A novel cyberattack technique named “Bring Your Own Installer” has been identified, exploiting vulnerabilities within SentinelOne’s Endpoint Detection and Response (EDR) product. Uncovered by Stroz Friedberg, part of Aon, this method bypasses the EDR’s anti-tamper features during system upgrades or downgrades. By exploiting misconfigured settings, attackers gain local admin access, allowing them to deploy Babuk ransomware effectively.
Researchers discovered that during the SentinelOne installation process, a critical flaw leaves the EDR's processes terminated for 55 seconds, creating a window for attackers. Using local administrative rights, criminals can interrupt the upgrade process at that point, leaving the EDR switched off and allowing them to introduce malware into the system. This vulnerability poses significant risk by leaving systems unprotected at a crucial moment.
In response, SentinelOne has issued an advisory and updated its software to include a Local Upgrade Authorization toggle, restricting local upgrades and downgrades by default for new customers. They shared this solution with other EDR vendors, promoting widespread protection against similar threats. Initial tests by Stroz Friedberg have shown this new feature effectively counteracts the bypass tactic.
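The 55-second window described above is also something a defender can watch for in endpoint telemetry while the Local Upgrade Authorization setting is being rolled out. The following is an added detection sketch, not code from SentinelOne or Stroz Friedberg: it replays constructed process start/stop events and flags an agent outage that outlives the installer's normal window, or any process launched while the agent is down. The process names, the CSV event format and the sample events are assumptions for illustration.

```python
from datetime import datetime, timedelta

AGENT = "SentinelAgent.exe"    # assumed name of the EDR agent process
INSTALLER = "msiexec.exe"      # assumed host process of the installer
GRACE = timedelta(seconds=55)  # benign termination window reported in the article

# Constructed sample telemetry (not real SentinelOne logs): "timestamp,event,process"
SUSPICIOUS_EVENTS = """\
2025-05-01T10:00:00,start,msiexec.exe
2025-05-01T10:00:05,stop,SentinelAgent.exe
2025-05-01T10:00:20,stop,msiexec.exe
2025-05-01T10:00:30,start,unknown_payload.exe
2025-05-01T10:02:00,start,SentinelAgent.exe
"""

# Constructed benign upgrade: agent is back within the grace window, nothing else runs
BENIGN_EVENTS = """\
2025-05-01T11:00:00,start,msiexec.exe
2025-05-01T11:00:05,stop,SentinelAgent.exe
2025-05-01T11:00:30,start,SentinelAgent.exe
2025-05-01T11:00:40,stop,msiexec.exe
"""

def parse_events(text):
    """Parse 'timestamp,event,process' lines into sorted (datetime, event, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event, proc = line.split(",")
        events.append((datetime.fromisoformat(ts), event, proc))
    return sorted(events)

def find_agent_gaps(events, grace=GRACE):
    """Return alert strings for agent outages after an installer run that exceed
    the grace window, and for processes started while the agent is down."""
    alerts = []
    installer_seen = None    # time the installer last started
    agent_down_since = None  # time the agent stopped after an installer run
    for ts, event, proc in events:
        if proc == INSTALLER and event == "start":
            installer_seen = ts
        elif proc == AGENT and event == "stop" and installer_seen is not None:
            agent_down_since = ts
        elif proc == AGENT and event == "start" and agent_down_since is not None:
            outage = int((ts - agent_down_since).total_seconds())
            if outage > grace.total_seconds():
                alerts.append(f"agent down {outage}s after installer run (limit {int(grace.total_seconds())}s)")
            agent_down_since = None
        elif event == "start" and agent_down_since is not None and proc != INSTALLER:
            alerts.append(f"process {proc} started while agent down at {ts.isoformat()}")
    if agent_down_since is not None:
        alerts.append("agent never restarted after installer-triggered stop")
    return alerts
```

The check is deliberately coarse: a real deployment would key on the agent's actual process names and the vendor's installer signature rather than on a generic installer host.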
This incident underscores the evolving nature of cyber threats and the critical need for timely system updates and configurations. SentinelOne’s collaborative approach highlights industry efforts to address shared risks, emphasizing the importance of continuous vigilance and adaptation in cybersecurity.