During a recent engagement, threat actors exploited a flaw in SentinelOne's agent upgrade process to disable endpoint protection and deploy the Babuk ransomware. They ran the legitimate SentinelOne installer and then forcibly terminated its msiexec.exe process after it had stopped the EDR services but before it had installed the new version, leaving the devices entirely unprotected. With the EDR agent offline, the adversaries executed their ransomware payload and encrypted critical systems and data without detection. The breach caused widespread operational disruption, substantial remediation costs, potential data loss, and significant downtime, as affected devices had to be restored from backups or rebuilt. The incident also exposed gaps in default security configurations, prompting urgent customer communications and rapid policy updates. Although SentinelOne issued mitigations and informed other major EDR vendors, impacted organizations still faced ransom negotiations, legal and regulatory scrutiny, and damage to customer trust and corporate reputation. The event underscores the importance of enabling Online Authorization for local agent upgrades, so that an upgrade cannot be used to bypass endpoint defenses and the integrity of the agent is preserved.
"id": "job000050625",
"linkid": "jobs",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"