{"id":30423,"date":"2025-05-21T11:00:00","date_gmt":"2025-05-21T09:00:00","guid":{"rendered":"https:\/\/www.arc-data-shield.fr\/?p=30423"},"modified":"2025-05-24T11:32:24","modified_gmt":"2025-05-24T09:32:24","slug":"ledr-de-sentinelone-ecarte-babuk-sinvite","status":"publish","type":"post","link":"https:\/\/www.arc-data-shield.fr\/en\/ledr-de-sentinelone-ecarte-babuk-sinvite\/","title":{"rendered":"SentinelOne's EDR out, Babuk in"},"content":{"rendered":"<p>Aon researchers showed on May 7, 2025 how an attacker who had already exploited an application flaw bypassed the anti-tamper protection of the SentinelOne EDR, uninstalled the Windows agent and deployed a variant of the Babuk ransomware.<br>The bypass abused the agent's unauthenticated upgrade\/downgrade process: with the agent gone, nothing on the host detected or blocked the encryption that followed, and the compromised server was left fully exposed.<br>SentinelOne reacted quickly: local passphrase enabled by default, authentication of updates, and stricter authorization of agent installations through its management console.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/www.arc-data-shield.fr\/wp-content\/uploads\/2025\/05\/ChatGPT-Image-18-mai-2025-13_39_45-2.png\" alt=\"\" class=\"wp-image-30427\" style=\"width:324px;height:auto\" srcset=\"https:\/\/www.arc-data-shield.fr\/wp-content\/uploads\/2025\/05\/ChatGPT-Image-18-mai-2025-13_39_45-2.png 1024w, https:\/\/www.arc-data-shield.fr\/wp-content\/uploads\/2025\/05\/ChatGPT-Image-18-mai-2025-13_39_45-2-300x300.png 300w, https:\/\/www.arc-data-shield.fr\/wp-content\/uploads\/2025\/05\/ChatGPT-Image-18-mai-2025-13_39_45-2-150x150.png 150w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><br>But, as Stroz Friedberg warns, these fixes are no substitute for defense in depth: an EDR agent that an attacker with local privileges can uninstall is one control among several, not the last line.<br>Against bypass techniques that keep evolving, regular, isolated (physically offline) backups 
remain the last bastion of business continuity.<\/p>\n\n\n\n<p>Beyond applying vendor patches promptly, investing in redundant controls and regularly testing restoration procedures (restoring from the offline copy, not just checking that the backup job succeeded) is now essential to keeping ransomware risk under control.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.lemondeinformatique.fr\/actualites\/lire-l-edr-de-sentinelone-neutralise-pour-installer-une-variante-du-ransomware-babuk-96790.html\">https:\/\/www.lemondeinformatique.fr\/actualites\/lire-l-edr-de-sentinelone-neutralise-pour-installer-une-variante-du-ransomware-babuk-96790.html<\/a><\/p>\n\n\n\n<p>Credits: <em><a href=\"https:\/\/www.lemondeinformatique.fr\/actualites\/lire-l-edr-de-sentinelone-neutralise-pour-installer-une-variante-du-ransomware-babuk-96790.html\">Le Monde Informatique<\/a>, \"L'EDR de SentinelOne neutralis\u00e9 pour installer une variante du ransomware Babuk\" (SentinelOne's EDR neutralized to install a variant of the Babuk ransomware)<\/em><\/p>","protected":false},"excerpt":{"rendered":"<p>Aon researchers showed on May 7, 2025 how an attacker who had already exploited an application flaw bypassed the anti-tamper protection of the SentinelOne EDR, uninstalled the Windows agent and deployed a variant of the Babuk ransomware. By abusing the agent's unauthenticated upgrade\/downgrade process, the attacker neutralized all detection, leaving the compromised server 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":30424,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-30423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-commonnews"],"_links":{"self":[{"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/posts\/30423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/comments?post=30423"}],"version-history":[{"count":2,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/posts\/30423\/revisions"}],"predecessor-version":[{"id":30436,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/posts\/30423\/revisions\/30436"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/media\/30424"}],"wp:attachment":[{"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/media?parent=30423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/categories?post=30423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.arc-data-shield.fr\/en\/wp-json\/wp\/v2\/tags?post=30423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
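The article's key technical point is that the attacker did not defeat the agent's self-protection head-on: the agent's own unauthenticated upgrade/downgrade path takes the agent down, and if that path is interrupted the agent simply never comes back. That sequence is visible in ordinary process telemetry, so a practitioner will want a detection for it as a compensating control while the vendor fixes (passphrase, signed updates, console-authorized installs) roll out. The following is an added example, not code from the article, from Aon/Stroz Friedberg or from SentinelOne. The event schema, the process names `msiexec.exe` and `SentinelAgent.exe`, the `SentinelInstaller` command-line marker and the five-minute window are all assumptions chosen for illustration; map them onto what your Sysmon, ETW or EDR telemetry actually records.

```python
"""Spot an EDR-agent install/upgrade that stops the agent and never restarts it.

Added illustration, not code from the article or from SentinelOne.  The event
schema, process names, the "SentinelInstaller" command-line marker and the
five-minute window are assumptions; adapt them to your own telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    kind: str        # "start" (process created) or "stop" (process exited)
    image: str       # image file name, e.g. "msiexec.exe"
    cmdline: str = ""


INSTALLER_IMAGE = "msiexec.exe"          # assumed: the agent ships as an MSI
INSTALLER_MARKER = "sentinelinstaller"   # assumed substring of the install cmdline
AGENT_IMAGE = "sentinelagent.exe"        # assumed agent process name
WINDOW = timedelta(minutes=5)            # assumed upper bound for a legitimate install


def is_agent_installer_launch(ev: ProcEvent) -> bool:
    return (ev.kind == "start"
            and ev.image.lower() == INSTALLER_IMAGE
            and INSTALLER_MARKER in ev.cmdline.lower())


def detect_aborted_agent_installs(events):
    """One alert per installer launch after which the agent went down on that
    host and did not come back within WINDOW.  A legitimate upgrade also stops
    the agent, but restarts it before the installer exits; an installer that
    exits (or is killed) while the agent is still down is the signal."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        if not is_agent_installer_launch(ev):
            continue
        deadline = ev.ts + WINDOW
        agent_down = agent_back = installer_exited_early = False
        for later in ordered[i + 1:]:
            if later.host != ev.host:
                continue
            if later.ts > deadline:
                break
            img = later.image.lower()
            if img == AGENT_IMAGE and later.kind == "stop":
                agent_down = True
            elif img == AGENT_IMAGE and later.kind == "start" and agent_down:
                agent_back = True
            elif (img == INSTALLER_IMAGE and later.kind == "stop"
                  and agent_down and not agent_back):
                installer_exited_early = True
        if agent_down and not agent_back:
            alerts.append({
                "host": ev.host,
                "installer_ts": ev.ts.isoformat(),
                "cmdline": ev.cmdline,
                "reason": ("installer exited while agent was down"
                           if installer_exited_early
                           else "agent not restarted within window"),
            })
    return alerts


def sample_events():
    """Constructed telemetry (not real logs): a clean upgrade on srv-01, an
    install on srv-02 whose msiexec.exe exits right after the agent goes down
    and the agent never returns, and unrelated MSI activity on srv-03."""
    t0 = datetime(2025, 5, 7, 10, 0, 0)

    def at(seconds):
        return t0 + timedelta(seconds=seconds)

    return [
        ProcEvent(at(0), "srv-01", "start", "msiexec.exe",
                  "msiexec.exe /i SentinelInstaller_24.2.msi /quiet"),
        ProcEvent(at(20), "srv-01", "stop", "SentinelAgent.exe"),
        ProcEvent(at(45), "srv-01", "start", "SentinelAgent.exe"),
        ProcEvent(at(60), "srv-01", "stop", "msiexec.exe"),
        ProcEvent(at(0), "srv-02", "start", "msiexec.exe",
                  "msiexec.exe /i SentinelInstaller_23.1.msi /quiet"),
        ProcEvent(at(15), "srv-02", "stop", "SentinelAgent.exe"),
        ProcEvent(at(16), "srv-02", "stop", "msiexec.exe"),
        ProcEvent(at(30), "srv-03", "start", "msiexec.exe",
                  "msiexec.exe /i 7zip.msi /quiet"),
        ProcEvent(at(31), "srv-03", "stop", "msiexec.exe"),
    ]


if __name__ == "__main__":
    for alert in detect_aborted_agent_installs(sample_events()):
        print(alert)
```

The rule deliberately keys on the sequence (installer launch, agent stop, no agent start) rather than on the installer version, so it also catches a same-version reinstall that is interrupted. It is a host-telemetry detection and therefore only fires if the process events reach the SIEM before or despite the agent's removal; that is exactly why the article treats detection fixes as complementary to offline backups rather than a replacement for them.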