It was a week…

Ever had one of those weeks where every day (especially Friday) felt like a Monday? I bet you did this week.

Botched Crowdstike Update takes down the world…kinda

The massive outage caused by a botched CrowdStrike update impacted hundreds if not thousands of organizations globally. Airlines grounded flights, hospitals cancelled surgeries, financial institutions couldn’t serve customers, and even Microsoft 365 experienced a wide scale disruption. I’ll like to the coverage below.

Did mainstream media overhype this one? While it’s true the impacts were widespread, the fix was relatively simple but time consuming. But that isn’t what we heard on CNN, CBS, NBC, or Fox. We heard about the end of the world, not being able to get your money, or how hospitals and airports were completely unable to function. This caused widespread panic. Every vendor had to publish an alert about not being impacted, including my credit union. We had to add a message to our IVR, website, and socials to calm our panicked members. Our only real impact was to a portion of our mortgage origination system, which was resolved by lunch time. So why stir up all that trouble except for the rating?

What was this so huge? Too many vendors build massive, homogeneous Windows environments because it’s easy, comparatively. Most significant back-office systems are based on Microsoft technology, running on Microsoft servers. Crowdstike has obtained a similar market share due to their solid security platform and services. But having all of your eggs in a couple baskets is a huge risk. All it takes is one small mistake in just the right subsystem to bring it all down. I am a firm believer in a heterogeneous system design. Put the right vendors in the right places, but with an eye to not giving one vendor too much. The loss of control with cloud systems can be an unacceptable risk for key systems.

Huge Microsoft Outage Linked to CrowdStrike Takes Down Computers Around the World | WIRED – (Courtesy CyberWire)

Faulty CrowdStrike update causes major global IT outage, taking out banks, airlines and businesses globally | TechCrunch –

Using Intune Remediations to Fix the CrowdStrike Driver Bug – Here’s a novel way to fix your CrowdStrike issue with Intune scripts. These scripts could probably be adapted for other platforms and other issues.

A global tech outage brought many computer systems and businesses to a screeching halt. Here’s what happened | CNN Business – Blow-by-blow of the outage impacts.

Technical Details: Falcon Update for Windows Hosts | CrowdStrike – Crowdstike’s account of what happened.

CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft – The Verge – Less than 1% of the global install based afflicted by this issue caused massive impacts.

And in other news…

Microsoft says its cloud services are back up after major outage | TechRadar – Microsoft experiences an Azure outage that primarily affected the US Central region overnight Friday. This impacted various services during that time. This was a separate issue from the Crowdstike outage, and Microsoft was back up in a reasonable amount of time.

Indiana county files disaster declaration following ransomware attack – Another local government grinding to a halt due to ransomware. Is it time the Fed offered subsidized security services to assist them?

Squarespace DNS hijack spree hits crypto sites – Squarespace disabled MFA on the accounts acquired from Google, which allowed attackers to hijack the domain’s DNS.

CISA broke into US federal agency, wasn’t spotted for months • The Register – (Courtesy TLDR InfoSec) How would you detect a stealthy attacker inside your network?

Cloudflare launches a tool to combat AI bots | TechCrunch – (Courtesy Daniel Miessler) It appears the basics of this tool are free to anyone with a Cloudflare account. I’ve enabled the protections on my blog to see if there are any issues with this.

Hackers use PoC exploits in attacks 22 minutes after release – (Courtesy TLDR InfoSec) This should not be a surprise to anyone. The window from PoC to wild exploitation is getting shorter, but not all patching policies are keeping up with this.

Rite Aid confirms data breach after June ransomware attack – RansomHub gang claims to have 10gb of customer data from the US pharmacy change. RiteAid has not confirmed the extent of the attack.

Reinstatement of net neutrality rules temporarily halted by appeals court – The Verge – It looks like Net Neutrality will be the first victim of the loss of the Chevron doctrine.

Vulnerabilities and Patches

Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412 – Cyble – Attackers are using a multi-stage exploit to gain a foothold on machines and steal information. **get flowchart image from link to embed **

Exim vulnerability affecting 1.5M servers lets attackers attach malicious files | Ars Technica – (Courtesy TLDR InfoSec) EXIM bug allows an attacker to bypass file extension blocking, possibly allow malicious files. All but the lastest RC for Exim is affected.

GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln – (Courtesy TLDR InfoSec) A new 9.6 CVE in Gitlab pipelines. Deploy the fix ASAP.

Critical Cisco bug lets hackers add root users on SEG devices – Cisco’s secure email gateway (formerly IronPort) has a critical file processing bug. Cisco PSIRT Post

Cisco Smart Software Manager On-Prem Password Change Vulnerability – Cisco Smart Licensing on-prem application has a critical bug affecting all but the latest version.

CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook – 0day RCE in Outlook on Windows clients. MSRC’s post.

Security

Exchange Online Supports Inbound SMTP DANE with DNSSEC – DNSSEC and DANE can greatly improve your email security by verification of SMTP server security in DNS. This ensures a bad actor cannot easily redirect incoming email for a domain. Combine this with full DMARC compliance for a bi-directional security upgrade.

Introducing Windows 11 checkpoint cumulative updates | Windows IT Pro Blog – (Courtesy Risky.Biz) Windows 11/2025 patching will move to a more efficient checkpoint model, changing only what needs to be changed. This will definitely speed up patching, but you will no longer be able to skip patches. This will impact golden image maintenance, new PC builds, and various other processes that rely on cumulative patches.

Password Breaking A to Z | ElcomSoft blog – A great primer on password cracking: what it does, how it works, and what hardware works best. I would recommend for any experience level as there are a ton of links to more detailed articles.

Leadership

Your Company’s Problem is Hiding in Plain Sight – High Work-In-Progress (WIP) – (Courtesy Daniel Miessler) Too many active projects results in less output. “Being too busy isn’t a badge of honor. It’s a symptom of dysfunction. It’s a sign your system optimizes for keeping people busy over keeping the work busy moving.”

I am switching to a weekly newsletter format for these posts. I spend a lot of time during the week scanning newsfeeds to find interesting and relevant information as part of my day job. I am already sharing these with my team, so why not share them with the wider infosec community?

My hope is to product at least one of these post weekly, then share it with the great community. It could be via social media or an email newsletter, or both. My goal is to drop the post and have the rest happen automatically. But for now, I’ll be happy with just a weekly post every Friday.

I hope you find this valuable! – Chris

Patelco CU Breach

Patelco CU Reported Data Breach in 2023, Affected 181,000 Members – Patelco suffered another data breach in late 2023 due to the MOVEit vulnerabilities. The Clop ransomware gang was appearantly able to gather sensative date on all 181,507 members. Members have files a class-action lawsuit related to this incident. It is unclear if this eventually lead to the June 2024 ransomware attack, but I suspect the forensic investigation will find that link.

Patelco CU Reports ‘Serious Security Incident’ – A large California credit union was crippled by ransonware over the last few weeks.

Pressure Mounts on Patelco, So Do the Class Action Lawsuits – Patelco now has several class-action lawsuits against it due to this ransomware attack.

Patelco’s Network Stabilized 8 Days After Ransomware Attack – The credit union has been able to start processing transactions again, but they still have a long way to go before they are back online for their members.

Vulnerabilities

CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook – Remote code exec bug patched this week by Microsoft.

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) – Check Point Research – 0-day RCE on all versions of Windows leveraging URL shortcut files. This has been actively exploited for the last 18 months. Roll this patch as soon as possible, but you should also be treating URL files like executables, LNKs, shortcuts, etc. Strip them from emails and prevent users from downloading them.

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere | Ars Technica – TL;DR this is a RADIUS MitM attack made possible by non-standard MD5, but only if you are not using TLS/DTLS. Best mitigation is to switch to TLS/DTLS transport. I believe the purported impacts of this are overblown. An attacker needs to be inside the network to catch these under typical corporate implementations. And how many RADIUS over the internet implementations are not using TLS? My guess is not many.

RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 – TL;DR – Cisco isn’t sure what products are affected yet, but watch this for more updates.

Critical Ghostscript flaw exploited in the wild. Patch it now! – Threat actors are actively exploiting a Ghostscript vulnerability to escape the sandbox for remote code execution.

Breaches & Attacks

Troy Hunt: Telegram Combolists and 361M Email Addresses – Another huge dump of usernames and passwords hit the web. Some of this data is old/reused, but some of it appears to be relatively new. Time to rotate passwords??

