All news with #sentinelone tag

🔒 AWS Security Hub Extended adds 21 curated partner solutions across nine security categories, including SentinelOne, CyberArk, Sublime, Varonis, LayerX, Native Security, and Zenity. The plan centralizes procurement, billing, and support with pay-as-you-go pricing, a single AWS bill, automatic Enterprise Discount Program eligibility, unified Level 1 support for Enterprise customers, and no long-term commitments. Findings from participating solutions are emitted in the OCSF schema and aggregated in AWS Security Hub to accelerate cross-domain detection and response.

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.

🔔 SentinelOne researchers disclosed a new SHub macOS infostealer variant, dubbed Reaper, that lures victims with fake app installers and uses the applescript:// URL scheme to launch a malicious AppleScript. The payload displays a bogus Apple security update, requests the macOS password, and executes a shell script that harvests browser data, crypto wallets, passwords, iCloud and Telegram artifacts, and files from Desktop and Documents. Reaper also persists via a LaunchAgent, hijacks wallet apps by replacing core files, and clears quarantine flags to evade Gatekeeper.

🔒 Symantec researchers attribute a February 2026 cyber-espionage campaign to MuddyWater (Seedworm), which spent a week inside a major South Korean electronics manufacturer's network. The attackers relied on DLL sideloading of legitimate binaries — Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe — to load malicious DLLs containing ChromElevator. They used PowerShell (now invoked via Node.js loaders) for reconnaissance, credential theft, persistence and SOCKS5 tunneling, and exfiltrated data via sendit.sh.

🔒 Security researchers uncovered PCPJack, a credential‑theft framework that targets exposed cloud infrastructure and removes artifacts tied to TeamPCP. SentinelOne reports PCPJack worms through services to harvest credentials from Docker, Kubernetes, Redis, MongoDB, RayML and vulnerable web apps. Unlike many cloud campaigns it omits crypto‑mining and actively removes TeamPCP miner code, indicating monetization through credential theft, resale, fraud or extortion.

🔒 SentinelOne researchers led by Alex Delamotte disclosed PCPJack, a modular credential-theft framework that targets exposed cloud, container, developer, productivity, and financial services while actively removing artifacts tied to TeamPCP. The campaign boots via a shell script that prepares the host, installs Python, fetches six purpose-built Python payloads, and launches an orchestrator that exploits known CVEs and propagates in a worm-like fashion. Stolen credentials are encrypted and exfiltrated to attacker-controlled Telegram channels, and a secondary script harvests service keys from IMDS, Kubernetes service accounts, and Docker instances for a wide range of services including OpenAI and 1Password.

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.

🔒 This buyer's guide explains what Endpoint Detection and Response (EDR) is, which core capabilities to expect, and which vendors and solutions are recommended. It highlights EDR features such as real-time behavioral telemetry, deep investigation tools, centralized analytics, and integrations with SIEM, SOAR, firewalls and other security controls. Vendor profiles include CrowdStrike, Microsoft, Palo Alto, SentinelOne, Sophos and Trend Micro, and four practical questions to ask vendors before purchasing are provided.

🔎 SentinelOne researchers have identified a sabotage-focused malware framework from around 2005 that predates Stuxnet by at least five years. The investigation uncovered a service binary (svcmgmt.exe) embedding a Lua 5.0 VM and a boot-start kernel driver (fast16.sys) that intercepts and patches executables at the storage layer. Fast16 acted as a wormable carrier with multiple 'wormlet' payloads, targeted Windows 2000/XP file shares using weak credentials, and included environmental checks to avoid specific security software. The framework was designed to corrupt outputs from engineering and simulation suites, and was later referenced in the Shadow Brokers leak.

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.

🔐 The SentinelOne Annual Threat Report for 2026 warns that attackers are executing identity-based compromises at industrial scale, abusing legitimate enterprise accounts and identity systems. These intrusions often bypass or subvert MFA — including through readily available MFA-bypass kits and coercive push attacks — leaving traditional defenses blind. The report also highlights fake-persona recruitment campaigns, including deepfake-enabled interviews, and warns of administrative account takeovers that can disable MFA organization-wide.

