackers to interrupt the upgrade process and leave the system vulnerable.
  • The implications are significant, as many organizations rely on EDR software for endpoint security needs, and this vulnerability can be used to gain unauthorized access to sensitive data.
  • Stroz Friedberg has alerted SentinelOne about the vulnerability, and users of EDR software should take proactive steps to protect themselves from such attacks.



In a recent discovery made by cybersecurity firm Stroz Friedberg, researchers have identified a new "Bring Your Own Installer" (BYOI) technique that allows attackers to bypass the anti-tamper protections of popular Endpoint Detection and Response (EDR) software. The BYOI technique exploits a flaw in the upgrade process of SentinelOne EDR, leaving endpoints completely unprotected and paving the way for malware deployment.



    The incident was uncovered while investigating an attack where a threat actor gained local administrative access and bypassed the anti-tamper code without using any malicious driver files. Forensic analysis showed rapid version changes, installer file use, and event log entries tied to EDR tampering, indicating that the attackers had successfully exploited the vulnerability in the SentinelOne upgrade process.



    According to Stroz Friedberg, the bypass was possible due to disabled local upgrade/downgrade authorization, which allowed attackers to interrupt the upgrade process at a critical juncture, leaving the system vulnerable to malware deployment. The researchers confirmed that this technique could be applied to any version of SentinelOne EDR software.



    The vulnerability in question is related to how SentinelOne handles its own upgrades and maintenance. Windows uses its built-in Windows Installer, msiexec.exe, to install new versions of applications such as the SentinelOne agent, and the agent's own protections can override or interfere with these updates. In this case, attackers used admin rights to kill the Windows Installer process mid-upgrade, leaving the system hanging without any protection.
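As an added defender-side illustration (not code from the article, from Stroz Friedberg or from SentinelOne), the following Python correlates constructed process-telemetry records to flag an msiexec.exe run that launched the agent's installer package and ended without ever logging a completion record, which is the "interrupted upgrade" pattern the forensic findings above describe. The record format, the installer file names and the `SentinelAgent` naming pattern are assumptions for the example.

```python
# Constructed, simplified process-telemetry records (not real EDR or Windows event logs).
# Each record: (timestamp_seconds, event, pid, image, detail)
SAMPLE_EVENTS = [
    (100, "process_start", 4100, r"C:\Windows\System32\msiexec.exe", r"/i C:\Temp\SentinelAgent_7_x.msi /quiet"),
    (101, "install_complete", 4100, r"C:\Windows\System32\msiexec.exe", "SentinelAgent 7.x"),
    (102, "process_end", 4100, r"C:\Windows\System32\msiexec.exe", "exit=0"),
    (200, "process_start", 4200, r"C:\Windows\System32\msiexec.exe", r"/i C:\Temp\SentinelAgent_8_x.msi /quiet"),
    (203, "process_end", 4200, r"C:\Windows\System32\msiexec.exe", "exit=1"),   # installer killed mid-upgrade
    (300, "process_start", 4300, r"C:\Windows\System32\msiexec.exe", r"/i C:\Temp\notepad_plus.msi"),
    (305, "process_end", 4300, r"C:\Windows\System32\msiexec.exe", "exit=1"),   # unrelated, non-EDR failure
]

# Assumed naming pattern for the agent's MSI package; adjust to the real package name.
EDR_INSTALLER_MARKER = "sentinelagent"


def find_interrupted_edr_installs(events):
    """Return one finding per msiexec run that launched an EDR installer package
    and ended before any install_complete record was logged for that PID.
    Runs that are still in progress (no process_end yet) are not flagged."""
    edr_runs = {}      # pid -> start timestamp of an EDR installer run
    completed = set()  # pids whose install finished normally
    findings = []
    for ts, event, pid, image, detail in sorted(events):
        is_msiexec = image.lower().endswith("msiexec.exe")
        if event == "process_start" and is_msiexec and EDR_INSTALLER_MARKER in detail.lower():
            edr_runs[pid] = ts
        elif event == "install_complete" and pid in edr_runs:
            completed.add(pid)
        elif event == "process_end" and pid in edr_runs and pid not in completed:
            findings.append({"pid": pid, "started": edr_runs[pid], "ended": ts, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in find_interrupted_edr_installs(SAMPLE_EVENTS):
        print(f"interrupted EDR upgrade: pid={f['pid']} "
              f"ran {f['ended'] - f['started']}s, {f['detail']}")
```

In practice the same correlation would be fed from real process-creation and termination telemetry, and a hit should be paired with a check that the agent service is actually running afterwards.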



    The implications of this discovery are significant, as many organizations rely on EDR software for their endpoint security needs. By exploiting vulnerabilities in popular EDR software like SentinelOne, attackers can gain unauthorized access to sensitive data and wreak havoc on an organization's systems.



    Stroz Friedberg has alerted SentinelOne, the company behind the EDR software, about this vulnerability, and SentinelOne has promptly responded with guidance for mitigating the issue. However, it is essential that users of EDR software take proactive steps to protect themselves from such attacks.



    Organizations can use online resources and security best practices to stay informed about emerging vulnerabilities like BYOI techniques. By staying vigilant and taking necessary precautions, they can reduce their exposure to such threats and maintain the integrity of their systems.





    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Bring-Your-Own-Installer-BYOI-technique-reveals-vulnerabilities-in-popular-EDR-software-ehn.shtml

  • https://securityaffairs.com/177494/hacking/new-bring-your-own-installer-byoi-technique-allows-to-bypass-edr.html


    Published: Tue May 6 05:13:38 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.