Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CrowdStrike. Show all posts
Microsoft
antivirus software Antivirus System CrowdStrike CrowdStrike outage Cyber Outage Cyber Security Microsoft

How an IT Team Used Windows 3.1 to Mitigate a Massive CrowdStrike Outage

 

In an unprecedented event, a single update from anti-virus company CrowdStrike caused global havoc, affecting millions of Windows computers. This incident, described as the largest outage ever, disrupted numerous services and companies worldwide. As reports of the “Blue Screen of Death” (BSOD) flooded in, Microsoft was quick to clarify that this was a “third-party issue,” placing the blame squarely on CrowdStrike’s update to its Falcon virus scanner. 

The repercussions of this update were immediate and far-reaching. Millions of computers running Windows software experienced critical failures, bringing operations to a halt. Apple and Linux users were unaffected, which only highlighted the extent of the disruption within the Windows ecosystem. CrowdStrike’s response included a fix for the issue, but this solution required manual reboots in safe mode for affected machines. This task was easier said than done, especially for organizations with numerous devices, many of which were not easily accessible. 

Interestingly, an IT team found an unconventional solution to the problem. By leveraging the long-outdated Windows 3.1 operating system, they managed to navigate the crisis effectively. The story of this team’s ingenuity quickly became a focal point amid the chaos. Their ability to use such an old operating system to circumvent the issues posed by the update provided a glimmer of hope and a unique narrative twist to the otherwise grim situation. The CrowdStrike incident underscores the vulnerability of our modern, interconnected systems. 

With so much reliance on digital infrastructure, a single flawed update can ripple outwards, causing substantial disruption. It also serves as a poignant reminder of the resilience and resourcefulness often required in IT management. While it might seem archaic, the use of Windows 3.1 in this scenario was a testament to the enduring utility of older technologies, particularly in crisis situations where conventional solutions fail.  
CrowdStrike’s official statement, which notably lacked an apology, fueled frustration among users. However, CEO George Kurtz later expressed deep regret for the impact caused, acknowledging the disruption to customers, travelers, and affected companies. This incident has inevitably led to questions about the robustness of update deployment processes, especially given the scale of this outage. The timing of the update also came under scrutiny. 

As one computer scientist noted, pushing an update on a Friday is risky. Fewer staff are typically available over the weekend to address potential issues, leading to prolonged resolution times. Many large firms, therefore, prefer to schedule updates mid-week to mitigate such risks. For those impacted, CrowdStrike provided detailed instructions on its support website for fixing the issue. 
Organizations with dedicated IT teams coordinated widespread responses to manage the situation effectively. Unlike typical outages that might resolve themselves quickly, this event required significant manual intervention, highlighting the critical importance of preparedness and robust contingency planning. In conclusion, the CrowdStrike update debacle not only disrupted global operations but also showcased the adaptability and ingenuity of IT professionals. It reinforced the critical need for careful planning and the sometimes surprising utility of legacy systems in modern IT environments. 

As the world recovers from this incident, it serves as a stark reminder of our dependence on digital tools and the importance of rigorous update management.
Read more »
Software
CrowdStrike Cyber Security Global Airlines IT system Microsoft 365 Software

Global IT Outage Disrupts Airlines, Hospitals, and Financial Institutions

 



A major IT outage has affected a wide array of global institutions, including hospitals, major banks, media outlets, and airlines. The disruption has hindered their ability to offer services, causing widespread inconvenience and operational challenges.

International airports across India, Hong Kong, the UK, and the US have reported significant issues, with numerous airlines grounding flights and experiencing delays. In the US, major airlines such as United, Delta, and American Airlines implemented a "global ground stop" on all flights, while Australian carriers Virgin and Jetstar faced delays and cancellations. According to aviation analytics firm Cirium, over 1,000 flights worldwide have been cancelled due to the outages.

At Indira Gandhi International Airport in Delhi, passengers experienced "absolute chaos," with manual processes replacing automated systems. Similar situations were reported in airports in Tokyo, Berlin, Prague, and Zurich, where operations were significantly hampered.

Emergency services and hospitals have also been severely impacted. In the US state of Alaska, officials warned that the 911 system might be unavailable, and some hospitals have had to cancel surgeries. In Australia, however, authorities confirmed that triple-0 call centres were unaffected.

Hospitals in Germany and Israel reported service disruptions, while GP services in the UK were also affected. These interruptions have raised concerns about the ability of medical facilities to provide timely care.

The media sector did not escape the impact, with many broadcast networks in Australia experiencing on-air difficulties. Sky News UK went off air for a period but has since resumed broadcasting. Retail operations were also disrupted, with supermarkets like Coles in Australia facing payment system failures, forcing the closure of self-checkout tills.

Cybersecurity firm CrowdStrike has confirmed that a defective software update for its Microsoft Windows hosts caused the outage. In a statement, CrowdStrike assured that the issue had been identified, isolated, and a fix deployed, emphasising that the incident was not a cyberattack. They advised organisations to communicate with CrowdStrike representatives through official channels to ensure proper coordination.

