A new EDR bypass technique known as “Bring Your Own Installer” targets SentinelOne’s tamper protection, enabling ransomware attackers to disable endpoint defenses and deploy Babuk ransomware. This vulnerability exploits the agent upgrade process, creating a gap that leaves devices unprotected. SentinelOne advises customers to enable “Online Authorization” to mitigate this threat.

Affected: SentinelOne

Key points:
- A new attack technique allows threat actors to bypass SentinelOne’s endpoint detection and response (EDR) protections.
- The attack exploits a vulnerability during the agent upgrade process, enabling attackers to terminate running EDR agents.
- SentinelOne recommends enabling the “Online Authorization” setting to prevent unauthorized changes to the agent.
- The attack was identified by Stroz Friedberg during an investigation of a ransomware incident affecting a customer.
- Threat actors can use multiple versions of the SentinelOne agent for this attack, leaving systems vulnerable even with the latest software.
- SentinelOne has shared mitigation strategies with other EDR vendors and confirmed that this specific issue does not affect Palo Alto Networks’ software.