
Hackers Utilizing Bypass Tool From Cybercrime Forums to Evade Endpoints


Researchers recently uncovered two previously unknown endpoints running older Cortex XDR agents that had been compromised during testing of an AV/EDR bypass tool. The breach granted unauthorized access to the system, posing a serious threat to the security of sensitive information.

The threat actor responsible for this breach utilized a bypass tool that was likely acquired from cybercrime forums, highlighting the growing trend of threat actors utilizing underground resources to carry out attacks. This sophisticated tool allowed the threat actor to compromise the system, leading to unauthorized access and potential data exfiltration.

Further analysis of the recovered files and digital footprints shed light on the identity of one of the attackers, providing significant insights into both their personal and professional life. This crucial information helped paint a clearer picture of the threat actor behind this attack and their potential motives.

One of the key findings of the investigation was a disabler.exe tool, derived from the EDRSandBlast source code, which located and removed EDR hooks in both user mode and kernel mode. By loading a vulnerable driver to gain privileged access, the threat actor was able to circumvent the security measures in place, which highlights the importance of regular software updates and vulnerability assessments.
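As an added example (not from the article or from Unit 42), the following Python detector looks for the shape described above in Sysmon-style telemetry: a driver loaded from an untrusted directory or matching a vulnerable-driver hash list, followed shortly by a process started from the same directory. The event lines, paths and hashes are constructed placeholders, and the trusted-directory allowlist and time window are assumptions.

```python
import re
import ntpath
from datetime import datetime, timedelta

# Assumed allowlist: directories a legitimately installed driver is expected to load from.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")
# Placeholder entries standing in for a real vulnerable-driver hash blocklist.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
# Assumed correlation window between the driver load and the follow-on process.
WINDOW = timedelta(minutes=5)

# Constructed Sysmon-style sample telemetry: EventID 6 = driver loaded, EventID 1 = process created.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256=PLACEHOLDER_SHA256_BENIGN",
    "2024-05-01T10:02:10 EventID=6 ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\loader.sys Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER",
    "2024-05-01T10:02:14 EventID=1 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\disabler.exe CommandLine=disabler.exe",
    "2024-05-01T10:30:00 EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

FIELD = re.compile(r"(\w+)=(\S+)")  # key=value pairs; sample paths contain no spaces


def parse(line):
    """Split one event line into a dict of fields plus a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def suspicious_driver(ev):
    """A driver load is suspicious if its hash is blocklisted or it comes from an untrusted directory."""
    path = ev.get("ImageLoaded", "").lower()
    sha = ev.get("Hashes", "").split("=", 1)[-1]  # strip the "SHA256=" prefix
    return sha in VULNERABLE_DRIVER_SHA256 or not path.startswith(TRUSTED_DRIVER_DIRS)


def find_tamper_sequences(lines):
    """Return (driver, process) pairs: a suspicious driver load followed within WINDOW
    by a process started from the same directory, the load-driver-then-unhook pattern."""
    events = [parse(line) for line in lines]
    hits = []
    for drv in (e for e in events if e.get("EventID") == "6" and suspicious_driver(e)):
        for proc in (e for e in events if e.get("EventID") == "1"):
            same_dir = ntpath.dirname(proc["Image"]).lower() == ntpath.dirname(drv["ImageLoaded"]).lower()
            if same_dir and drv["ts"] <= proc["ts"] <= drv["ts"] + WINDOW:
                hits.append((drv["ImageLoaded"], proc["Image"]))
    return hits


if __name__ == "__main__":
    for driver, process in find_tamper_sequences(SAMPLE_EVENTS):
        print(f"possible EDR tampering: {driver} loaded, then {process} started")
```

Real deployments would replace the placeholder hash set with a maintained vulnerable-driver list and feed the function from the actual Sysmon or EDR event stream.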

The rogue system’s “Z:\freelance” directory contained usernames that were potentially linked to cybercrime affiliates, further implicating the threat actor in malicious activities. The investigation also revealed the presence of a threat actor known as “Marti71,” who was identified through their consistent activity and posts seeking AV/EDR bypass tools on online forums.

The threat actor demonstrated a tool capable of bypassing multiple AV/EDR agents, enabling successful execution of Mimikatz. This capability was confirmed through comparisons of tool demonstration recordings found on both the rogue system and the threat actor’s shared archive, underscoring the severity of the breach and the threat actor’s technical proficiency.

In addition to sensitive financial information and PII, the recovered files contained various hacking tools, including AV/EDR bypass tools and kernel driver utilities. The presence of these tools, coupled with evidence of data exfiltration, further substantiated the threat actor’s illicit activities and advanced technical capabilities.

The investigation also uncovered materials related to code obfuscation, anti-cheat bypass, and compiler obfuscation, indicating a potential malicious intent and a high level of technical sophistication. This finding underscored the need for organizations to remain vigilant and proactive in their cybersecurity measures to defend against such malicious actors.

While the threat actor was identified as Andry, a Kazakhstani employee, their specific involvement in the attack and any potential affiliations with other threat actors remain uncertain. The investigation also linked an individual known as KernelMode to the rogue system hosting tool demonstrations, highlighting the complex and interconnected nature of cyber threats.

The recent surge in AV/EDR bypass tools poses a significant challenge for organizations seeking to safeguard their sensitive information from cyber threats. With threat actors constantly evolving and adapting their tactics, organizations must remain proactive in implementing robust cybersecurity measures to defend against such breaches.

According to Unit 42, organizations should prioritize enabling agent tampering protection and blocking indicators of compromise to mitigate the risks associated with AV/EDR bypass tools. By taking proactive steps to enhance their cybersecurity posture, organizations can better protect their sensitive data and defend against emerging cyber threats.

Overall, the discovery of these compromised endpoints and the subsequent investigation underscore the importance of robust cybersecurity measures in defending against sophisticated cyber threats. As threat actors continue to evolve and exploit vulnerabilities, organizations must remain vigilant and proactive in safeguarding their systems and data from potential breaches.
