erjumbo.blogg.se

Have an impact on







The Palo Alto Networks Product Security Assurance team is aware of an article that details a strain of ransomware dubbed “Rorschach.” When removed from its installation directory, the Cortex XDR Dump Service Tool (cydump.exe), which is included with Cortex XDR agent on Windows, can be used to load untrusted dynamic link libraries (DLLs) with a technique known as DLL side-loading. Rorschach ransomware uses a copy of this tool and this technique to evade detection on systems that do not have sufficient endpoint protection.

When the Cortex XDR agent is installed on Windows and the Cortex XDR Dump Service Tool process is running from the installation path, it is not possible to side-load DLLs with this technique. The security permissions and protections of the installed Cortex XDR agent prevent it.

This issue does not represent a product vulnerability risk to customers using Cortex XDR agent. The ransomware is detected and blocked by Cortex XDR agent 7.7 and later versions with CU-240 (released November 2021) and later content updates.
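A detection sketch for the condition described above, the dump tool executing from anywhere other than its installation path. This is an added example, not code from Palo Alto Networks or the article it mentions. It assumes Sysmon Event ID 1 style fields (`Image`, `OriginalFileName`), a placeholder installation directory, and that the binary's version resource carries the name `cydump.exe`.

```python
import ntpath

# Assumption: placeholder for the agent's real installation directory; set it
# to the path used in your environment.
EXPECTED_DIR = r"C:\Program Files\ExampleVendor\XDR-Agent"
TOOL_NAME = "cydump.exe"  # tool name as given in the text above


def _norm(path):
    """Normalise a Windows path for comparison (case, slashes, '..')."""
    return ntpath.normcase(ntpath.normpath(path))


def is_relocated_tool(event, expected_dir=EXPECTED_DIR):
    """True when the dump tool executes from outside its installation path.

    `event` is a dict with Sysmon Event ID 1 style fields: Image and
    OriginalFileName. Matching on OriginalFileName also catches renamed
    copies (assumption: the version resource carries TOOL_NAME).
    """
    image = _norm(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    is_tool = ntpath.basename(image) == TOOL_NAME or original == TOOL_NAME
    if not is_tool:
        return False
    # Compare the parent directory exactly; a prefix test would accept
    # look-alike folders such as "...\XDR-AgentX\".
    return ntpath.dirname(image) != _norm(expected_dir)


def flag_events(events, expected_dir=EXPECTED_DIR):
    """Return the Image paths of all events that should raise an alert."""
    return [e["Image"] for e in events if is_relocated_tool(e, expected_dir)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleVendor\XDR-Agent\cydump.exe", "OriginalFileName": "cydump.exe"},
    {"Image": r"C:\Users\Public\cydump.exe", "OriginalFileName": "cydump.exe"},
    {"Image": r"C:\ProgramData\svc\helper.exe", "OriginalFileName": "cydump.exe"},
    {"Image": r"c:\program files\examplevendor\xdr-agentx\CYDUMP.EXE", "OriginalFileName": "cydump.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for path in flag_events(SAMPLE_EVENTS):
        print("ALERT: dump tool running outside install path:", path)
```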







