InfoSec News – July 20th 2024

It was a week…

Ever had one of those weeks where every day (especially Friday) felt like a Monday? I bet you did this week.

Botched CrowdStrike Update takes down the world…kinda

The massive outage caused by a botched CrowdStrike update impacted hundreds if not thousands of organizations globally. Airlines grounded flights, hospitals cancelled surgeries, financial institutions couldn’t serve customers, and even Microsoft 365 experienced a wide-scale disruption. I’ll link to the coverage below.

Did mainstream media overhype this one? While it’s true the impacts were widespread, the fix was relatively simple but time consuming. But that isn’t what we heard on CNN, CBS, NBC, or Fox. We heard about the end of the world, not being able to get your money, or how hospitals and airports were completely unable to function. This caused widespread panic. Every vendor had to publish an alert about not being impacted, including my credit union. We had to add a message to our IVR, website, and socials to calm our panicked members. Our only real impact was to a portion of our mortgage origination system, which was resolved by lunch time. So why stir up all that trouble except for the ratings?

Why was this so huge? Too many vendors build massive, homogeneous Windows environments because it’s comparatively easy. Most significant back-office systems are based on Microsoft technology, running on Microsoft servers. CrowdStrike has obtained a similar market share due to their solid security platform and services. But having all of your eggs in a couple of baskets is a huge risk. All it takes is one small mistake in just the right subsystem to bring it all down. I am a firm believer in heterogeneous system design. Put the right vendors in the right places, but with an eye to not giving any one vendor too much. The loss of control with cloud systems can be an unacceptable risk for key systems.

Huge Microsoft Outage Linked to CrowdStrike Takes Down Computers Around the World | WIRED – (Courtesy CyberWire)

Faulty CrowdStrike update causes major global IT outage, taking out banks, airlines and businesses globally | TechCrunch

Using Intune Remediations to Fix the CrowdStrike Driver Bug – Here’s a novel way to fix your CrowdStrike issue with Intune scripts. These scripts could probably be adapted for other platforms and other issues.
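As an added illustration of the Intune approach (this is not the linked article’s script nor anything from CrowdStrike), here is a detection/remediation pair in the shape Intune Remediations expect: the detection script exits 1 when the device needs fixing and 0 when it is compliant, and the remediation script removes only the offending file and reports what it did. The driver directory and the channel-file wildcard are assumptions shown as placeholders; take the real values from CrowdStrike’s Technical Details post linked further down. Intune runs these as SYSTEM on its own schedule, so this only helps hosts that stay up long enough for the Intune Management Extension to check in; a machine stuck in a boot loop still needs the manual safe-mode fix.

```powershell
# Added example, not from the linked article or CrowdStrike.
# Assumed locations (placeholders): confirm both against the vendor's own guidance.
$DriverDir          = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike'
$ChannelFilePattern = 'C-<channel-number>*.sys'   # placeholder pattern, see lead-in

function Get-BadChannelFile {
    param([string]$Dir = $DriverDir, [string]$Pattern = $ChannelFilePattern)
    # Look only inside the driver directory; never recurse into anything else.
    if (-not (Test-Path -LiteralPath $Dir)) { return @() }
    Get-ChildItem -LiteralPath $Dir -Filter $Pattern -File -ErrorAction SilentlyContinue
}

# --- Detection script slot ---
# Intune reads the exit code: 1 = run remediation, 0 = compliant.
function Invoke-Detection {
    $bad = @(Get-BadChannelFile)
    if ($bad.Count -gt 0) {
        Write-Output ("Found {0} affected channel file(s): {1}" -f $bad.Count, ($bad.Name -join ', '))
        exit 1
    }
    Write-Output 'No affected channel file present'
    exit 0
}

# --- Remediation script slot ---
# Removes only the matched file(s); supports -WhatIf for a dry run when testing by hand.
function Invoke-Remediation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $bad = @(Get-BadChannelFile)
    if ($bad.Count -eq 0) { Write-Output 'Nothing to remediate'; exit 0 }
    foreach ($f in $bad) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove affected channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Output "Removed $($f.FullName)"
        }
    }
    # Re-check so the script's exit code reflects the final state, not just the attempt.
    if (@(Get-BadChannelFile).Count -eq 0) { exit 0 } else { exit 1 }
}

# Paste Get-BadChannelFile plus ONE of the two functions into each Intune script,
# then end that script with the matching call:
#   Invoke-Detection      (detection script)
#   Invoke-Remediation    (remediation script)
```

Keep the wildcard as narrow as the vendor guidance allows; a loose pattern under a driver directory is exactly the kind of "one small mistake in the right subsystem" this week was about. Test the remediation with -WhatIf on a single enrolled device before assigning it to a group.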

A global tech outage brought many computer systems and businesses to a screeching halt. Here’s what happened | CNN Business – Blow-by-blow of the outage impacts.

Technical Details: Falcon Update for Windows Hosts | CrowdStrike – CrowdStrike’s account of what happened.

CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft – The Verge – Less than 1% of the global install base was afflicted by this issue, yet it caused massive impacts.

And in other news…

Microsoft says its cloud services are back up after major outage | TechRadar – Microsoft experienced an Azure outage that primarily affected the US Central region overnight Friday. This impacted various services during that time. This was a separate issue from the CrowdStrike outage, and Microsoft was back up in a reasonable amount of time.

Indiana county files disaster declaration following ransomware attack – Another local government grinding to a halt due to ransomware. Is it time the Fed offered subsidized security services to assist them?

Squarespace DNS hijack spree hits crypto sites – Squarespace disabled MFA on the accounts acquired from Google, which allowed attackers to hijack those domains’ DNS.

CISA broke into US federal agency, wasn’t spotted for months • The Register – (Courtesy TLDR InfoSec) How would you detect a stealthy attacker inside your network?

Cloudflare launches a tool to combat AI bots | TechCrunch – (Courtesy Daniel Miessler) It appears the basics of this tool are free to anyone with a Cloudflare account. I’ve enabled the protections on my blog to see if there are any issues with this.

Hackers use PoC exploits in attacks 22 minutes after release – (Courtesy TLDR InfoSec) This should not be a surprise to anyone. The window from PoC to wild exploitation is getting shorter, but not all patching policies are keeping up with this.

Rite Aid confirms data breach after June ransomware attack – The RansomHub gang claims to have 10 GB of customer data from the US pharmacy chain. Rite Aid has not confirmed the extent of the attack.

Reinstatement of net neutrality rules temporarily halted by appeals court – The Verge – It looks like Net Neutrality will be the first victim of the loss of the Chevron doctrine.

Vulnerabilities and Patches

Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412 – Cyble – Attackers are using a multi-stage exploit to gain a foothold on machines and steal information.

Exim vulnerability affecting 1.5M servers lets attackers attach malicious files | Ars Technica – (Courtesy TLDR InfoSec) An Exim bug allows an attacker to bypass file extension blocking, possibly letting malicious attachments through. All but the latest RC for Exim is affected.

GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln – (Courtesy TLDR InfoSec) A new CVE rated 9.6 in GitLab pipelines. Deploy the fix ASAP.

Critical Cisco bug lets hackers add root users on SEG devices – Cisco’s secure email gateway (formerly IronPort) has a critical file processing bug. Cisco PSIRT Post

Cisco Smart Software Manager On-Prem Password Change Vulnerability – Cisco Smart Licensing on-prem application has a critical bug affecting all but the latest version.

CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook – 0day RCE in Outlook on Windows clients. MSRC’s post.

Security

Exchange Online Supports Inbound SMTP DANE with DNSSEC – DNSSEC and DANE can greatly improve your email security by verification of SMTP server security in DNS. This ensures a bad actor cannot easily redirect incoming email for a domain. Combine this with full DMARC compliance for a bi-directional security upgrade.

Introducing Windows 11 checkpoint cumulative updates | Windows IT Pro Blog – (Courtesy Risky.Biz) Windows 11/2025 patching will move to a more efficient checkpoint model, changing only what needs to be changed. This will definitely speed up patching, but you will no longer be able to skip patches. This will impact golden image maintenance, new PC builds, and various other processes that rely on cumulative patches.

Password Breaking A to Z | ElcomSoft blog – A great primer on password cracking: what it does, how it works, and what hardware works best. I would recommend it for any experience level, as there are a ton of links to more detailed articles.

Leadership

Your Company’s Problem is Hiding in Plain Sight – High Work-In-Progress (WIP) – (Courtesy Daniel Miessler) Too many active projects result in less output. “Being too busy isn’t a badge of honor. It’s a symptom of dysfunction. It’s a sign your system optimizes for keeping people busy over keeping the work moving.”
