The hottest infosec news for July 2024

Hello everyone! We are publishing our traditional digest of key information security news of the past month. The main event of July was undoubtedly the CrowdStrike incident, which led to one of the largest system failures worldwide in history.

Last month brought other records, too. The largest payout after a ransomware attack, a vulnerability compromising Secure Boot on millions of devices since 2012, and Russia's world leadership in the number of databases posted on the darknet. In July, Kaspersky Lab left the US market, and the infamous FIN7 was actively making its way back to the cybercrime scene. Read about this and other interesting infosec news from a very hot summer month below!

CrowdStrike Shuts Down the World

The key event of July was undoubtedly the CrowdStrike incident. On Friday, July 19, a massive wave of crashes hit Windows devices around the world. Computers threw BSoDs en masse and went into recovery loops. Millions of devices were affected, and the fix was a manual boot into safe mode.

The failures affected the USA, Great Britain, India, Australia and other countries. Flights and broadcasts were suspended and rescheduled, payment terminals went down, and entire companies and government organizations, hospitals, supermarkets and airports stopped working. From the very first hours, reports emerged that the security people themselves were to blame for the incident. The cause of the failure was a defective update to the Falcon Sensor EDR solution from CrowdStrike, an American provider of information security services.

The software was installed at hundreds of Fortune 500 companies, serving large businesses and critical infrastructure. On July 19, it suddenly became a single point of failure of massive proportions, bricking millions of devices from America to the Middle East and Southeast Asia. Australia and New Zealand were hit the hardest: the faulty update caught them in the middle of the workday, so the crash of hundreds of thousands of devices and entire systems became a national disaster for both countries. The US and England were also seriously affected, however, since many systems and servers were online even in the middle of the night when the update went into production.

The unique incident, which by some estimates led to the largest global outage in history, immediately gave rise to conspiracy theories, which Hanlon's razor swiftly cut down. The leading hypothesis in the wake of the crisis, ironically dubbed Y2K24, was insufficient testing and an automation error. In addition, it quickly became clear that the problem came down to a malformed configuration file that, bypassing WHQL, was loaded by CrowdStrike's boot-start driver. In short, one small file created a perfect storm at the end of the sprint.

After the long weekend with CrowdStrike, which gave thousands of admins PTSD, the interim figures came in. According to Microsoft, the incident affected 8.5 million devices, or less than 1% of those running Windows. That doesn't sound serious, if you forget that these were mainly large businesses and critical infrastructure. Plus, it's unclear how virtual machines were counted.

Five days later, CrowdStrike published a preliminary report on the incident, and the prize for insight went to those who had suggested that the faulty update had not been sufficiently tested and that the automation had failed.

The update that brought down the systems passed only automated testing and was not checked locally on devices, which would have revealed the problem immediately. Then, due to a bug, the content validator let the malformed update through to production. No additional checks were carried out, since recent tests and deployments of such updates had not caused any problems.

As for the update's content, it was aimed at detecting malicious named pipes used by C2 frameworks. Researchers assumed it targeted new Cobalt Strike features released a couple of days before the disaster. In other words, the company rushed out an update for fresh threats and hoped for the best. In the aftermath, CrowdStrike promised to introduce additional testing, including local testing. Alas, a bit late.

From the first days after the incident, there was the expected surge in cybercrime. The company itself, for instance, reported a previously unknown infostealer called Daolpu, which attackers distributed inside a copy of the Microsoft recovery manual with a malicious macro.

There were also some curious cases. On a domain with the telling name “fix-crowdstrike-apocalypse” there was a scam offering a fix at a reasonable price: half a million euros for a binary and a million for the source code. It is unclear who this was aimed at, given that CrowdStrike's target user is an enterprise with a solid information security department. But cybercriminals see business opportunities and move confidently towards their goal. As do CrowdStrike's competitors: SentinelOne's report, for example, first gave a summary of the incident, then explained at length why its own product is better: the code is more stable, the processes are well established, and updates are rolled out professionally, not haphazardly on a Friday. And only then did they remember the scammers. The laws of the market dictate priorities: half of the Fortune 500 is up for grabs as it looks for alternatives.

CrowdStrike, for its part, kept demonstrating marvels of management, this time in crisis management. What does a decent company do in the wake of a large-scale failure? Demonstrate complete transparency in its processes and hand out large discounts on its products to restore its reputation. What does CrowdStrike do? First of all, send partners $10 UberEats gift cards.

Yes, we caused the biggest IT meltdown in history; here's ten bucks, buy yourself a coffee and leave me alone. Moreover, some of the cards didn't work: the lucky recipients reported that CrowdStrike was recalling them. Either the QR codes were reusable, or UberEats reacted this way to the suspicious-looking mass registration of cards, but the company ultimately failed to handle even this, landing a PR scandal squared. Apparently, CrowdStrike outsources crisis management to the same parts of South Asia as its QA, known for their love of gift cards.

The bottom line is that this incident is turning into an instructive story of “How one small file buried a multi-billion dollar company.” Investors have predictably joined the numerous lawsuits against CrowdStrike: the nearly 40% drop in its share price inflicted serious financial losses on them.

According to the lawsuit, the company deceived investors about the quality of the software, its reliability, and the adequacy of testing. By some estimates, the defective update cost businesses $5.4 billion, with other estimates putting it at no less than $10 billion. So there is no shortage of parties looking to recover their losses: Delta Airlines, which lost half a billion on cancelled flights, is counting on compensation from both CrowdStrike and Microsoft.

Although the latter is unlikely to be successfully sued for someone else's crooked software, the Falcon Sensor incident will probably remain in the public memory as “Windows crashed and everything broke.” CrowdStrike, meanwhile, has unlocked the bad ending, and potential bankruptcy looms on the horizon. A kernel module and automated testing: what could go wrong?

PKfail, or a fail from all the key manufacturers

Following the CrowdStrike incident came hot news about the compromise of Secure Boot on more than 500 models from almost all major manufacturers. The problem comes down to two separate cases.

In the first case, in December 2022, a platform key used to sign 215 device models was compromised. Someone working with manufacturers in the States left the key in a public repository protected by a 4-digit password. It is unknown how long it sat there, but by January 2023 it was already visible in attacks. In the second case, more than 300 models were signed with vulnerable keys: 21 keys carry the strings “DO NOT SHIP” and “DO NOT TRUST”.

How the test keys got into production at half a dozen manufacturers is unknown. None of the companies answered this question directly; all got off with a vague corporate statement: some devices have already received fixes, some have long since reached end of support, so the companies are not responsible for them, and so on. Yet the error is critical, and Secure Boot is potentially compromised on millions of devices released from May 2012 to June 2024, which essentially makes it one of the longest-standing issues of its kind.
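The test-key condition described above is something a defender can check for on their own machines. The following is an added example, not code from the article or from any of the vendors involved: a Python script that parses the Secure Boot PK variable (as Linux exposes it under /sys/firmware/efi/efivars) into its EFI_SIGNATURE_LIST entries and flags X.509 entries whose DER contains the “DO NOT TRUST” or “DO NOT SHIP” marker strings. The GUIDs and structure layout come from the UEFI specification; the sample PK variable, the owner GUIDs and the stand-in certificate bytes are constructed for the demo and are not real DER.

```python
import os
import struct
import uuid

# Constants from the UEFI specification (not from the article): the GUID under which
# PK/KEK live, and the signature-type GUID marking X.509 entries in a signature list.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVARS_PATH = f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}"

# Marker strings the article says appear in the untrusted test platform keys.
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures.

    Returns a list of (signature_type, signature_owner, signature_data) tuples.
    Raises ValueError on truncated or inconsistent headers instead of skipping
    them, because a PK that does not parse is itself worth a look.
    """
    entries = []
    off = 0
    while off < len(data):
        if off + SIGLIST_HEADER.size > len(data):
            raise ValueError(f"truncated signature list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(data, off)
        body_start = off + SIGLIST_HEADER.size + hdr_size
        body_end = off + list_size
        if list_size < SIGLIST_HEADER.size or body_end > len(data) or body_start > body_end:
            raise ValueError(f"inconsistent signature list sizes at offset {off}")
        body = data[body_start:body_end]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"signature size {sig_size} does not tile the list at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):  # each entry: 16-byte owner GUID + data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off = body_end
    return entries


def audit_pk(var_bytes: bytes, has_attr_prefix: bool = True):
    """Flag X.509 entries in a PK variable whose DER carries the known test-key markers.

    Files under /sys/firmware/efi/efivars start with a 4-byte attributes word before the
    variable data; pass has_attr_prefix=False for a raw dump. The DER is scanned as bytes:
    PrintableString/UTF8String subject fields hold plain ASCII, so the markers can be
    found without a full X.509 parser.
    """
    data = var_bytes[4:] if has_attr_prefix else var_bytes
    findings = []
    for sig_type, owner, sig in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        hits = [m.decode() for m in UNTRUSTED_MARKERS if m in sig]
        findings.append({"owner": str(owner), "der_len": len(sig), "untrusted_markers": hits})
    return findings


def build_x509_list(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one certificate in its own EFI_SIGNATURE_LIST, as firmware does for X.509 entries."""
    sig = owner.bytes_le + cert_der
    header = SIGLIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HEADER.size + len(sig), 0, len(sig))
    return header + sig


# Constructed sample PK variable: two stand-in "certificates" (opaque bytes, not real DER),
# one looking like a vendor key and one carrying the test-key marker string.
OEM_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed owner GUIDs
TEST_OWNER = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLE_PK = (
    struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE, as efivars prefixes it
    + build_x509_list(b"\x30\x82 stand-in DER bytes, CN=Example OEM Platform Key 2023", OEM_OWNER)
    + build_x509_list(b"\x30\x82 stand-in DER bytes, CN=DO NOT TRUST - AMI Test PK", TEST_OWNER)
)


def audit_live_pk(path: str = PK_EFIVARS_PATH):
    """Audit this machine's PK if the efivars file exists; otherwise return None."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return audit_pk(f.read(), has_attr_prefix=True)


if __name__ == "__main__":
    for finding in audit_pk(SAMPLE_PK):
        hits = finding["untrusted_markers"]
        status = "UNTRUSTED: " + ", ".join(hits) if hits else "ok"
        print(f"PK owner {finding['owner']} ({finding['der_len']} bytes DER): {status}")
    live = audit_live_pk()
    print("live PK:", live if live is not None else "efivars not available on this host")
```

On a real system the same check can be run against the output of a raw variable dump by passing has_attr_prefix=False; an empty result means the PK contained no X.509 entries at all, which is worth investigating separately from a marker hit.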

Russia Sets Record for Number of Leaks

In July we faced disappointing news: Russia has become a world leader in one aspect of infosecurity. But there is a nuance. We lead in the number of company databases leaked to the darknet: 10% of the listings secured us first place, followed by the US with 8% and China with 6%. At the same time, 88% of the authors of leaks are ready to hand them out free of charge.

The sad statistics are explained by the growth of cyberattacks with “non-financial motivation”, namely hacktivism. According to our specialists, the number of offers of leaked databases has grown by 30% compared to last year, and the number of companies that have encountered a leak for the first time has grown by 15%.

By some estimates, the number of leaked user records in the first six months was ~200 million, a third of which was data from retail companies. In general, the number of hacks is growing briskly, and businesses, for obvious reasons, are still actively resisting tougher data leakage laws. That's how we live.

New record for ransomware payments

On to another July record. Big game hunting in the ransomware scene is paying off: last month, researchers disclosed the largest known ransom payment. An unnamed Fortune 50 company paid the Dark Angels $75 million.

The payout was made in early 2024, and blockchain analysts confirmed that it took place. The previous record was $40 million from insurance giant CNA after the Evil Corp attack in the spring of 2021.

Although the source of the new dubious record is not named, the pharmaceutical megacorporation Cencora, tenth on the Fortune 50 list, was hacked in February of this year. No group claimed responsibility for the attack, which may indicate that a ransom was paid. With a quarter of a trillion dollars in revenue, a record amount is not hard to imagine. For Cencora, it is just a small bonus for the CEO.

Fin7 Returns to Cybercrime Business

In May 2023, the US government announced the end of the Fin7 group after three people associated with it were jailed. But that was premature: in April of this year, the attackers went back to their old ways and restored their network of sites. Moreover, their bulletproof hosting (BPH) provider is none other than Stark Industries Solutions: Fin7 infrastructure sits on a bunch of their IP addresses.

The group is actively registering domains; researchers have counted more than 4 thousand. Typosquatting, malicious extensions and advertising, sites for targeted phishing, spoofing of brands and software from Netflix and AIMP to Dropbox and AnyDesk: you can find everything.

In general, Fin7 is rapidly returning to the cybercrime business, and the unattributed campaigns noticed since April may well be related to it. Even the website of its fake infosec company, Cybercloudsec, is back up. So remember that name, lest you inadvertently sign up for ransomware attacks under the guise of pentesting work.

NSO Group and its connections to the Israeli government

Last month, leaked emails from Israel's Justice Ministry revealed the inner workings of the Pegasus developer's interaction with the government. The obvious-yet-incredible was revealed: the company, founded by veterans of Israeli intelligence, cooperates closely with the state.

Thus, in 2020, Israel was involved in the WhatsApp lawsuit investigation from day one. Officials met with the company's representatives to discuss the request, and just three days later the government issued a classified order prohibiting NSO Group from transferring documents and technical materials abroad without permission from the authorities. This came with a gag order, so that information about it would not leak to the press. In other words, Israel gave NSO Group an excuse to avoid US demands to hand over data for the investigation.

According to WhatsApp, the developer of Pegasus has actively obstructed the case all these years, denying access to internal documents. And the explanation is simple: the Israeli government is on its side, and the company can simply point out that it is complying with the law. In principle, this will hardly surprise anyone; as is well known, Israel has long used Pegasus as a business card in diplomatic negotiations. But having confirmation in the form of court orders is not superfluous.

Kaspersky Lab Leaves US Market

As expected, Kaspersky Lab's legal battle for American consumer cybersecurity did not last long. Less than a month after being banned from selling its products in the States, the company realized the futility of its efforts and in July announced that it was winding down its US business.

As the company reported, an analysis of the sanctions imposed showed that there are no prospects for doing business in the States, so Kaspersky Lab will cease active operations in the US. For those who spent June on vacation, I will remind you that last month Kaspersky Lab was banned from selling software in the US and sanctions were imposed on its top management. All this, as usual, because of the widespread assumption in the West that the company is “under the jurisdiction, control or management of the Russian authorities.” So now it will have to follow the trend and develop new promising markets.

As a parting gift, Kaspersky Lab offered US customers six months of free use of its products. That was the end of its work in the US market, and the green bear, the company's mascot, left the States to other bears, ones already known in narrower circles.

Craig Wright publicly admitted to fraud

And finally, July brought the end of the eight-year saga of security specialist Craig Wright, who claimed to be none other than Satoshi Nakamoto. No, he is not Nakamoto. Wright did not create Bitcoin or develop its software, did not write the cryptocurrency's white paper, and does not own the copyright to it, despite many years of attempts to sue. Not that anyone doubted this, but now Wright has admitted it publicly and officially.

On July 16, the judge handling Wright's case ruled that he had repeatedly lied to the court and had falsified evidence on a massive scale to support his claim to the pseudonym Satoshi Nakamoto. At this point, Craig Wright apparently realized that the prank had failed and admitted that he had failed to steal the identity of the most famous anonymous figure in crypto.

But he did become one of the most despised people in the crypto world. As a bonus, Wright will pay £6 million in costs to the Crypto Open Patent Alliance, which he had demanded take down the Bitcoin white paper, and he could potentially face a perjury case. And rightfully so.
