{"id":20794,"date":"2022-12-13T11:22:07","date_gmt":"2022-12-13T19:22:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/13\/news-14527\/"},"modified":"2022-12-13T11:22:07","modified_gmt":"2022-12-13T19:22:07","slug":"news-14527","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/12\/13\/news-14527\/","title":{"rendered":"Sophos Endpoint Tamper Protection Thwarts a Sophisticated Ransomware Attack"},"content":{"rendered":"

Credit to Author: Sally Adam| Date: Tue, 13 Dec 2022 18:13:11 +0000<\/strong><\/p>\n

\n

Tamper Protection is one of those powerful but lesser-known protection capabilities that works away quietly in the background. It prevents adversaries from turning off defenses in Sophos Intercept X Endpoint<\/a>, our market leading EDR solution, so they can deploy their payloads.<\/p>\n

Recently, Tamper Protection was thrust into the spotlight when it was key to Sophos identifying and thwarting a novel ransomware attack<\/a> in which the attackers used a malicious driver signed with a legitimate Windows Hardware Compatibility Publisher digital certificate from Microsoft. The driver specifically targets processes used by major endpoint detection and response (EDR) software packages and we have strong confidence that it is associated with the attack group behind Cuba ransomware.<\/p>\n

Creating a malicious driver from scratch and getting it signed by a legitimate authority is very difficult, but it\u2019s also incredibly effective because the driver can essentially carry out any processes without question.<\/p>\n

Virtually all EDR software is vulnerable to this new driver but, fortunately, the Tamper Protection capability in Sophos Endpoint ensured that the adversary\u2019s attempt to disable our protection failed. This enabled other protection technologies in Sophos Endpoint to successfully halt the ransomware attack. Sophos Rapid Response<\/a>, our incident response experts, stepped in to successfully neutralize the incident, and the investigation triggered a comprehensive collaboration between Sophos and Microsoft to take action and address the threat.<\/p>\n

The importance of layered protection<\/h2>\n

With cybersecurity there is no silver bullet, no single protection capability that will stop every threat. Each attack combines a different set of tactics, techniques, and procedures (TTPs), and as a result there is no \u2018one size fits all\u2019 protection solution. What works against one attack, will not always work against the next one.<\/p>\n

To optimize your defenses you need layered protection: multiple sophisticated security capabilities with each playing its part in defending against advanced attacks. Sophos Endpoint is packed with these layers of protection, including:<\/p>\n