🔒 Cloudflare One now integrates continuous User Risk Scores into its ZTNA policies, letting admins factor recent user behaviors into access decisions. The SASE risk engine ingests internal telemetry from Cloudflare Access and Gateway, plus third-party signals via integrations (e.g., CrowdStrike, SentinelOne), and deterministically maps configured behaviors to low/medium/high risk levels. Administrators can apply risk-based selectors in Access policies to restrict, require stronger MFA, or revoke access dynamically, with manual reset and signal-sharing back to IdPs.

🔒 SmarterTools confirmed that the Warlock ransomware group breached its network after exploiting an authentication-bypass flaw in a single, unpatched SmarterMail VM (CVE-2026-23760) on January 29, allowing attackers to reset admin passwords and obtain full privileges. The intrusion led to compromise of 12 Windows servers in the company’s office network and a secondary data center used for testing and hosting, while the company’s Linux infrastructure was not affected. Security tooling, including SentinelOne, blocked the final encryption payload, impacted systems were isolated, and data was restored from backups; SmarterTools urges administrators to upgrade to Build 9511 or later.

🔍 A joint investigation by SentinelOne SentinelLABS and Censys identified 175,000 publicly reachable Ollama hosts across 130 countries, spanning cloud and residential networks. Nearly half of observed instances advertise tool-calling capabilities that can execute code, access APIs, and interact with external systems, significantly raising the threat profile. Researchers warn these unmanaged LLM deployments lack standard authentication and monitoring, enabling active LLMjacking campaigns and resale of illicit access.

🔒SentinelOne reported a one-day spear-phishing campaign on October 8 that targeted aid organisations and Ukrainian regional administrations. The operation, named PhantomCaptcha, delivered a WebSocket RAT hosted on Russian-owned infrastructure and used weaponized PDFs and a fake Cloudflare CAPTCHA to trick victims into executing PowerShell. The multi-stage chain enabled data exfiltration, persistent remote access and potential deployment of additional malware.

🔍Three major cybersecurity vendors — Microsoft, SentinelOne and Palo Alto Networks — have declined to participate in the 2025 MITRE Engenuity ATT&CK Evaluations: Enterprise, citing a need to prioritize product development and innovation. Their exits, after strong 2024 performances, have sparked debate over the tests' scope and whether they encourage PR-driven preparation. MITRE says it will revive a vendor forum for 2026 to improve engagement.

🔎 Our colleague Joseliyo Sánchez, together with SentinelOne researcher Aleksandar Milenkoski, will present a hands-on workshop at Labscon on automating large-scale threat hunting using the VirusTotal Enterprise API. Attendees will employ Python and Google Colab to process massive datasets, track APT behaviors, and apply LLMs to enhance analysis, query building, and visualizations. The session targets CTI analysts, threat hunters, incident responders, SOC analysts, and security researchers. A follow-up blog post will publish example exercises and materials for further learning.

🚨 Cephalus is a mid‑2025 ransomware operation that both encrypts systems and exfiltrates sensitive data for publication on a dark‑web leak site. The group commonly gains initial access via Remote Desktop Protocol (RDP) accounts lacking multi‑factor authentication and uses a DLL sideloading chain that abuses SentinelOne's SentinelBrowserNativeHost.exe to load a malicious DLL and execute the payload. Infected files are renamed with the .sss extension, Volume Shadow Copies are deleted, and Windows Defender is disabled. Organisations should prioritise MFA, timely patching, secure offline backups, network segmentation and staff training to reduce risk.

🔒 The Hacker News summarizes SentinelOne’s positioning after Gartner named it a Leader in the 2025 Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. The piece spotlights the Singularity Platform as an AI-first solution—featuring an AI analyst and unified EDR, CNAPP, Hyperautomation, and AI SIEM—asserting FedRAMP High authorization and single-console control. Customer-reported outcomes cited include 63% faster detection, 55% reduced MTTR, and a reported 338% three-year ROI. Product capabilities emphasized include Purple AI natural-language threat hunting, one-click rollback, Storyline correlation, OCSF integration, and alignment with MITRE ATT&CK and NIST 800-207.