
Execute remote command through AutoUpdate

Hi everyone,

In a recent analysis of a ransomware attack, where BitLocker was used to encrypt the disk, I found that the company was using Sophos.

In the folder C:\10577-Sophos\AutoUpdate\data\warehouse, I found some files with an XML extension that contain executable code that activates BitLocker, using a command like the following for drives A: to Z:

manage-bde -on F: -rp 599368-358941-467368-368093-397672-261921-132506-522577 -sk C:\ -s

I'm not really into Sophos management and administration, but I read that the warehouse folder can be used as a cache for the update installations.

Is it possible that the attackers abused this Sophos functionality to execute remote commands, activating BitLocker on the remote host?

Regards,

Matteo. 
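As a defensive addition to this thread (not code from the original post, and not Sophos code), the following Python sketch shows how a responder could sweep process-creation telemetry for the pattern Matteo describes: manage-bde -on invoked once per drive letter, with the 48-digit recovery password passed literally on the command line and a startup key written with -sk. The event shape, host names, parent-process path and the recovery-password digits below are constructed placeholders, not real telemetry.

```python
import re
from collections import defaultdict

# "manage-bde -on <drive>:" with optional ".exe"; case-insensitive like cmd.exe.
MANAGE_BDE_ON = re.compile(r"manage-bde(?:\.exe)?\s+-on\s+([A-Za-z]):", re.IGNORECASE)
# A BitLocker numerical recovery password: eight groups of six digits.
RECOVERY_PW = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")
# "-sk" means a startup key is being saved to the given path.
STARTUP_KEY = re.compile(r"\s-sk\s", re.IGNORECASE)

# Constructed sample records, loosely shaped like a Sysmon Event ID 1 /
# Security 4688 feed. Paths, pids and digits are placeholders.
PLACEHOLDER_PW = "111111-222222-333333-444444-555555-666666-777777-888888"
PLACEHOLDER_PARENT = r"C:\10577-Sophos\AutoUpdate\data\warehouse\unknown_parent.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "ppid": 4120, "parent": PLACEHOLDER_PARENT,
     "cmd": rf"manage-bde -on D: -rp {PLACEHOLDER_PW} -sk C:\ -s"},
    {"host": "ws01", "ppid": 4120, "parent": PLACEHOLDER_PARENT,
     "cmd": rf"manage-bde -on E: -rp {PLACEHOLDER_PW} -sk C:\ -s"},
    {"host": "ws01", "ppid": 4120, "parent": PLACEHOLDER_PARENT,
     "cmd": rf"manage-bde -on F: -rp {PLACEHOLDER_PW} -sk C:\ -s"},
    # Benign-looking admin usage: a recovery protector is requested but no
    # literal password is supplied, and only one volume is touched.
    {"host": "ws02", "ppid": 900, "parent": r"C:\Windows\System32\mmc.exe",
     "cmd": r"manage-bde -on C: -RecoveryPassword"},
    {"host": "ws02", "ppid": 900, "parent": r"C:\Windows\System32\mmc.exe",
     "cmd": r"manage-bde -status"},
]


def score_event(event):
    """Return (reasons, drive) for one process-creation record.

    drive is None when the command is not a 'manage-bde -on'. reasons lists
    per-command indicators worth a closer look.
    """
    reasons = []
    match = MANAGE_BDE_ON.search(event["cmd"])
    if not match:
        return reasons, None
    drive = match.group(1).upper()
    # A literal password means whoever launched the command chose the
    # recovery key; legitimate enrolment usually lets BitLocker generate it.
    if RECOVERY_PW.search(event["cmd"]):
        reasons.append("recovery password supplied literally on the command line")
    if STARTUP_KEY.search(event["cmd"]):
        reasons.append("external startup key (-sk) written to disk")
    return reasons, drive


def analyze(events, drive_threshold=3):
    """Flag suspicious manage-bde -on activity across a batch of events.

    Emits one finding per suspicious command line, plus one aggregate finding
    when a single parent process enables BitLocker on drive_threshold or more
    distinct volumes on the same host (the A: to Z: sweep described above).
    """
    findings = []
    drives_per_parent = defaultdict(set)
    for event in events:
        reasons, drive = score_event(event)
        if drive is None:
            continue
        drives_per_parent[(event["host"], event["ppid"], event["parent"])].add(drive)
        if reasons:
            findings.append({"host": event["host"], "drive": drive, "reasons": reasons})
    for (host, ppid, parent), drives in drives_per_parent.items():
        if len(drives) >= drive_threshold:
            findings.append({
                "host": host,
                "drive": ",".join(sorted(drives)),
                "reasons": [f"parent {parent} (pid {ppid}) enabled BitLocker on "
                            f"{len(drives)} volumes"],
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["host"], finding["drive"], "; ".join(finding["reasons"]))
```

The per-parent aggregation is the part that separates an encryption sweep from a single administrator enabling BitLocker on one volume; tune drive_threshold to the number of volumes your hosts normally carry. Because the literal recovery password ends up in the process command line, the same telemetry that raises the alert also preserves the key a responder needs for recovery, so retain those events rather than just the alert.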
