Even with the advancement of corporate cybersecurity systems, criminals have found ways to circumvent some types of protections
As hacker attacks have become more destructive and widespread, a powerful tool from companies like CrowdStrike Holdings and Microsoft has become an ally of the cybersecurity industry.
Called “endpoint detection and response” (EDR) software, the technology is designed to detect early signs of malicious activity on laptops, servers and other devices — “endpoints” in a computer network — and block them before intruders can steal data or crash machines.
But experts say hackers have developed workarounds for some forms of the technology, allowing them to bypass products that have become the gold standard for protecting critical systems.
Over the past two years, for example, Mandiant, which is part of Alphabet’s Google Cloud division, has investigated 84 breaches in which EDR or other endpoint security software was tampered with or disabled, said Tyler McLellan, the company’s principal threat analyst.
The findings represent the latest evolution of a decades-old cat-and-mouse game as hackers adapt their techniques to circumvent the newest cybersecurity protections, according to Mark Curphey, who has held senior roles at McAfee and Microsoft and now is a cybersecurity entrepreneur in the UK.
“Hacking security protection tools is nothing new,” he said, adding that “the prize, if successful, is access to all systems using them, by definition systems worth protecting.”
Investigators from several cybersecurity firms said the number of attacks in which EDR is disabled or bypassed is small but growing, and hackers are finding ever more ingenious ways to circumvent stronger protections provided by the tool.
Microsoft disclosed in a December blog post that hackers had tricked the company into applying its seal of authenticity to malware, which was then used to disable the company’s EDR and other security tools on victims’ networks.
Microsoft has suspended the accounts of third-party developers involved in the attack and said the company is “working on long-term solutions to address these deceptive practices and prevent future impacts to customers.”
In February, Arctic Wolf Networks detailed a case investigated late last year where hackers from the Lorenz ransomware group were initially blocked by the victim’s EDR.
The hackers regrouped and deployed a free digital forensics tool that allowed them to access computers’ memory directly and successfully deploy their ransomware, bypassing EDR, the company said. Arctic Wolf did not identify the victim or the affected EDR.
And in April, Sophos disclosed new malware that the UK company discovered was used to disable EDR tools from Microsoft, Sophos itself, and several other companies before deploying Lockbit and Medusa Locker ransomware.
“Bypassing EDR and disabling security software is clearly a tactic on the rise,” said Christopher Budd, senior manager of threat research at Sophos. “Due to the nature of this type of attack, it is particularly difficult to detect as it targets the very tools that detect and prevent cyberattacks.”
The market for EDR and other new endpoint security technologies grew 27% to reach $8.6 billion globally last year, led by CrowdStrike and Microsoft, according to IDC.
Adam Meyers, senior vice president of intelligence at CrowdStrike, said the growing number of attacks against EDR software shows that hackers “have evolved.” Many of the attacks tracked by CrowdStrike, against its own products and those offered by competitors, involve customer system misconfigurations or deep vulnerabilities in software or firmware, signs that hackers now need to work harder to break into target networks, he explained.
“We’re trying to go deeper and deeper and closer and closer to the hardware, and the closer you get to the hardware, the harder it is to stop an attack,” Meyers said.