
Fortifying Cyber Defenses: Effective Countermeasures to Combat EDR/XDR Exploits



How Organizations Can Defend Against Ransomware Exploiting EDR/XDR Technologies

Introduction

In early 2023, a user named “spyboy” promoted a tool called “Terminator” on the Russian-language forum Ramp. This software claims to be able to evade endpoint detection and response (EDR) and extended detection and response (XDR) platforms on the Windows operating system. Lumu’s 2023 Ransomware Flashcard reveals that EDR and XDR solutions, which play crucial roles in identifying and mitigating threats, are now frequently circumvented by bad actors. Understanding how ransomware and all-in-one EDR/XDR killers like Terminator operate is crucial for organizations to defend against these threats.

CPL and DLL Side-Loading

CPL files, originally created for quick access to tools in the Control Panel on Windows, are now being used by bad actors to hide malware. The DLL side-loading technique allows attackers to trick a legitimate application into loading a counterfeit DLL file instead of the authentic one. By placing a malicious DLL where the application looks for the legitimate one, the attacker's code runs under the trusted application and from there infects the target system.
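The two abuses described above leave characteristic traces in endpoint telemetry. The following is an added detection example (not code from the original article) that runs two rules over constructed Sysmon-style events: a well-known Windows DLL name loaded from outside the Windows directories (side-loading), and control.exe or rundll32.exe handed a .cpl file from a user-writable folder (CPL abuse). The DLL name list and the directory lists are assumptions chosen for illustration.

```python
"""Detection rules for DLL side-loading and CPL abuse over constructed Sysmon-style events."""
import ntpath

# Windows DLL names frequently impersonated in side-loading (assumption: representative list)
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll", "msimg32.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "c:\\users\\public\\")


def _norm(path):
    """Normalise a Windows path for comparison (case-insensitive, backslashes)."""
    return path.replace("/", "\\").lower()


def sideload_alert(event):
    """Sysmon Event ID 7 (image load): a system DLL name loaded from outside the Windows directories."""
    if event.get("EventID") != 7:
        return None
    path = _norm(event["ImageLoaded"])
    if ntpath.basename(path) in SYSTEM_DLL_NAMES and not path.startswith(TRUSTED_DIRS):
        return f"possible DLL side-loading: {event['Image']} loaded {event['ImageLoaded']}"
    return None


def cpl_alert(event):
    """Sysmon Event ID 1 (process create): Control Panel host launched with a .cpl from a user-writable path."""
    if event.get("EventID") != 1:
        return None
    image = ntpath.basename(_norm(event["Image"]))
    cmd = _norm(event["CommandLine"])
    if image in ("control.exe", "rundll32.exe") and ".cpl" in cmd and any(d in cmd for d in USER_WRITABLE):
        return f"possible CPL abuse: {event['CommandLine']}"
    return None


def scan(events):
    """Apply every rule to every event and return the list of alert strings."""
    return [hit for ev in events for rule in (sideload_alert, cpl_alert) if (hit := rule(ev))]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\app.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\alice\\Downloads\\invoice.cpl"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\control.exe", "CommandLine": "control.exe C:\\Windows\\System32\\timedate.cpl"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The first and fourth sample events are benign and produce no alert; the second and third each trigger one rule.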

Code Injection

Attackers often use code injection to insert malicious code into a legitimate application or process, making it harder for EDR or EPP systems to detect. One popular technique for code injection is process hollowing, where attackers create a new process from a legitimate binary, remove that binary's memory pages so the process is left with an empty address space, and then write their own code into it.

Userland API Hooking

API hooking is a technique that allows attackers to intercept an application's API calls in order to manipulate the application's behavior. Userland hooking is the variant in which attackers intercept the function calls an application makes to system libraries or APIs within user space, redirecting them to their own code.

ChatGPT

BlackMamba, a recently created polymorphic keylogger, can modify code without command and control (C2) infrastructure. It leverages generative AI tools to constantly modify its code and evade detection algorithms employed by EDRs.

How to Secure Overall Cyber Resilience, Including EDR/XDR

Continuous Threat Intelligence and Analysis

Organizations should configure EDR/XDR solutions to effectively monitor critical endpoints. Additionally, using Network Detection and Response (NDR) or Network Analysis and Visibility (NAV) tools can provide insights into malicious traffic flowing through the network.

Defense-in-Depth

A defense-in-depth approach with multiple layers of security controls is essential. This includes network segmentation, firewall rules, intrusion prevention systems, and anti-malware solutions. Regular analysis of emerging threats and assessment of the current cybersecurity stack are necessary to combat new attack techniques.

Incident Response Planning

Developing a comprehensive incident response plan specifically tailored for ransomware incidents is essential. This plan should include predefined steps for isolating infected systems, containing the spread, and restoring critical data from secure backups.

Secure Cyber Resilience Beyond EDR/XDR

Ransomware operators and bad actors are constantly refining their tactics to bypass security technologies. Organizations must stay vigilant by implementing continuous threat intelligence, defense in depth, and well-prepared incident response plans. By doing so, EDR/XDR tools become more robust, and the entire cybersecurity operation is strengthened.

Keywords: Cybersecurity, EDR, XDR, exploits, defense-in-depth, threat intelligence
