Con artists have created a malicious package on the Python Package Index (PyPI) that impersonates the cybersecurity software SentinelOne. If you have not heard of this software before, many managed service providers use it for threat detection, and its response features allow them to protect their clients' IT operations.
The SentinelOne imposter package is just the most recent threat of this kind and highlights the increasing danger to software supply chains. Bad actors take advantage of developer confusion to insert malicious code into legitimate applications and development pipelines, according to a report shared with The Hacker News. To be specific about a developer's job: developers write and test the code behind websites, applications and other computer programs, using their in-depth expertise in programming languages and frameworks to produce software that is both functional and effective.
When was this malicious package discovered?
The package was discovered by ReversingLabs, which states that it was published between December 8 and 11. Throughout this period it was updated more than 20 times, across different versions, before it was taken down; the malicious actors kept updating it to improve and correct its malicious capabilities. It is stated that the package was downloaded over 1,000 times before its removal.
How are hackers trying to deceive developers into downloading this bogus software?
The package does deliver the functionality it advertises: it makes the SentinelOne API simple to use. APIs connect different software platforms and give developers access to a service's or system's capabilities for use in their own applications.
However, the download was laced with malicious code designed to access private information on the compromised developers' machines and steal data belonging to SentinelOne clients.
Researcher Karlo Zanki of ReversingLabs states, “The package appears to be a fully functional SentinelOne client but contains a malicious backdoor. The malicious functionality in the library does not execute upon installation but waits to be called on programmatically before activating — a possible effort to avoid detection.” This campaign has been labeled “SentinelSneak.”
Information that can be accessed includes, but is not limited to:
- Login credentials
- Configuration data
- Host files
- SSH Keys (a type of authentication method that uses a pair of public and private keys to secure and verify access to a computer or server over a Secure Shell connection).
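As an added example (not code from the original post, from SentinelOne or from ReversingLabs), here is a small Python audit script a development team could run on a third-party package before it reaches a build pipeline. It performs the two checks the story motivates: whether a distribution name is on an approved allowlist or merely borrows a trusted vendor's name, and whether the shipped source references credential paths such as SSH keys or the hosts file alongside network calls. The second check matters because a backdoor that only activates when called will not show up in an install-time sandbox, so reading the shipped source is the control that catches it. All package names, vendor names, paths and the sample modules are constructed for the example and do not describe the real malicious package.

```python
"""Pre-flight audit for a third-party Python package (constructed example).

  1. name_verdict(): is the distribution on our approved allowlist, and if
     not, does its name borrow a trusted vendor's name (impersonation)?
  2. scan_source(): does any module reference secret-bearing paths (SSH
     keys, hosts file, cloud credentials) AND outbound network calls?

Every package name, vendor name, path and sample module below is constructed
for this example.
"""
import difflib
import os
import re
import tempfile

# Constructed allowlist of distributions this pipeline may pull.
APPROVED = {"requests", "boto3", "cryptography", "sentinelone-official-sdk"}
# Constructed vendor/product names we never expect in an unreviewed package.
TRUSTED_VENDORS = {"sentinelone", "crowdstrike", "okta"}

# Regexes for paths that hold credentials or host configuration.
SENSITIVE_PATHS = [
    r"\.ssh/", r"id_rsa", r"id_ed25519", r"/etc/hosts",
    r"\.bash_history", r"\.aws/credentials", r"\.kube/config",
]
# Regexes for common ways of sending data off the machine.
NETWORK_CALLS = [
    r"urllib\.request", r"urlopen\(", r"requests\.(get|post)\(",
    r"socket\.socket\(", r"http\.client",
]


def name_verdict(name, approved=APPROVED, vendors=TRUSTED_VENDORS, cutoff=0.8):
    """Classify a distribution name as approved, suspicious or unapproved."""
    norm = name.lower().replace("_", "-")
    if norm in approved:
        return "approved"
    head = norm.split("-")[0]  # e.g. "sentinel1" from "sentinel1-sdk"
    for vendor in vendors:
        same_vendor = vendor in norm
        looks_alike = difflib.SequenceMatcher(None, head, vendor).ratio() >= cutoff
        if same_vendor or looks_alike:
            return f"suspicious: resembles trusted vendor name '{vendor}'"
    return "unapproved"


def scan_source(root):
    """Return modules under root that touch sensitive paths AND the network."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(".py"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            paths_hit = [p for p in SENSITIVE_PATHS if re.search(p, text)]
            net_hit = [p for p in NETWORK_CALLS if re.search(p, text)]
            if paths_hit and net_hit:
                findings.append({"file": os.path.relpath(path, root),
                                 "sensitive_paths": paths_hit,
                                 "network": net_hit})
    return findings


# Constructed sample package: an honest client module plus a dormant helper
# that references secrets and a network module only inside a function.
BENIGN_MODULE = '''
import requests

def list_agents(token):
    return requests.get("https://api.example.invalid/agents",
                        headers={"Authorization": token}).json()
'''

DORMANT_MODULE = '''
import os
import urllib.request

def gather():
    # Nothing here runs at import or install time; it waits to be called.
    key_path = os.path.expanduser("~/.ssh/id_rsa")
    hosts = "/etc/hosts"
    return key_path, hosts
'''


def build_sample_package():
    """Write the constructed sample package to a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="pkg_audit_")
    pkg = os.path.join(root, "sentinel_sdk")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "client.py"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_MODULE)
    with open(os.path.join(pkg, "helpers.py"), "w", encoding="utf-8") as fh:
        fh.write(DORMANT_MODULE)
    return root


def audit(name, root):
    """Combine both checks into one report a pipeline gate can act on."""
    findings = scan_source(root)
    verdict = name_verdict(name)
    return {"name": name, "verdict": verdict, "findings": findings,
            "block": verdict != "approved" or bool(findings)}


if __name__ == "__main__":
    print(audit("sentinelone-sdk", build_sample_package()))
```

The regex lists are deliberately coarse: a hit is a prompt for a human to read the flagged module, not proof of malice, and the name check errs toward blocking anything that carries a trusted vendor's name until it has been verified against that vendor's official channel.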
While this may be alarming to those who use this software, it is good to know that the real SentinelOne software has the proper security measures in place to keep hackers away from your private information. In a recent interview with The Hacker News, SentinelOne stated that it has no connection to the package impersonating the company. It also stated that its customers are secure and that it has seen no evidence of clients being compromised as a result of the campaign.
Overall, it is important to raise awareness of this issue because con artists are now targeting the software developers who create the very applications that you and I use, and they do it by impersonating well-known antivirus software. Therefore, it is important to stay informed about these issues and the latest attacks designed to steal sensitive data.
The Infiniwiz technical team in the Chicagoland area takes a proactive approach to your cybersecurity. We set up the right IT protocols and help you put in place the employee procedures that will keep your data and network safe from online hackers. However, make sure to do your part in staying alert. If you have any more questions, feel free to contact us!