During a recent incident-response engagement, threat actors abused a weakness in SentinelOne's local agent upgrade process to disable endpoint protection and deploy the Babuk ransomware. The attackers, who already held local administrator rights on the host (required to run any MSI installer), ran a legitimate, signed SentinelOne agent installer and then forcefully terminated its msiexec.exe process after it had stopped the running EDR services but before it had installed the new version. That left the device with no agent running at all. With the EDR offline, the adversaries had free rein to execute their ransomware payload, encrypting critical systems and data with nothing left on the host to detect or block it. SentinelOne itself was not breached; the weakness was abused on a customer's endpoints.

The breach caused widespread operational disruption, substantial remediation costs, potential data loss and significant downtime, since affected devices had to be restored from backups or rebuilt. The incident also exposed a gap in the default configuration: the Online Authorization setting, which makes a local upgrade or downgrade wait for approval from the management console before the agent's services are stopped, was not enabled by default. SentinelOne issued mitigations, sent urgent customer communications, pushed rapid policy updates and informed other major EDR vendors, but impacted organizations still faced ransom negotiations, legal and regulatory scrutiny, and damage to customer trust and corporate reputation. The event underscores the importance of enabling Online Authorization for local agent upgrades: the installer involved is genuine and signed, so blocking it by file signature is not an option, and the agent cannot alert on its own services being stopped once they are gone, so the check has to happen before the services stop.
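Because the agent itself goes quiet at the moment it matters, detection of this pattern has to come from telemetry that keeps flowing when the EDR is down (Sysmon and the Windows System log forwarded to a SIEM). The following is an added example, not code from the report or from SentinelOne: it correlates, per host, a Sysmon process-create (EventID 1) of msiexec.exe running a SentinelOne MSI, a System-log service state change (EventID 7036) reporting an EDR service stopped, and the Sysmon process-terminate (EventID 5) for that msiexec process, and raises a finding when no EDR service returns to "running" within a grace period. The killed msiexec process looks like any other process exit, so the missing restart is the signal. It generalises slightly beyond the narrative above: an installer that is killed and one that simply fails after stopping the services both leave the host unprotected and are both flagged. The service names, the installer file name and every sample event below are assumptions and constructed input, not data from the incident.

```python
"""Correlate Sysmon/System-log events for the 'stop the EDR, then kill the
installer' pattern. Added example; not the report's or SentinelOne's code.
Service names, installer file name and sample events are assumptions/constructed.
"""
from datetime import datetime, timedelta

# Assumed Windows service names for the SentinelOne agent.
EDR_SERVICES = {"SentinelAgent", "SentinelStaticEngine", "SentinelHelperService"}
# A genuine upgrade restarts the agent within seconds; a longer gap is suspicious.
MAX_RESTART_GAP = timedelta(minutes=10)


def is_sentinel_msi_install(event):
    """True for a Sysmon process-create of msiexec.exe pointing at a SentinelOne MSI."""
    cmd = event.get("cmdline", "").lower()
    return (event["event_id"] == 1
            and event["image"].lower().endswith("\\msiexec.exe")
            and "sentinel" in cmd and ".msi" in cmd)


def detect_installer_kill(events, max_gap=MAX_RESTART_GAP):
    """Per host: SentinelOne msiexec start -> EDR service 'stopped' -> msiexec exit,
    with no EDR service back to 'running' within max_gap of the stop -> finding."""
    findings = []
    per_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        per_host.setdefault(ev["host"], []).append(ev)

    for host, host_events in per_host.items():
        installs = {}  # msiexec pid -> correlation state
        for ev in host_events:
            ts = datetime.fromisoformat(ev["time"])
            if ev["source"] == "Sysmon" and is_sentinel_msi_install(ev):
                installs[ev["pid"]] = {"stopped": None, "exited": None, "restored": False}
            elif (ev["source"] == "System" and ev["event_id"] == 7036
                  and ev["service"] in EDR_SERVICES):
                for state in installs.values():
                    if ev["state"] == "stopped" and state["stopped"] is None:
                        state["stopped"] = ts
                    elif (ev["state"] == "running" and state["stopped"] is not None
                          and ts - state["stopped"] <= max_gap):
                        state["restored"] = True
            elif ev["source"] == "Sysmon" and ev["event_id"] == 5 and ev["pid"] in installs:
                installs[ev["pid"]]["exited"] = ts

        for pid, state in installs.items():
            if (state["stopped"] and state["exited"]
                    and state["stopped"] < state["exited"] and not state["restored"]):
                findings.append({
                    "host": host,
                    "msiexec_pid": pid,
                    "service_stopped_at": state["stopped"].isoformat(),
                    "msiexec_exited_at": state["exited"].isoformat(),
                    "note": "EDR services stopped by installer; msiexec exited without the agent restarting",
                })
    return findings


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
CMD = r'msiexec.exe /i "C:\Temp\SentinelInstaller_x64.msi" /qn'  # assumed file name

# Constructed sample telemetry (not from a real host): HOST-A is a genuine upgrade,
# HOST-B is the abuse pattern (services stop, msiexec dies, agent never returns).
SAMPLE_EVENTS = [
    {"host": "HOST-A", "time": "2025-05-01T10:00:00", "source": "Sysmon", "event_id": 1,
     "pid": 4100, "image": MSIEXEC, "cmdline": CMD},
    {"host": "HOST-A", "time": "2025-05-01T10:00:20", "source": "System", "event_id": 7036,
     "service": "SentinelAgent", "state": "stopped"},
    {"host": "HOST-A", "time": "2025-05-01T10:01:30", "source": "System", "event_id": 7036,
     "service": "SentinelAgent", "state": "running"},
    {"host": "HOST-A", "time": "2025-05-01T10:01:45", "source": "Sysmon", "event_id": 5,
     "pid": 4100, "image": MSIEXEC},
    {"host": "HOST-B", "time": "2025-05-01T11:00:00", "source": "Sysmon", "event_id": 1,
     "pid": 5200, "image": MSIEXEC, "cmdline": CMD},
    {"host": "HOST-B", "time": "2025-05-01T11:00:25", "source": "System", "event_id": 7036,
     "service": "SentinelAgent", "state": "stopped"},
    {"host": "HOST-B", "time": "2025-05-01T11:00:40", "source": "Sysmon", "event_id": 5,
     "pid": 5200, "image": MSIEXEC},
]

if __name__ == "__main__":
    for finding in detect_installer_kill(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, only HOST-B produces a finding. In production the grace period should be tuned to the observed duration of legitimate upgrades, and the rule pairs naturally with a second one that alerts when a host's agent stops checking in to the management console, since both fire on the same condition from different vantage points.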
TPRM report: https://scoringcyber.rankiteo.com/company/jobs
"id": "job000050625",
"linkid": "jobs",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Cybersecurity',
'name': 'SentinelOne',
'type': 'Corporate'}],
'attack_vector': "Exploitation of SentinelOne's agent upgrade process",
'customer_advisories': 'Urgent customer communications',
'data_breach': {'data_encryption': 'Critical systems and data'},
'description': 'Threat actors exploited a flaw in SentinelOne’s agent upgrade '
'process to disable endpoint protection and deploy the Babuk '
'ransomware. By running the legitimate SentinelOne installer '
'and then forcefully terminating its msiexec.exe process after '
'it stopped the EDR services—but before it installed the new '
'version—attackers left devices entirely unprotected. Once the '
'EDR agent was offline, the adversaries gained free rein to '
'execute their ransomware payload, encrypting critical systems '
'and data without detection. The breach resulted in widespread '
'operational disruption, substantial remediation costs, '
'potential data loss, and significant downtime as affected '
'devices had to be restored from backups or rebuilt. The '
'incident also exposed gaps in default security '
'configurations, prompting urgent customer communications and '
'rapid policy updates. Although SentinelOne issued mitigations '
'and informed other major EDR vendors, impacted organizations '
'still faced ransom negotiations, legal and regulatory '
'scrutiny, and damage to customer trust and corporate '
'reputation. The event underscores the critical importance of '
'enabling Online Authorization for local agent upgrades to '
'prevent similar bypasses and ensure the integrity of endpoint '
'defenses.',
'impact': {'brand_reputation_impact': 'Damage to customer trust and corporate '
'reputation',
'downtime': 'Significant downtime',
'legal_liabilities': 'Legal and regulatory scrutiny',
'operational_impact': 'Widespread operational disruption',
'systems_affected': 'Critical systems and data'},
'initial_access_broker': {'entry_point': "Exploitation of SentinelOne's agent "
'upgrade process'},
'lessons_learned': 'Enable Online Authorization for local agent upgrades to '
'prevent similar bypasses and ensure the integrity of '
'endpoint defenses.',
'motivation': 'Financial gain, Data encryption',
'post_incident_analysis': {'corrective_actions': 'Enable Online Authorization '
'for local agent upgrades',
'root_causes': "Flaw in SentinelOne's agent "
'upgrade process'},
'ransomware': {'data_encryption': 'Critical systems and data',
'ransomware_strain': 'Babuk'},
'recommendations': 'Enable Online Authorization for local agent upgrades',
'response': {'communication_strategy': 'Urgent customer communications',
'recovery_measures': 'Restored from backups or rebuilt affected '
'devices',
'remediation_measures': 'Issued mitigations, rapid policy '
'updates'},
'title': "Exploitation of SentinelOne's Agent Upgrade Process to Deploy Babuk "
'Ransomware',
'type': 'Ransomware',
'vulnerability_exploited': "Flaw in SentinelOne's agent upgrade process"}