Microsoft Orders China Staff to Switch From Android Phones to iPhones for Work – Bloomberg – Might be petty, but this made me chuckle. Please, employees, use our biggest competitor’s product!

SysInformation Healthcare Services, LLC Provides Notice of a Data Security Event – SysInformation Healthcare Services (TX, USA) suffered a major data breach a year ago, only recently disclosed. Attackers got name, date of birth, health insurance information, medical history, and treatment information. They recommended credit monitoring. And their victims recommended compensation: SysInformation Healthcare Services Data Breach Lawsuit | ClassAction.org

AT&T Says Phone Records Of ‘Nearly All’ Customers Breached – AT&T falls victim to the Snowflake breach.

Neiman Marcus data breach: 31 million email addresses found exposed – Troy Hunt found >31mil customer email addresses on the dark web. Another Snowflake related breach.

Security

ANOM – Darknet Diaries – Another great episode discussing the ANOM crime-phones and how the FBI was actually running the show.

Visual guide to SSH tunneling and port forwarding | ITTavern.com – SSH tunneling is always a good trick to keep in your toolbox.

Cyber Scarecrow – This is an interesting concept that has been leveraged with certain malware to prevent install. It’s almost like a vaccination for your PC. I have two concerns: How will they prevent malware from detecting the software rendering it ineffective? How will they prevent false positives by security software? Hopefully more to come from this project.

GitHub – Lissy93/web-check: All-in-one OSINT tool for analysing any website – All-in-one OSINT tool for analysing any website.

Cloudflare 1.1.1.1 incident on June 27, 2024 – A Brazilian ISP attempted to blackhole 1.1.1.1, which was then published to the greater internet causing an outage for Cloudflare’s public DNS service. It’s not clear if this was intentional or an accident. My personal opinion: BGP security needs to become a priority across the globe. One rogue change shouldn’t take down a major internet service.

RockYou2024: 10 billion passwords leaked in the largest compilation of all time | Cybernews – Someone has gathered up all of the breached password dumps over the last several years to create another mega-list, but it appears the file is mostly garbage compared to RockYou2021. This Reddit thread talks more about better sources for password lists: https://www.reddit.com/r/hacking/comments/1dxb25f/whet_to_download_rockyou2024/

Overlooked Domain Name Resiliency Issues: Registrar Communications – SANS Internet Storm Center – Another weak point in the internet: registrars. Someone reported a major ISP domain for phishing, causing the registrar to stop resolving the domain. The registrar did not provide any workable resolution process which could be accessed by clients.

How do cryptocurrency drainer phishing scams work? – Great background on crypto-draining attacks and how to avoid them.

Wide World of Cyber: State directed cybercrime – Risky Business – I’ve enjoyed the thoughtful discussions on these episodes. Worth the listen.

Technology

LeonStraathof/pfsense-speedtest-widget – I recently switched to a pfSense router after missing the advanced features not found in my Eeros, but pfSense doesn’t have a built-in speedtest. This dashboard plugin fixed that. No more worrying if the results are skewed due to other hardware!

DNS Deep Diving with Serena DiPenti – YouTube – The first 10 minutes or so gives you a high level understanding of how DNS works. The rest describes common DNS attacks and how pentesters try to exploit DNS.

Interesting News

Secret meeting between Apple and TSMC reported; 2nm capacity – Courtesy Unsupervised Learning – Has Apple locked down all the 2nm chips? Does this give it market superiority? It certainly allows more power in a smaller space.

A Vast, Untapped Source of Lithium Has Just Been Found in The US : ScienceAlert – Courtesy Unsupervised Learning – It looks like the US may be closer to on-shoring our Lithium needs by extraction from fracking water.

US sues Adobe for ‘deceiving’ subscriptions that are too hard to cancel – The Verge – It’s not enough to milk your users for continued shareholder payouts, but you want to force them into a perpetual contract?

Apple is winning in financial services – Looks like Apple could be opening Apple Pay to additional “buy now, pay later” partners.

Supreme Court ruling on Chevron doctrine may upend future cybersecurity regulation | Cybersecurity Dive –

HP discontinues online-only LaserJet printers in response to backlash — Instant Ink subscription gets the boot, too | Tom’s Hardware – HP is giving up on their “instant ink” printers, but they won’t unlock those printers from the service.