Earlier in the day, a Microsoft 365 service update had noted an issue impacting users' ability to access various Microsoft 365 apps and services. Microsoft later reported that most services were restored within a few hours.

The outage has highlighted the vulnerabilities of global IT systems and the widespread reliance on third-party software. A spokesperson for Australia's home affairs ministry attributed the issues to a technical problem with a third-party software platform used by the affected companies. The country's cybersecurity watchdog confirmed that there was no evidence of a malicious attack.

As companies scramble to resolve the issues, the incident serves as a stark reminder of the critical need for robust IT infrastructure and effective crisis management strategies. The global scale of the disruption underscores the interconnected nature of modern technology and the potential for widespread impact when systems fail.

This incident will likely prompt a reevaluation of cybersecurity measures and disaster recovery plans across various sectors, emphasising the importance of resilience and preparedness in the digital age.


Read more »
Windows reboot loop
Azure outage CrowdStrike CrowdStrike outage Cyber Security Cybersecurity Incident faulty software update global IT crisis Windows Windows reboot loop

Recent IT Meltdown: CrowdStrike Update Causes Global Chaos, Predicted Hours Earlier on Reddit

 

Only a few times in history has a single piece of code instantly wreaked havoc on computer systems globally. Examples include the Slammer worm of 2003, Russia’s NotPetya cyberattack targeting Ukraine, and North Korea’s WannaCry ransomware. However, the recent digital catastrophe over the past 12 hours wasn't caused by hackers, but by the software meant to protect against them.

Two major internet infrastructure issues converged on Friday, causing widespread disruptions across airports, train systems, banks, healthcare organizations, hotels, and television stations. The trouble began on Thursday night with a widespread outage on Microsoft's cloud platform, Azure. By Friday morning, things worsened when CrowdStrike released a flawed software update, causing Windows computers to reboot repeatedly. Microsoft stated that the two failures are unrelated.

The cause of one disaster was identified: a faulty update to CrowdStrike’s Falcon monitoring product. This antivirus platform, which requires deep system access, aims to detect malware and suspicious activity. However, the update inadvertently caused the system to crash. Mikko Hyppönen of WithSecure noted that this is unprecedented in its global impact, although similar issues were more common in the past due to worms or trojans.

CrowdStrike CEO George Kurtz explained that the problem was due to a defect in the code released for Windows, leaving Mac and Linux systems unaffected. A fix has been deployed, and Kurtz apologized for the disruption. CrowdStrike’s blog revealed that the crash was caused by a configuration file update aimed at improving Falcon’s malware detection capabilities, which triggered a logic error leading to system crashes.

Security analysts initially believed the issue was due to a kernel driver update, as the file causing the crash ended in .sys, the extension for kernel drivers. Despite CrowdStrike clarifying that it wasn’t a kernel driver, the file altered the driver’s functionality, causing the crash. Matthieu Suiche of Magnet Forensics compared the risk of running security software at the kernel level to “open-heart surgery.”

Microsoft requires approval for kernel driver updates but not for configuration files. CrowdStrike is not the first to cause such crashes; similar issues have occurred with updates from Kaspersky and Windows Defender. CrowdStrike’s global market share likely contributed to the widespread impact, potentially causing a chain reaction across web infrastructure.

The outages had severe consequences worldwide. In the UK, Israel, and Germany, healthcare services and hospitals faced disruptions, while emergency services in the US experienced issues with 911 lines. TV stations, including Sky News in the UK, had to stop live broadcasts. Air travel was significantly affected, with airports using handwritten boarding passes and airlines grounding flights temporarily.

The incident highlights the fragility and interconnectedness of global digital infrastructure. Security practitioners have long anticipated such vulnerabilities. Ciaran Martin of the University of Oxford noted the event’s powerful illustration of global digital vulnerabilities.

The update’s extensive impact puzzled experts. CrowdStrike’s significant market share suggests the update triggered crashes in various parts of the web infrastructure. Hyppönen speculated that human error might have played a role in the update process.

As system administrators work to fix the issue, the larger question of preventing similar crises looms. Jake Williams of Hunter Strategy suggested that CrowdStrike’s incident might prompt demands for changes in how updates are managed, emphasizing the unsustainability of pushing updates without IT intervention.

Redditor Predicted CrowdStrike Outage Hours Before Global IT Chaos

A Reddit user, u/King_Kunta_, predicted vulnerabilities in CrowdStrike's systems just hours before the company caused a massive global IT outage. The user called CrowdStrike a "threat vector," suggesting it was susceptible to exploits that could lead to widespread damage. Initially, users dismissed the claims, but their tune changed dramatically after the outage occurred.

One commenter noted, "He tells us that CrowdStrike is a threat vector. A few hours later, every computer in the world with the CrowdStrike client installed goes blue screen. The single biggest global PC system collapse in history. Just uncanny."

Amidst the chaos, CrowdStrike's CEO George Kurtz reassured the public via X (formerly Twitter), stating, "Today was not a security or cyber incident. Our customers remain fully protected," and confirming that the issue was due to an update error, not a cyberattack.

