
A sophisticated attack technique known as “Bring Your Own Installer” (BYOI) has been employed by threat actors to bypass SentinelOne’s tamper protection, facilitating the deployment of Babuk ransomware. This method leverages legitimate installers to execute malicious payloads, effectively evading endpoint detection and response (EDR) mechanisms. Continue reading this Cybersecurity Threat Advisory to learn how to protect your endpoint devices.
What is the threat?
The BYOI technique exploits the SentinelOne agent’s upgrade/downgrade process when “online authorization” is disabled. After gaining local administrative privileges on the target endpoint through a vulnerability or exploit, the attacker executes a legitimate SentinelOne installer of a different version. This action triggers the Windows Installer (msiexec.exe) to start the upgrade or downgrade process. During the brief period when the old SentinelOne processes are terminated and the new version’s processes have not fully initialized, the attacker forcefully terminates the msiexec.exe process using tools like the taskkill command. As a result, the endpoint is left without active SentinelOne protection. With the EDR disabled, the threat actor can execute Babuk ransomware without interference.
Why is it noteworthy?
This technique is effective because it exploits a timing-sensitive window within a legitimate process, utilizing a signed SentinelOne installer. Instead of relying on a specific vulnerability in the traditional sense, it interrupts a legitimate system operation at a critical moment. Testing has demonstrated that this bypass is successful across multiple versions of the SentinelOne agent when local upgrades and downgrades are permitted.
What is the exposure or risk?
The most immediate risk is the complete disabling of the endpoint’s primary defense mechanism, which leaves it vulnerable to various threats, including ransomware. The successful deployment of Babuk ransomware can result in data encryption and exfiltration, system downtime, and potential financial losses due to ransom demands.
What are the recommendations?
Barracuda recommends the following actions to secure your endpoints against the BYOI bypass:
- Enable “Online Authorization” for SentinelOne agent upgrades/downgrades found in the Sentinel’s Policy menu in the management console.
- Enable tamper protection logs and alert on agent stoppages.
- Maintain up-to-date backups and ensure they are stored offline or in a secure, isolated environment.
- Regularly update and patch systems to close known vulnerabilities that could be exploited.
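The second recommendation, alerting on agent stoppages, can be made concrete as a correlation rule over process-creation telemetry. The following is an added example written for this advisory; it is not Barracuda's or SentinelOne's code. It assumes a constructed pipe-delimited log format (time, host, PID, image, command line), a 120-second correlation window, and sample events invented for the demonstration. It flags the sequence the advisory describes: msiexec.exe launching a SentinelOne agent installer on a host, followed shortly by a forced taskkill of that msiexec.exe, which is the moment the endpoint is left unprotected.

```python
"""Correlation rule for the BYOI pattern described in the advisory: a
SentinelOne installer launched via msiexec.exe followed, within a short
window on the same host, by a forced kill of that msiexec.exe.  The log
format and every sample event below are constructed for this example."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ProcessEvent:
    time: datetime
    host: str
    pid: int
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed record: time|host|pid|image|command_line."""
    time, host, pid, image, cmd = line.split("|", 4)
    return ProcessEvent(datetime.fromisoformat(time), host, int(pid), image.lower(), cmd)


def load_events(text: str) -> List[ProcessEvent]:
    return [parse_event(line) for line in text.strip().splitlines() if line.strip()]


def is_agent_installer_msiexec(ev: ProcessEvent) -> bool:
    """msiexec.exe running an installer whose path names the SentinelOne agent."""
    return ev.image.endswith("msiexec.exe") and "sentinel" in ev.command_line.lower()


def is_forced_msiexec_kill(ev: ProcessEvent, msiexec_pid: int) -> bool:
    """taskkill.exe with /f aimed at msiexec.exe, by image name or by PID."""
    if not ev.image.endswith("taskkill.exe"):
        return False
    cmd = ev.command_line.lower()
    targets_msiexec = "msiexec" in cmd or f"/pid {msiexec_pid}" in cmd
    return targets_msiexec and "/f" in cmd.split()


def detect_byoi(events: List[ProcessEvent],
                window: timedelta = timedelta(seconds=120)) -> List[Dict]:
    """Return one alert per installer launch that is force-killed within `window`."""
    by_host: Dict[str, List[ProcessEvent]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not is_agent_installer_msiexec(start):
                continue
            for later in evs[i + 1:]:
                if later.time - start.time > window:
                    break  # per-host list is time-ordered, nothing later can match
                if is_forced_msiexec_kill(later, start.pid):
                    alerts.append({
                        "host": host,
                        "installer_pid": start.pid,
                        "seconds_between": int((later.time - start.time).total_seconds()),
                        "installer_cmd": start.command_line,
                        "kill_cmd": later.command_line,
                    })
                    break
    return alerts


# Constructed sample telemetry (not real data). WS-01 is a clean upgrade,
# WS-02 matches the pattern, WS-03 is an unrelated taskkill, WS-04 kills
# msiexec by PID but 20 minutes later, outside the default window.
SAMPLE_LOG = r"""
2025-05-06T09:00:00|WS-01|4120|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Temp\SentinelInstaller_EXAMPLE.msi /quiet
2025-05-06T09:03:10|WS-01|5010|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2025-05-06T09:15:00|WS-02|3308|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\Public\SentinelInstaller_EXAMPLE.msi /quiet
2025-05-06T09:15:42|WS-02|3350|C:\Windows\System32\taskkill.exe|taskkill /f /im msiexec.exe
2025-05-06T10:00:00|WS-03|2200|C:\Windows\System32\taskkill.exe|taskkill /f /im notepad.exe
2025-05-06T11:00:00|WS-04|2900|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Temp\SentinelInstaller_EXAMPLE.msi /quiet
2025-05-06T11:20:00|WS-04|2950|C:\Windows\System32\taskkill.exe|taskkill /f /pid 2900
"""

if __name__ == "__main__":
    for alert in detect_byoi(load_events(SAMPLE_LOG)):
        print(f"[BYOI candidate] {alert['host']}: msiexec pid {alert['installer_pid']} "
              f"killed after {alert['seconds_between']}s -> {alert['kill_cmd']}")
```

With the default window only WS-02 fires; widening the window to 30 minutes also surfaces WS-04, where msiexec was killed by PID rather than by image name. In a real deployment this rule should sit alongside the tamper-protection and agent-stopped alerts the advisory recommends, since a legitimate but failed upgrade can look similar from process telemetry alone.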
How can Barracuda Managed XDR assist?
Barracuda Managed XDR utilizes the SentinelOne agent as its endpoint detection and response (EDR) tool. We have globally enabled Online Authorization for all accounts we manage on behalf of our partners and customers. We strongly recommend that all organizations using SentinelOne activate this feature to enhance their security.
References
For more in-depth information about the threat, please visit the following links:
- https://www.bleepingcomputer.com/news/security/new-bring-your-own-installer-edr-bypass-used-in-ransomware-attack/
- https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.