Thread by @lcasdev on Thread Reader App – Thread Reader App – Google has given their own API’s preference to detailed performance telemetry regardless of user choice, but not other vendors. This impacts all Chromium based browsers. This is a clear violator anti-trust laws.

What I’ve been doing

Coding: I’ve actually been coding after almost 15 years! We needed to rewrite a custom URL handler to automatically open a member account based on incoming phone number. I’m surprised how fast I picked up VB.Net as I stopped developing just as .NET came on the scene. I forgot how fun it can be! I was able to repurpose a custom screen-pop application for our call center to work with a new contact center solution. My next trick is building powershell routines to keep the user and contact lists updated as the app doesn’t support SCIM user creation.

Cord cutting My wife recently left her positon, so we’ve been trying to downsize our discretionary expenses. Entertainment is a bit part of that expense, so I’ve taken the leap and dropped internet TV in favor of using an HDHomeRun box with the Plex Live TV services. I still need to experiment with how to best record TV shows, but the live TV works well enough. Bandwidth is the biggest issue with antenna placement the next. I’m still experimenting with these. I’ve also jumped on a few deals for older DVD’s and BlueRays to build up a legal movie collection. I’m still working on a solution for sports.

pfSense I’ve come into a few extra hand-me-down PCs, so I’m going to try again to setup a pfSense firewall. My main concerns right now is not getting the full throughput on my fiber connectivity, so I need to run some tests first. More on this as I experiment more.

Writing

Patch Tuesday updates for all! – Unstable Path – It’s patch week…like every other week.

Reading & Listening

Technology

CIO who dropped VMware 18 months ago now very pleased • The Register – Yet another story about how Broadcom is shooting itself in the foot and driving vmWare into the ground.

Security

LastPass Employee Targeted With Deepfake Calls – SecurityWeek – “In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp,” LastPass says.

Special Edition: Chris Krebs, Alex Stamos and Patrick Gray – Risky Business – Excellent discussion on supply chain sovereignty! I highly recommend infosec nerds take a listen to a new spin on an old issue.

How it Works – Knocknoc – Interesting tech that I heard about on Risky.biz. Allows you to open ports and access services behind SSO that don’t typically support it.

iOS 17.5 bug undeleted sensitive photos—even on devices you no longer own – The Mac Security Blog – Oops Apple! One of the better descriptions of this issue. And another reminder to think twice before you click that pic.

Windows 11 to Deprecate NTLM, Add AI-Powered App Controls and Security Defenses – MS is putting some needed fixes into Windows 11 security.

Financial

U.S. Economy FAQ: Rising Insurance Prices, Stuck Inflation, and More – The Ringer – This discussion of what’s driving inflation rates contains a great explanation on how inflation is tied to the national debt.

Powershell

Invoke-WebRequest or Invoke-RestMethod? – Truesec – Simple answer – Invoke-WebRequest gives you the complete unfiltered results, where Invoke-RestMethod returns just the results in a custom PSObject.

How to use Invoke RestMethod in PowerShell — LazyAdmin – Great summary on how to use the Invoke-RestMethod in Powershell, including new features in Powershell v7.

Science

Britain says it is developing a radio-wave weapon that can take out a swarm of drones for just $0.12 a shot – This would be far more effective than trying to shoot down a drone.

Quantum networks are closer to reality – The Verge – Amazon is dabbling in quantum networking? I’m not sure what this gets us that current fiber technology doesn’t. My vision for quantum networking is instant communication across any distance, similar to Three Body Problem sophons or Eve Online’s fluid routers.

Ancient viral DNA in the human genome linked to major psychiatric disorders – Could viral DNA explain why humans develop these mental illnesses which appear to go against evolution?

Blogging

How and why to make a /now page on your site | Derek Sivers – If you have a blog, create a /now page and let folks know what you are up to!

sites with a /now page – A collection of /now pages.

Tools

ThomasKur/M365Documentation: Automatic Microsoft 365 Documentation to simplify the life of admins and consultants. – This project is a life saver for documenting your Intune configurations.

jordanbaird/Ice: Powerful menu bar manager for macOS – Awesome little tool to collapse your Mac menu bar icons to only display what you actually need until you need them.