Despite reassurances, many were left suspicious and impressed by the timing and accuracy of the Reddit post. One user aptly summed up the sentiment: "There’s no way the timing of this crazy post aligns so perfectly."
Read more »
Virus Attack
Antivirus Crowdsource Security CrowdStrike Cyber Security data security Microsoft Virus Attack

Global Outage Caused by Anti-Virus Update from Crowdstrike

 

A recent update from the anti-virus firm Crowdstrike has led to a global outage affecting millions of Windows users. The incident is being termed one of the most extensive outages ever, impacting numerous services and companies worldwide. Crowdstrike, a company many may not have heard of before, inadvertently caused this disruption with a problematic update to its Falcon virus scanner. The update led to widespread reports of the infamous Blue Screen of Death (BSOD) on computers running Windows. 

Microsoft quickly clarified that the issue was due to a third-party problem, absolving itself of direct responsibility. Users of Apple and Linux systems were unaffected, which brought some relief to those communities. Crowdstrike has since released a fix for the issue, but the recovery process remains cumbersome. IT professionals have noted that each affected machine requires a manual reboot in safe mode to restore normal operations. This task is complicated by the physical accessibility of the devices, making the resolution process even more challenging. There is currently no indication that the issue was caused by malicious intent or that any data has been compromised. 

Nonetheless, this incident highlights the crucial importance of staying updated with software patches, albeit with a note of caution. The cybersecurity community continues to stress the necessity of regular updates while acknowledging the occasional risks involved. Crowdstrike’s initial response fell short of an apology, which drew significant criticism online. However, CEO George Kurtz later issued a public apology via NBC News, expressing deep regret for the disruption caused to customers, travelers, and affected companies. This gesture, while somewhat late, was an important step in addressing the public’s concerns. This episode serves as a stark reminder of our heavy reliance on remotely managed devices and the vulnerability that comes with it. 

Despite robust systems in place to catch most issues, some problems, like this one, slip through the cracks. The timing of the update, which was pushed out on a Friday, compounded the difficulties, as fewer staff are typically available over the weekend to address such crises. For Crowdstrike customers, detailed instructions for the fix are available on the company’s support website. Many companies with dedicated IT teams are likely coordinating their responses to ensure a swift resolution. 

Unlike many outages that resolve themselves quickly, this incident will take days, if not longer, to fully mend, illustrating the significant impact of a single flawed update in our interconnected digital world.
Read more »
UNC
CrowdStrike Cyber Security cybercriminals Financial Threat Google Cloud Google Mandiant Mandiant Threat Intelligence UNC

Protecting Your Business from Snowflake Platform Exploitation by UNC5537

 

A recent report from Mandiant, a subsidiary of Google Cloud, has uncovered a significant cyber threat involving the exploitation of the Snowflake platform. A financially motivated threat actor, identified as UNC5537, targeted around 165 organizations' Snowflake customer instances, aiming to steal and exfiltrate data for extortion and sale. Snowflake, a widely-used cloud data platform, enables the storage and analysis of vast amounts of data. The threat actor gained access to this data by using compromised credentials, which were obtained either through infostealer malware or purchased from other cybercriminals. 

UNC5537 is known for advertising stolen data on cybercrime forums and attempting to extort victims. The sold data can be used for various malicious purposes, including cyber espionage, competitive intelligence, and financial fraud. The joint statement from Snowflake, Mandiant, and cybersecurity firm CrowdStrike clarifies that there is no evidence of a vulnerability, misconfiguration, or breach within Snowflake’s platform itself. 

Additionally, there is no indication that current or former Snowflake employees' credentials were compromised. Instead, the attackers acquired credentials from infostealer malware campaigns that infected systems not owned by Snowflake. This allowed them to access and exfiltrate data from the affected Snowflake customer accounts. Mandiant's research revealed that UNC5537 primarily used credentials stolen by various infostealer malware families, such as Vidar, Risepro, Redline, Racoon Stealer, Lumma, and Metastealer. Many of these credentials dated back to November 2020 but remained usable. The majority of credentials exploited by UNC5537 were exposed through previous infostealer malware incidents. 

The initial compromise often occurred on contractor systems used for personal activities like gaming and downloading pirated software, which are common vectors for spreading infostealers. Once obtained, the threat actor used these credentials to access Snowflake accounts and extract valuable customer data. UNC5537 also purchased credentials from cybercriminal marketplaces, often through Initial Access Brokers who specialize in selling stolen corporate access. The underground market for infostealer-obtained credentials is robust, with large lists of stolen credentials available for free or for purchase on the dark web and other platforms. 

According to Mandiant, 10% of overall intrusions in 2023 began with stolen credentials, making it the fourth most common initial intrusion vector. To protect your business from similar threats, it is crucial to implement robust cybersecurity measures. This includes regular monitoring and updating of all systems to protect against infostealer malware, enforcing strong password policies, and ensuring that all software is kept up to date with the latest security patches. Employee training on cybersecurity best practices, especially regarding the dangers of downloading pirated software and engaging in risky online behavior, is also essential. 

