#Babuk

📰 Hackers Use the Velociraptor Forensic Tool to Launch LockBit and Babuk Ransomware Attacks

👉 Read the full article here: ahmandonk.com/2025/10/10/velociraptor-...

#babuk #cisco #talos #cve-2025-6264 #cybersecurity #dfir #lockbit #ransomware #rapid7 #storm-

SentinelOne EDR Exploit Allows Babuk Ransomware Deployment Through Installer Abuse

A newly discovered exploit has revealed a critical vulnerability in SentinelOne’s endpoint detection and response (EDR) system, allowing cybercriminals to bypass its tamper protection and deploy the Babuk ransomware. The method, identified as a “Bring Your Own Installer” technique, was uncovered by John Ailes and Tim Mashni from Aon’s Stroz Friedberg Incident Response team during a real-world ransomware case investigation.

The core issue lies in how the SentinelOne agent handles updates. When an agent is upgraded, the existing version is momentarily stopped to make way for the new one. Threat actors have figured out how to exploit this transition window by launching a legitimate SentinelOne installer and then terminating it mid-process. This action disables the EDR protection temporarily, leaving the system vulnerable long enough to install ransomware or execute malicious operations without being detected.

Unlike traditional bypasses that rely on third-party drivers or hacking tools, this method takes advantage of SentinelOne’s own software. Once the process is interrupted, the system loses its protection, allowing the attackers to act with impunity. Ailes stressed that the bypass can be triggered using both older and newer agent versions, putting even up-to-date deployments at risk if specific configuration settings are not enabled. During their investigation, the team observed how the targeted device disappeared from the SentinelOne management console shortly after the exploit was executed, signaling that the endpoint had become unmonitored.

The attack was effective across multiple versions of the software, indicating that the exploit isn’t tied to a particular release. To mitigate this risk, SentinelOne recommends activating a feature called “Online Authorization” (also referred to as Local Upgrade Authorization). This setting ensures that any attempt to upgrade, downgrade, or uninstall the agent must first be approved via the SentinelOne management console.

Although this option exists, it is not enabled by default for existing customers, largely to maintain compatibility with deployment tools like Microsoft’s System Center Configuration Manager. Since the vulnerability was disclosed, SentinelOne has taken steps to notify customers and is now enabling the protective setting by default for new installations.

The company also confirmed sharing the findings with other major EDR providers, recognizing that similar techniques could potentially impact their platforms as well. While the current exploit does not affect SentinelOne when configured correctly, the case serves as a stark reminder of the importance of security hardening, particularly in the tools meant to defend against sophisticated threats.

SentinelOne EDR Exploit Allows Babuk Ransomware Deployment Through Installer Abuse #Babuk #BabukRansomware #criticalvulnerabilities


New groups such as #Clop, #RansomHub and #Babuk are creating more uncertainty, especially because of unreported attacks. It is essential that companies become more transparent in their reporting in order to increase the effectiveness of the fight against ransomware.

Screenshot of the Babuk ransomware website, on which, under the heading "Leaks Data", the entry about the ransomware attack on Rheinmetall Defence, rheinmetall.com, can be seen.

The Babuk ransomware group announced today on the darknet that it has hacked Rheinmetall Defence; here is a screenshot from the darknet of the Babuk site:

#babuk #rheinmetall #rheinmetalldefence #ransomware #cyberangriff #cyberattacke #cybersecurity


Scams from this group continue; we mark many of their claims as "Old data leak".
#babuk #babuk2


Remove EndPoint Ransomware EndPoint ransomware is a highly destructive file-locking malware belon...

www.rivitmedia.com/cyberthreats/malware/rem...

#Malware #Ransomware #Babuk #ransomware #cyber #extortion #Cyber #threat #Cybersecurity #threats #data


#babuk #babuklocker2 #ransomware #DarkWeb


#ransomware -/- On the return of the #Babuk group to the scene there are still many doubts (we will understand more from its next moves); it is monitored on #Ransomfeed, but all mass claims that belonged to other groups will be sterilised (evaluated case by case).


(non-)ethics of ransomware and its dynamics.

So why are the #babuk and #babuk2 data not genuine? Because those claims had already been published by other groups. And because the group has not been active for years.

The source code of the "babuk ransomware" was leaked and shared

💰


1/2
🆕 Independent #Ransomware Activity Disclosure 🌐
The answer to the question (about #Babuk) is: "garbage".
Dozens of claims published (including 2 🇮🇹) that had already been published in 2024 by #Ransomhub and #Meow.

Ransomware on ESXi: The Mechanization of Virtualized Attacks Ransomware on VMware ESXi surged in 2024 with $5M demands. Discover vulnerabilities and defense strategies.

Ransomware on ESXi: The Mechanics of Virtualized Attacks

Ransomware on ESXi: The Mechanization of Virtualized Attacks #HackerNews (Jan 13)

#ESXi #ランサムウェア #Babuk #仮想化 #サイバーセキュリティ
