ReversingLabs researchers discuss a campaign that mimics a legitimate security firm’s software development kit.
SentinelSneak is not a legitimate SDK.
Researchers have discovered a campaign they’re calling “SentinelSneak,” a malicious Python package posing as a SentinelOne software development kit (SDK), ReversingLabs reports.
What is SentinelSneak? (Hint: it’s not SentinelOne.)
ReversingLabs says that the package, named SentinelOne (with no connection to the security firm of the same name), was first seen in the Python Package Index (PyPI) on December 11, 2022. It is presented as a “fully functional SentinelOne client,” but it carries a malicious backdoor.
What does SentinelSneak do?
SentinelSneak does not strike immediately after installation, Dark Reading reports: the malicious function lies dormant until another program calls it. The researchers note that this shows the threat actors’ desire to target the software supply chain “as a way to inject compromised code into targeted systems as a beachhead for further attacks.” Those further attacks likely have not yet occurred, the researchers say. This is only the latest threat to leverage the PyPI repository; other actors rely on strategies such as “typosquatting,” ReversingLabs researchers said in their advisory.
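The two tricks the article describes, a package that borrows a security vendor's brand name and names that sit one typo away from a real dependency, can both be screened for before a build pulls a package. The script below is an added example, not code from the article or from ReversingLabs; the vendor domain, the allowlist and the package metadata are all constructed, and the metadata is shaped like the `info` object returned by the PyPI JSON API.

```python
import re
from urllib.parse import urlparse
# Assumed policy (not from the article): brand -> domain the vendor really
# publishes from, plus an allowlist of packages the build may pull.
PROTECTED_VENDORS = {"sentinelone": "sentinelone.com"}
APPROVED_PACKAGES = {"requests", "cryptography"}
# Constructed metadata shaped like the PyPI JSON API `info` object (not real data).
SAMPLE_INFO = {
    "SentinelOne": {"home_page": "https://github.com/someuser/sentinelone",
                    "author_email": "dev@example.net"},
    "sentinelone-sdk-example": {"home_page": "https://docs.sentinelone.com/",
                                "author_email": "sdk@sentinelone.com"},
    "requsets": {"home_page": "", "author_email": ""},
}

def normalize(name):  # PEP 503 form: 'Sentinel_One.SDK' -> 'sentinel-one-sdk'
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    """Edit distance, used to spot lookalike (typosquatted) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def declared_domains(info):
    """Hosts the package's own metadata names (self-reported, so untrusted)."""
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    hosts = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    email = info.get("author_email") or ""
    if "@" in email:
        hosts.add(email.rsplit("@", 1)[1].lower())
    return hosts

def check_package(name, info):
    """Return findings for one package; an empty list means no red flag."""
    findings, norm = [], normalize(name)
    for brand, domain in PROTECTED_VENDORS.items():
        if brand in norm.replace("-", ""):
            hosts = declared_domains(info)
            if not any(h == domain or h.endswith("." + domain) for h in hosts):
                findings.append(f"impersonation: {name} claims {brand} but points to {sorted(hosts) or 'no domain'}")
    for approved in APPROVED_PACKAGES:
        d = levenshtein(norm, normalize(approved))
        if 0 < d <= 2:
            findings.append(f"lookalike: {name} is {d} edit(s) from approved '{approved}'")
    return findings
```

Package metadata is written by the uploader, so a careful impersonator can point it at the vendor's domain; treat a clean result as a screen passed, not as proof of provenance, and pair it with pinned hashes or a private index.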
Industry commentary on SentinelSneak.
Jason Kent, Hacker in Residence at Cequence Security, discusses API Key harvesting from malicious SDKs:
"When asked why he robbed banks, Willie Sutton said 'cuz that’s where the money is.' When looking to find magic keys to the kingdom for an organization, the attacker is going to look where the API keys are. Since you can’t get API keys from developers just by using charm and personality, like Willie, you have to employ the right weapons.
"It is possible to crawl through git repos and find API keys; we read about these sorts of attacks all the time. What if you could put some context around the API keys and harvest keys from organizations that will have specific technology deployed? Enter the world of API key harvesting SDKs that mimic SDKs from well-known security companies. This gives us the ability to contextually harvest API keys from those that are running the technology we care about.
"Fortunately for us, this was noticed. Unfortunately, this is what we are now up against. Everything we do and every tool we use needs to be validated. Any API key we use needs to be invalidated and regenerated every time we need it. The days of having high-privilege API keys that last forever need to go away into the past. If someone can write code that can harvest API keys from our own code, we need to stop allowing API keys to last more than a few minutes."