Moreover, consider using multi-factor authentication (MFA) to add an extra layer of security to your accounts. Regularly audit your systems for any unusual activity or unauthorized access attempts. Engage with reputable cybersecurity firms to conduct thorough security assessments and implement advanced threat detection solutions. By staying vigilant and proactive, businesses can better protect themselves from the threats posed by cybercriminals like UNC5537 and ensure the security and integrity of their data.
Read more »
Two Factor Authentication
CrowdStrike Cyber Attacks cybercriminals Employee Data Employees IBM Identity Theft MFA phishing Two Factor Authentication

Safeguarding Your Employee Data From Identity Theft

 

In today's digital age, where data breaches and cyberattacks are increasingly common, safeguarding against identity-based attacks has become paramount for organizations worldwide. Identity-based attacks, which involve the unauthorized access to sensitive information through compromised user credentials, pose significant risks to businesses of all sizes and industries. 

As CrowdStrike reported, 80% of attacks involve identity and compromised credentials, highlighting the widespread nature of this threat. Additionally, an IBM report found that identity-related attacks are now the top vector impacting global cybercrime, with a staggering 71% yearly increase. 

Cybercriminals employ various tactics to carry out identity-based attacks, targeting organizations through phishing campaigns, credential stuffing, password spraying, pass-the-hash techniques, man-in-the-middle (MitM) attacks, and more. Phishing campaigns, for example, involve the mass distribution of deceptive emails designed to trick recipients into divulging their login credentials or other sensitive information. Spear-phishing campaigns, on the other hand, are highly targeted attacks that leverage personal information to tailor phishing messages to specific individuals, increasing their likelihood of success.  

Credential stuffing attacks exploit the widespread practice of password reuse, where individuals use the same passwords across multiple accounts. Cybercriminals obtain credentials from previous data breaches or password dump sites and use automated tools to test these credentials across various websites, exploiting the vulnerabilities of users who reuse passwords. Password spraying attacks capitalize on human behavior by targeting commonly used passwords that match the complexity policies of targeted domains. 

Instead of trying multiple passwords for one user, attackers use the same common password across many different accounts, making it more difficult for organizations to detect and mitigate these attacks. Pass-the-hash techniques involve obtaining hashed versions of user passwords from compromised systems and using them to authenticate into other systems without needing to crack the actual password. This method allows attackers to move laterally within a network, accessing sensitive data and executing further attacks. MitM attacks occur when attackers intercept network connections, often by setting up malicious Wi-Fi access points. 

By doing so, attackers can monitor users' inputs, including login credentials, and steal sensitive information to gain unauthorized access to accounts and networks. To mitigate the risk of identity-based attacks, organizations must adopt a multi-layered approach to security. This includes implementing strong password policies to prevent the use of weak or easily guessable passwords and regularly auditing user accounts for vulnerabilities. 

Multi-factor authentication (MFA) should be implemented across all applications to add an extra layer of security by requiring users to provide a second form of authentication, such as a one-time password or biometric data, in addition to their passwords. Furthermore, organizations should protect against social engineering attacks, which often target service desk staff to gain unauthorized access to sensitive information. Automated solutions can help verify user identification and reduce the risk of social engineering vulnerabilities. 

 Identity-based attacks pose significant risks to organizations, but by implementing robust security measures and remaining vigilant against evolving threats, businesses can effectively mitigate these risks and safeguard their sensitive information from cybercriminals.
Read more »
Online Security
Cloudfare CrowdStrike Cyber Attacks Cybersecurity Okta Data Breach Online Security

Cloudflare Faces Cybersecurity Breach in Okta Supply-Chain Attack



Cloudflare, a prominent Internet security and DDoS protection company, recently fell victim to a cyberattack linked to the widespread Okta supply-chain campaign last fall. The breach, affecting Cloudflare's Atlassian Bitbucket, Confluence, and Jira platforms, commenced on Thanksgiving Day.

Cloudflare, in collaboration with industry and government partners, determined that a nation-state attacker aimed to gain persistent and widespread access to its global network. Working with CrowdStrike, the company found that cyber attackers initially accessed the internal wiki (Confluence) and bug database (Jira). They later established persistence on the Atlassian server and proceeded to explore potential points of entry. The assailants successfully breached Cloudflare's source code management system (Bitbucket) and an AWS instance.

The analysis revealed the attackers sought information about the configuration and management of Cloudflare's global network. They accessed various Jira tickets related to vulnerability management, secret rotation, MFA bypass, network access, and the company's response to the Okta incident. Fortunately, due to network segmentation and a zero-trust authentication approach limiting lateral movement, the attackers were largely prevented from accessing critical systems.

Despite minimal access, Cloudflare took comprehensive measures, rotating over 5,000 production credentials, segmenting test and staging systems, and conducting forensic triages on nearly 5,000 systems. The company also reimaged and rebooted every machine in its global network and all Atlassian products.

Experts emphasise the severity of supply chain attacks, highlighting the risk of non-human access being exploited by attackers to gain high-privilege access to internal systems. This breach underscores the importance of monitoring both cloud-based and on-premises solutions.

