Spyboy’s Endpoint Protection Terminator: Unfolding Future Risks for Cybersecurity Community
12 Jul
Recently, the IS community was rocked by news of a new tool that could easily bypass Endpoint Protection systems and disable more than twenty cybersecurity solutions, including giants such as McAfee and CrowdStrike. Someone called Spyboy, on a Russian cybercriminal membership forum, was asking $3000 for the tool (the first 5 lucky customers were promised it at half price). The price offered was far less than the potential damage the tool could cause if used in an "authorized pentest":
Using the BYOVD (Bring Your Own Vulnerable Driver) approach, the tool is claimed to disable security solutions with kernel privileges: a legitimately signed but vulnerable driver is loaded, and its flaws are then used to act against the security products from kernel mode.
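As an added, defender-side illustration of what a BYOVD driver load leaves in telemetry (example code, not from the page, from Spyboy, or from the Terminator repository): a small triage routine over Sysmon Event ID 6 (DriverLoad) records that flags known-vulnerable driver hashes, drivers loaded from outside the standard driver directories, and drivers whose signature is not valid. The hash values, file names and log lines below are constructed placeholders; a real deployment would substitute a curated vulnerable-driver list such as loldrivers.io.

```python
import re

# Constructed placeholder hashes, not real driver hashes.
VULN_SHA = "0" * 64
BENIGN_SHA = "1" * 64
# Map of SHA-256 -> name for drivers known to be abusable (constructed entry).
VULNERABLE_DRIVER_SHA256 = {VULN_SHA: "example-vulnerable.sys"}
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed Sysmon Event ID 6 records rendered as key=value lines.
SAMPLE_EVENTS = rf"""EventID=6 ImageLoaded="C:\Windows\System32\drivers\tcpip.sys" Hashes=SHA256={BENIGN_SHA} Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=6 ImageLoaded="C:\Users\Public\example-vulnerable.sys" Hashes=SHA256={VULN_SHA} Signed=true Signature="Example Vendor" SignatureStatus=Valid
EventID=6 ImageLoaded="C:\Windows\System32\drivers\example.sys" Hashes=SHA256={BENIGN_SHA} Signed=true Signature="Example Vendor" SignatureStatus=Expired
EventID=7 ImageLoaded="C:\Windows\System32\kernel32.dll" Hashes=SHA256={BENIGN_SHA} Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sha256_of(event: dict) -> str:
    """Pull the SHA256 component out of Sysmon's comma-separated Hashes field."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part[7:].lower()
    return ""


def assess(event: dict) -> list:
    """Return the reasons a driver load looks like BYOVD; empty list means benign."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha = sha256_of(event)
    # A BYOVD driver is usually validly signed, so the hash match matters most.
    if sha in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver {VULNERABLE_DRIVER_SHA256[sha]}")
    if not any(image.lower().startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        reasons.append(f"non-standard path {image}")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def triage(log_text: str) -> list:
    """Return (image, reasons) for every DriverLoad record that raised a flag."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "6" and (reasons := assess(ev)):
            hits.append((ev.get("ImageLoaded", ""), reasons))
    return hits
```

Feeding the same logic with live Event ID 6 records from a SIEM, rather than the constructed lines, gives a first-line alert on a vulnerable driver appearing where no driver should be installed.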
Further unfolding of events added spice to the very existence of such a toolkit: the tool suddenly appeared freely available on GitHub. The repository can be found at https://github.com/ZeroMemoryEx/Terminator. We can only guess whether the threat actor Spyboy still has a chance to sell his software if anyone can download the code for free. Let's take that as one of the professional risks.
The CrowdStrike team has tested this threat and announced that CrowdStrike Falcon EDR is able to discover the threat actors' activity and block their actions*. You can watch a demo of how the Advanced AI of the Falcon Platform eliminates the Spyboy attack on CrowdStrike's official YouTube channel**.
What is really concerning is that utilities with similar functionality appear in the public domain more and more regularly, giving the attacker a significant advantage. Companies using even the most expensive AV/EDR/XDR products and their associated "subscriptions" can no longer rely entirely on this class of IS system to detect attacks inside the perimeter.
In this situation, the role of other tools capable of detecting an attacker's presence or lateral movement in the company's infrastructure, such as Deception-class systems, increases significantly.
In addition to direct attack detection, Deception systems distract an attacker from the real hosts and services on the network, giving the IS/SOC team more time to analyze and react.
We want to remind you that the Labyrinth Deception Platform has strong and recently improved integration with CrowdStrike, which protects users from different threats by providing a multifaceted cyber defense system that can stop the most sophisticated attacks.
The main conclusion from the emergence of AV/EDR/XDR circumvention tools: you cannot rely on only one class of IS solution. You should always use a combination of different types of IS tools that complement each other, so that your system is well protected and highly resistant to attacks.