Alert Essentials:

Threat groups are continuing to develop bypasses for endpoint protections. Perform endpoint vulnerability assessments on EDR tools and educate staff on responding to threats.


Detailed Threat Description:

Reports were recently released that analyze ‘Bring your own installer,’ a technique for bypassing SentinelOne’s Endpoint Detection and Response (EDR) agent. An attacker who already holds administrative access on a host runs a legitimate SentinelOne installer and terminates the installation process after it has shut down the existing agent but before the replacement agent is running, leaving the endpoint unprotected. The technique only works where the agent is inadequately configured to accept local upgrades without approval from the management console.
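The sequence described above (installer starts, agent service stops, installer is killed, agent never comes back) is visible in ordinary host telemetry. The following is an added detection example written for this advisory; it is not SentinelOne’s or Fortified’s code. It assumes events have already been normalised into the dict shape shown in sample_events() (a real pipeline would map Sysmon process create/terminate events and the System log’s service state-change events into it), that the agent’s Windows service is logged as “SentinelAgent”, and that the installer runs under msiexec.exe with “SentinelInstaller” in its command line. The sample telemetry is constructed.

```python
"""Flag an installer run that stopped the EDR agent and exited before it came back.

Added example, not vendor code. Assumptions (constructed for illustration):
  * events are dicts with keys ts/type/host plus pid/image/cmdline for process
    events or service/state for service events;
  * the agent service is logged as "SentinelAgent";
  * the installer is msiexec.exe with "SentinelInstaller" in its command line.
"""
from datetime import datetime, timedelta

AGENT_SERVICE = "SentinelAgent"           # assumption: service name as it appears in logs
INSTALLER_IMAGE = "msiexec.exe"
INSTALLER_MARKER = "sentinelinstaller"    # assumption: substring of the MSI file name
RECOVERY_WINDOW = timedelta(seconds=120)  # agent must be running again within this after msiexec exits


def _ts(s):
    return datetime.fromisoformat(s)


def find_installer_gaps(events):
    """Return one alert per installer run that left the agent service stopped.

    Pattern: msiexec (SentinelOne MSI) starts -> SentinelAgent enters 'stopped'
    while msiexec is alive -> msiexec terminates -> no 'running' state for
    SentinelAgent before msiexec exit + RECOVERY_WINDOW.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for ev in events:
        if ev["type"] != "process_create" or ev["image"].lower() != INSTALLER_IMAGE:
            continue
        if INSTALLER_MARKER not in ev["cmdline"].lower():
            continue
        start, pid = ev["ts"], ev["pid"]
        # Find when this installer process exited (same pid, after it started).
        end = next((e["ts"] for e in events
                    if e["type"] == "process_terminate" and e["pid"] == pid and e["ts"] >= start),
                   None)
        if end is None:
            continue  # installer still running; nothing to judge yet
        # Did the agent service stop while the installer was alive?
        stops = [e["ts"] for e in events
                 if e["type"] == "service_state" and e["service"] == AGENT_SERVICE
                 and e["state"] == "stopped" and start <= e["ts"] <= end]
        if not stops:
            continue  # installer never took the agent down
        # Was the agent running again before the installer exit plus the grace window?
        recovered = any(e["type"] == "service_state" and e["service"] == AGENT_SERVICE
                        and e["state"] == "running" and stops[0] < e["ts"] <= end + RECOVERY_WINDOW
                        for e in events)
        if not recovered:
            alerts.append({"host": ev["host"], "pid": pid, "installer_started": start,
                           "agent_stopped": stops[0], "installer_exited": end,
                           "reason": "agent stopped by installer and not restarted"})
    return alerts


def sample_events(bypass):
    """Constructed telemetry for one host.

    bypass=True: msiexec is killed one second after the agent stops (the BYOI pattern).
    bypass=False: a normal upgrade where the new agent is running before msiexec exits.
    """
    h = "WS-042"
    ev = [
        {"host": h, "ts": _ts("2025-05-06T10:00:00"), "type": "process_create", "pid": 4100,
         "image": "msiexec.exe", "cmdline": "msiexec.exe /i SentinelInstaller_x64.msi /q"},
        {"host": h, "ts": _ts("2025-05-06T10:00:07"), "type": "service_state",
         "service": AGENT_SERVICE, "state": "stopped"},
    ]
    if bypass:
        ev.append({"host": h, "ts": _ts("2025-05-06T10:00:08"), "type": "process_terminate",
                   "pid": 4100, "image": "msiexec.exe"})
    else:
        ev += [
            {"host": h, "ts": _ts("2025-05-06T10:00:40"), "type": "service_state",
             "service": AGENT_SERVICE, "state": "running"},
            {"host": h, "ts": _ts("2025-05-06T10:00:45"), "type": "process_terminate",
             "pid": 4100, "image": "msiexec.exe"},
        ]
    return ev


if __name__ == "__main__":
    for label, flag in (("bypass", True), ("normal upgrade", False)):
        print(label, "->", find_installer_gaps(sample_events(flag)))
```

The recovery window is the tuning knob: too short and slow upgrades on busy hosts alert, too long and the host sits unprotected before anyone looks. A console-side check (agent last seen versus expected) is a useful complement, since an attacker who kills the installer also removes the source of the host’s own telemetry after that point.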

EDR systems are essential to modern cybersecurity strategies. They collect and analyze data from endpoints to identify suspicious activities and offer real-time threat visibility.

CISA revealed that multiple ransomware gangs are mastering EDR bypass tactics. Malware developers and cybercriminals employ various methods to create and distribute malware that can evade detection by EDR programs, allowing them to compromise systems, steal sensitive information, or launch other malicious activities.

Other endpoint protection products have been affected by similar weaknesses. A flaw in CrowdStrike’s Falcon Sensor, initially disclosed in 2023, allowed attackers to suspend the sensor’s processes, enabling malicious software to execute undetected. CrowdStrike dismissed the ‘Sleeping Beauty’ technique as a detection gap rather than a vulnerability, but quietly implemented fixes that prevent process suspension earlier this spring.

While the SentinelOne bypass can be mitigated by enabling the ‘Online Authorization’ setting in the management console, these tactics are evolving. It is therefore crucial for organizations to configure their EDR solutions properly and to keep them updated with the latest fixes.

The Fortified Health Security Engineering Team completed their testing of SentinelOne and implemented policy changes to mitigate this risk for clients. With this mitigation in place, no Fortified client using the SentinelOne service is exposed to this technique.

Companies should periodically conduct an endpoint vulnerability assessment to identify configuration issues and privilege abuse that could lead to a breach. An assessment involves enumerating and scanning all endpoints, prioritizing the identified vulnerabilities by risk, and implementing remediation steps.

Impacts on Healthcare Organizations:

Endpoint protection bypasses expose hospitals to data theft and operational disruption. Medical devices and critical hospital systems could be hijacked, directly threatening patient safety and delaying care. A bypass could also allow the undetected deployment of malicious software or ransomware.

Hospitals can protect against security threats by ensuring all staff know common cyber risks and how to respond. Protecting patient data is everyone’s responsibility, and your actions help keep patients safe.

Engineering Recommendations:

  • For SentinelOne deployments, enable Online Authorization for local upgrades
  • Perform an endpoint coverage and configuration assessment
  • Deploy MFA on, and restrict access to, all remote-access gateways; this EDR bypass still requires an attacker to first obtain privileged access to the host
  • Perform vulnerability scanning with prioritized patch cycles
  • Apply remediation or vendor-recommended workaround actions

Specific to SentinelOne:

  • As much as possible, continue to use the S1 Management Console to upgrade agents on endpoints
  • If local changes are needed, contact our TDC to create a change window allowing the local upgrade requests to process as expected. With Online Authorization enabled, a local upgrade attempted outside such a change window will be rejected
  • If needing emergency changes locally, consider using the command line and the endpoint passphrase to bypass the “Online Authorization” policy

Leadership Recommendations:

  • Where applicable, Fortified has already ensured the recommended protections are in place
  • For those managing their own EDR deployment, consider contacting Fortified Health Security for consultation around this topic

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