Notably, Cloudflare identified the compromise's connection to a prior Okta breach in October. Okta, an identity and access management services provider, disclosed a compromise in its customer support case management system, exposing sensitive customer data. The attackers leveraged access tokens and service account credentials obtained during the Okta compromise. All threat actor access was terminated on November 24, according to CrowdStrike.

In response, Cloudflare conducted a thorough security remediation, emphasising the need for credential rotation after a security incident. Okta confirmed its prior notification to customers about the October security incident, urging them to rotate credentials and providing indicators of compromise.

This incident draws attention to the ongoing challenges posed by sophisticated cyber threats, making it clear that the importance of continuous vigilance and proactive security measures is substantial. The collaboration between companies and security experts remains crucial in mitigating the impact of such attacks.

As cybersecurity threats continue to evolve, it is imperative for organisations to stay informed, implement robust security practices, and prioritise swift responses to potential breaches.


Read more »
Threat actors
CISA & FBI CrowdStrike cryptocurrency hack Cyber Attacks IT Companies JumpCloud Labyrinth Collima North Korea Hackers Threat actors

North Korea-Backed Hackers Breach US Tech Company to Target Crypto Firms


A North Korean state-sponsored hacking group has recently breached a US IT management company, in a bid to further target several cryptocurrency companies, cybersecurity experts confirmed on Thursday. 

The software company – JumpCloud – based in Louisville, Colorado reported its first hack late in June, where the threat actors used their company’s systems to target “fewer than 5” of their clients. 

While the IT company did not reveal the identity of its affected customers, cybersecurity firms CrowdStrike Holding and Alphabet-owned Mandiant – managing JumpCloud and its client respectively – claims that the perpetrators are known for executing heists targeting cryptocurrency. 

Moreover, two individuals that were directly connected to the issue further confirmed the claim that the JumpCloud clients affected by the cyberattack were in fact cryptocurrency companies. 

According to experts, these North Korea-backed threat actors, who once targeted firms piecemeal are now making efforts in strengthening their approach, using tactics like a “supply chain attack,” targeting companies that could provide them wider access to a number of victims at once.

However, Pyongyang’s mission to the UN did not respond to the issue. North Korea has previously denied claims of it being involved in cryptocurrency heists, despite surplus evidence claiming otherwise.

CrowdStrike has identified the threat actors as “Labyrinth Collima,” one of the popular North Korea-based operators. The group, according to Mandiant, works for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

However, the U.S. cybersecurity agency CISA and the FBI did not confirm the claim. 

Labyrinth Chollima is one of North Korea’s most active hackers, claiming responsibility for some of the most notorious and disruptive cyber threats in the country. A staggering amount of funds has been compromised as a result of its cryptocurrency theft: An estimated $1.7 billion in digital currency was stolen by North Korean-affiliated entities, according to data from blockchain analytics company Chainalysis last year.

JumpCloud hack first came to light earlier this month when an email from the firm reached its customers, mentioning how their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

Adam Meyers, CrowdStrike’s Senior Vice President for Intelligence further warns against Pyongyang’s hacking squads, saying they should not be underestimated. "I don't think this is the last we'll see of North Korean supply chain attacks this year," he says.  

Read more »
Data Theft
Cloud Data CrowdStrike Cyber Frauds. Cyberattacks Cybesecurity Data Theft

Cloud Data Theft is Booming According to CrowdStrike

 

An industry-leading cybersecurity company known as CrowdStrike reported that it had seen the largest increase in adversaries in one year. This was in comparison with what it had observed in the past. There was an increase in cloud attacks by 95% according to the study, which identified 33 re-new threat actors, approximately three times as many cases from 2021 involving cloud-conscious actors as they did in 2022. 

As a result of these trends, CrowdStrike believes that it will become more common for e-currency and nation-state actors to use their tradecraft and knowledge to greatly exploit cloud environments in the future, it stated in its global threat report for 2023. 

There has been a shift among bad actors away from deactivating antivirus and firewall technologies, and away from efforts to tamper with logs. Instead, they have turned toward modifications to authentication processes and attacks on identities, according to the report. 

There has been a dramatic rise in identity theft as a result of a wide range of threats. Identifying and privileged access credentials are among the most common targets targeted by hackers. Why? On the dark web, attackers want to sell compromised information to third parties for high prices to become access brokers and make money off the stolen information. 

As attackers reinvent themselves as access brokers, CrowdStrike's report provides a sobering look at their emergence. There is a 20% increase in adversaries engaging in extortion campaigns and theft of data related to the cloud as per the report. 

A broader analysis revealed an increase of 33 new adversaries in just one year. This was the biggest increase in the number of adversaries ever! Recent telecommunications, BPO, tech, and BPO companies have been the victims of sophisticated attacks carried out by both Scattered Spider and Slippery Spider malware. 

Cloud Security is Hampered by Overcast Skies

In addition to the multitude of new and unknown threat actors that CrowdStrike's report uncovered, CrowdStrike's report also noted a surge in identity-based threats, cloud exploits, national intelligence services, and attacks that re-pointed to previously patched vulnerabilities as weapons of mass destruction.

CrowdStrikeFalcon OverWatch measures the break-through time of adversaries according to the report by determining how far a compromised host is from a second host within the victim environment or how long the adversaries have to move laterally within the victim environment to gain access to the compromised host. This report from the National Institute on Crime and Law Enforcement suggests that for interactive eCrime intrusions, the average breakthrough time has decreased from 98 minutes in 2021 to 84 minutes in 2022. 

To minimize costs and ancillary damages caused by attackers, CISOs and their teams must respond more quickly as the breach window shrinks, and as attack windows become shorter. The 1-10-60 rule is one that CrowdStrikes recommends security teams follow: detect threats within the first minute, understand them within the first 10 minutes, and respond within the first 60 minutes.

It is well known that hackers, nation-states, and cybercriminals are growing at an exponential rate around the world. 

In an announcement made by Meyers, CrowdStrike has added Syria, Turkey, and Columbia to its list of malicious host countries it has already identified. As a result of interactive intrusions, Meyers reported there was a 50% increase compared to last year. Human adversaries try to bypass the computer's and antivirus defenses, contributing to the rise in human-computer crime. 

The Microsoft company published 28 zero days and 1,200 patches; however, only two out of 28 of those patches and zero days were exploited by nation-nexus and cybercriminal adversaries, who circumvented patches and bypassed mitigations, exploiting legacy vulnerabilities such as Log4Shell and keeping up with ProxyNotShell and Follina vulnerabilities. 

Engineers and Cloud Defenders Must be Versatile 

A variety of techniques are used by attackers to inject themselves into cloud environments and move laterally once they have entered them. There’s no doubt that CrowdStrike’s data shows an increase in both the number of valid cloud accounts used for initial cloud access and the number of public-facing applications being deployed. Also, according to the company, there has been an increase in the number of actors who are attempting to discover cloud accounts as opposed to cloud infrastructures and using legitimate higher-privileged accounts when looking for cloud accounts. 

To be successful in the cloud computing field, engineers need to be more versatile than ever before. For a business or enterprise to succeed, they need to be able to manage, plan, architect, monitor, and anticipate issues regarding cloud security and manage them as part of a continuous process.
Read more »
Threat Detection
2023 Global Threat Report CrowdStrike Cyber Crime Data Extortion Ransomware ransomware attacks Threat Detection

CrowdSrike: Cybercriminals Are Choosing Data Extortion Over Ransomware Attacks


CrowdStrike’s threat intelligence recently reported that cybercriminals have been learning how data extortion attacks are more profitable than ransomware attacks, leading to a drastic shift in the behavior of cyber activities throughout 2022. 

The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-Crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks without the use of software. 

One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker. 

Data extortion has frequently been a part of ransomware operations, with the fear of data exposure intended to provide additional incentive for the victim to pay the demanded ransom. However, as per the CrowdStrike findings, more attackers are now inclining toward data extortion, while abandoning the ransomware element altogether. 

Adam Meyers, head of intelligence at CrowdStrike says that “We’re seeing more and more threat actors moving away from ransomware[…]Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.” 

According to Meyers, the rise in extortion addresses the adaptability of cyber adversaries. He further adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) have witnessed a significant boost. 

CrowdStrike observed and noted the overall waning interest in malware. The firm reported that in 2022, up from 62% in 2021, malware-free activity accounted for 71% of its threat detections. 

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments[…]Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said. 

While also noting the improved resilience of the RaaS network, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one network to another despite the move away from conventional ransomware deployment.  

Read more »
Vulnerabilities and Exploits
CrowdStrike Cyberattacks CyberCriminal Microsoft Phishing Attacks Vulnerabilities and Exploits

To Get Around Security, Hackers Use This Old Trick

 


An old vulnerability in Intel drivers is being exploited by cybercriminals in an attempt to gain access to networks. This is in the form of a security flaw that enables them to get around cybersecurity measures and bypass security systems.  

According to cybersecurity researchers at CrowdStrike, one of the groups tracking the attack is Scattered Spider, also known as Roasted 0ktapus and UNC3944. This group is responsible for the attack on Windows PCs. The campaign has been identified as the work of a cybercriminal group. 

As a financially motivated cybercrime operation, Scattered Spider is described by researchers as especially interested in targeting business outsourcing companies and telecom companies. Obtaining access to the mobile carrier network is the project's main objective.  

Attackers may have initially used phishing attacks using SMS messages to gain access to networks by stealing usernames and passwords. This is to get into them. Several instances have been recorded where attackers have hacked into devices and exploited this access to gain access to other credentials. The group appears to be engaged in SIM-swapping attacks as well.   

As soon as Scattered Spider has gained access to a network, it makes use of a technique called "Bring Your Own Vulnerable Driver" (BYOD), which is designed to exploit security loopholes within the Windows platform.  Microsoft tries to limit the ability of malware to gain access to systems by preventing unsigned kernel-mode drivers from being run by default, but hackers can get around this by installing a legitimately signed but malicious driver, enabling them to carry out attacks despite this. The BYOVD system allows attackers to use unsigned kernel-mode drivers to carry out attacks.   

An attacker may find a way to hack legitimately signed certificates while taking advantage of workarounds to be able to self-sign their own certificates or obtain certificates through deception. Regardless of how they were obtained, the malware may then secretly run on computers, install their own drivers, and disable the security products on them. This is so that their activity can easily be hidden.  

They do not use any malware for this purpose to operate as discreetly as possible. They instead install a large number of legitimate remote access tools that will ensure persistence on the compromised system after they have been compromised. 

There is a vulnerability in the Intel Ethernet diagnostics driver for Windows, which has been identified by CrowdStrike as one of how attackers can deliver malicious kernel drivers.

This vulnerability has been known for a long time, as the ID number suggests. If the security update that closes the vulnerability has not been applied to the system, cybercriminals will still be able to exploit it on the system.  

To combat this and other attacks involving abused signed drivers in the future, researchers urge users to patch vulnerable drivers as a priority.  

There have been several tools that have been compromised by attackers. These include Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne, as well as CrowdStrike's own Falcon security product that attackers have attempted to bypass. Researchers at CrowdStrike claim that Falcon can detect and prevent malicious activity that is being performed by cybercriminals when trying to install and run their own code.  

It has been warned previously by Microsoft that attacks are increasingly targeting legitimate drivers in the ecosystem and infecting computers through their vulnerabilities. Despite Microsoft's efforts to prevent abuse, this attack technique is still successfully used today. 

Scattered Spider seems to be targeting a specific set of industries with this campaign. In contrast, CrowdStrike recommends that security professionals in every industry develop a strategy to ensure the security of their networks against attack, irrespective of their industry type. As an example, this can be achieved by applying the old security patch that has been installed.  

Microsoft also provides advice on how you can help harden services by blocking drivers according to the recommended rules. As with any software or hardware, removing drivers from a device may lead to the malfunctioning of the device or software, and, in some cases, a blue screen of death. A vulnerable driver blocklist cannot guarantee that all drivers found to have vulnerabilities will be identified and eliminated from the list.  
Read more »
Spear Phishing Campaign
CrowdStrike Cyber Phishing malware Malware Attack Phishing Campaign RATs Spear Phishing Campaign

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations


About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign copying big cybersecurity companies, including CrowdStrike. The phishing emails say that the receiver's (e-mail) company has been compromised and that the victim should contact the given phone number. The campaign incorporates similar social-engineering techniques that were used in the recent callback campaigns like WIZARD SPIDER'S 2021 Bazaar all campaign. 

The campaign is likely to include common genuine remote administration tools (RATs) for access in initial stage, off the shelf penetration testing tools for lateral movement, and execution of ransomware or extorting data. The callback campaign incorporates emails that look like it originates from big security companies, the message says that the security company found a potential issue in the receiver's network. As we have noticed in the earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike intelligence can't confirm the version in use, the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

Read more »
Microsoft Exchange Server
China CrowdStrike Email Fraud IISS Malicious Module malware Microsoft Exchange Server

On Microsoft Exchange Servers, a New IceApple Exploit Toolkit was Launched

 

Security analysts discovered a new post-exploitation framework that could enable Microsoft Exchange servers to be compromised. This framework, known as IceApple, was created by threat actors who wanted to preserve a low profile while launching long-term attacks to assist reconnaissance and data exfiltration. 

"As of May 2022, IceApple is under active development, with 18 modules seen in operation across several enterprise contexts," CrowdStrike reported. The complex virus was identified in various victim networks and in geographically separate areas, which were detected in late 2021. Victims come from a variety of fields, including technology, academia, and government.

IceApple is unique for being an in-memory framework, implying a threat actor's desire to keep a low forensic footprint and avoid detection, which bears all the signs of a long-term algorithmic mission by creating files that appear to come from Microsoft's IIS web server. While most of the malware has been found on Microsoft Exchange servers, IceApple can function under any Internet Information Services (IIS) web app, making it a dangerous threat.

IceApple activity, as per CrowdStrike researchers, could be linked to nation-state attacks. Although IceApple has not been linked to any single threat actor, many believe it was developed by China. 

The actual number of victims of the attack has not been determined by CrowdStrike, but they do not rule out the possibility that the threat will expand in the following weeks. In this regard, the experts suggested updating any apps used by public and commercial businesses to strengthen the system's protection against this framework. 

The malware can locate and erase files and directories, write data, collect credentials, search Active Directory, and transfer sensitive data due to the framework's various components. These components' build timestamps date back to May 2021.
Read more »
United States
APT31 China CrowdStrike Cyber Attacks RAT Russia United States

Widespread Cyber Espionage Attacks Use New Chinese Spyware

 

According to new research, a threat actor believed to be of Chinese origin was linked to a series of ten attacks from January to July 2021 that involved the deployment of a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been linked to APT31 (FireEye), an advanced persistent threat that has been dubbed Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks) by the cybersecurity community. 

BRONZE VINEWOOD has hidden malicious activity within legal network traffic by using prominent social media and code repository sites. Previous BRONZE VINEWOOD campaigns leveraging DLL search-order hijacking to distribute the HanaLoader downloader malware and other malicious payloads have also been uncovered by Secureworks Counter Threat Unit (CTU) researchers. 

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence to aid the Chinese government and state-owned firms. 

In the attacks, a new malware dropper was utilized, which included a downloader for next-stage encrypted payloads from a remote command-and-control server, as well as the ability to decode and execute the malware. The malicious code can download further malware, putting vulnerable victims at risk even more, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine. 

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov discovered the self-delete command fascinating since it employed a bat file to wipe all of the registry keys and files created as a result of running the command. 

The malware's similarities to a trojan known as DropboxAES RAT, which was used by the same threat group last year and relied on Dropbox for command-and-control (C2) communications, are also worth noting, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and delete the espionage tool.

Despite the fact that BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers discovered that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cypher to encrypt and decrypt data. When encrypting data, older versions of the malware may have used AES encryption. 

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.
Read more »
Spirit Spider
CrowdStrike malware Ransomware Spirit Spider

Sprite Spider Emerging as One of The Most Destructive Ransomware Threat Actors

 

Recently, two CrowdStrike cybersecurity leads during a Cyber Threat Intelligence Summit at the SANS  Senior Security Researcher Sergei Frankoff, and Senior Intelligence Analyst Eric Loui, shared detailed information on the ‘Spirit Spider’, an emerging leading ransomware actor. Like other ransomware attacks, the malicious crew behind Sprite Spider attacks has rapidly increased in terms of sophistication and damage capabilities since 2015. At present, Sprite Spider has become one of the most dangerous ransomware malicious actors of 2021. 

Although, this ransomware ‘Sprite Spider’, did not come as a surprise for many world-leading IT firms, like other organized ransomware groups which are filled with threat actors who are often fruitfully employed by nation-state cybercriminals. 

The journey of Sprite Spider


To have come so far to make headlines, it must have gotten started somewhere, but when and where? It was back in 2015 when the ransomware was employed as a banking Trojan called Shifu, and then in 2017, a malware loader called Vatet. The gang had deployed a remote access Trojan called PyXie, in 2018, and in 2019, the attackers’ deployed ransomware called DEFRAY777. 

Crowdstrike researchers linked Shifu, Wyatt, and Pixi to the DEFRAY777 ransomware attacks. At this point they realized that all the activities from these components were linked to a single-malicious group, operating stealthily behind the scenes. 

The threat actors can often avoid detection mainly because the malicious code is secretly hidden in open-source projects such as Notepad++, which technically is invisible and hence visibly harmless. The only thing the Sprite Spider writes to disk is ‘Vatet’, which makes it even more difficult for the intelligence to identify it during an attack. 

“I think we’ve seen a number of nation-states engage in these types of attacks to generate revenue, specifically North Korea,” CrowdStrike’s senior vice president of intelligence Adam Meyers tells CSO. He added that “Iran and China are also getting in on the ransomware game. It’s not necessarily the nation-state that is conducting the attack, but [the cybercriminals] are using the skills they learned [by working for nation-state attackers] to make a little extra money on the side. The individuals engaged by the nation-state are conducting ransomware attacks on a moonlight shift.” 

Mark Weatherford, chief strategy officer at the National Cybersecurity Center and a former DHS cybersecurity official in the Obama administration, said “I think it will take an international effort to address the growing ransomware scourge. Until there is more of an international policy discussion, I think we’re going to see these things grow. What we need is an international combined effort from nations around the world to say that this is no longer acceptable.” He tells CSO.
Read more »
Russian Hacker
Chinese Hackers CrowdStrike North Korean Hackers Russian Hacker

Russian Hacking Trouble for the Cyber World



According to data analysis by computer security company CrowdStrike, Russian hacking attack team spares only 19 minutes to the victim to respond to the attack. The next fastest group were North-Koreans who took two hours to jump to the next server to spread the attack,the third on the list comes Chinese attackers who on average gives four hours to the victim to foil their target attack.

Statistically the calculated time is coined as  “dubbed time“ and is the time attacker takes to jump from one network to another to spread the attack. Introducing the concept, CrowdStrike wrote in its report “shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker before sensitive data can be stolen or destroyed.”

According to the author, Pete Singer, the new analysis is eye-opening, "These stats are driven by a whole variety of factors, among them the skills and capability, the relative risk each is making in their likelihood of getting caught and the consequences. No matter how you look at it, an average of 18 minutes is quite amazing given the scale."

The Russians hackers have attacked many defense and military establishments throughout Europe and NATO since last year. Russian hackers were alleged to attack PyeongChang Winter Olympic Games in 2018.

Chris Krebs, DHS Cybersecurity and Infrastructure Security Agency Director, told defenseone.com recently, “We are doubling down on election security in advance of the 2020 election. Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”

According to a research from Arizona state University, researchers revealed that the exploiting a known vulnerability depended greatly on the country of the attacker.For Instance, the researchers looked at the Dark Web chat rooms , If attackers were discussing  vulnerabilities in National Database and If the hackers discussing the bug were Chinese, the chances to exploit the vulnerability in question was nine percent, But if the conversation was between Russians, then the probability of exploiting vulnerability is forty percent.

Read more »
Subscribe to: Posts (Atom)