Cybersecurity snow day.
A Crowdstrike update takes down IT systems worldwide. A U.S. District Court judge dismissed most charges against SolarWinds. Sophos examines the ransomware threat to the energy sector. European web hosting companies suspend Doppelgänger propaganda. An Australian digital prescription services provider confirms a ransomware attack affecting nearly 13 million. A pair of Lockbit operators plead guilty. N2K’s CSO Rick Howard speaks with AWS’ CISO Chris Betz about strong security cultures and AI. A look inside the world’s largest live-fire cyber-defense exercise.
Today is Friday July 19th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A Crowdstrike update takes down IT systems worldwide.
A widespread IT outage has impacted businesses globally, causing significant disruptions in banking, aviation, healthcare, media, and more. Early Friday, companies in Australia using Microsoft’s Windows began reporting Blue Screens of Death (BSODs), followed by similar reports from the UK, India, Germany, the Netherlands, and the US. This led to Sky News going offline and major US airlines grounding flights.
The issues have been traced to a misconfigured update from cybersecurity firm CrowdStrike, affecting only Windows devices. CrowdStrike engineers acknowledged the problem on their Reddit forum, offering a workaround and guidance for affected customers. The update involved CrowdStrike’s Falcon Sensor product, which is part of their security suite.
CrowdStrike CEO George Kurtz confirmed the update defect, emphasizing it wasn’t a cyberattack. He stated that a fix had been deployed and reassured that Mac and Linux systems weren’t affected. Microsoft also acknowledged the problem, noting that a resolution was in progress.
The financial impact of halted operations and business disruptions could reach millions. Airports faced delays and long queues, with flights canceled worldwide. Passengers in India received handwritten boarding passes. TV networks like TF1, Canal+, and Sky News experienced broadcasting issues.
The outage has been a stark reminder of the global economy’s dependence on a handful major tech companies. CrowdStrike’s stock dropped nearly 12% in premarket trading, while Microsoft’s fell about 1.4%. The incident has prompted financial regulators in the UK to investigate the impact on banks and payment systems.
In an event unrelated to the Crowdstrike issue, a major Microsoft 365 outage on Thursday, caused by an Azure configuration change, impacted users across the Central US region. Starting around 6:00 PM EST, the outage affected services like Microsoft Defender, Intune, Teams, PowerBI, OneDrive, and Xbox Live, preventing access and login. Microsoft worked to reroute traffic to restore service, noting a positive trend in availability after a few hours. Downdetector received tens of thousands of issue reports, particularly from Xbox users experiencing server connection problems.
A U.S. District Court judge dismissed most charges against SolarWinds.
A U.S. District Court judge dismissed most charges in a landmark case against SolarWinds, following the Sunburst hacking campaign linked to Russia. Judge Paul Engelmayer ruled that many of the charges “impermissibly rely on hindsight and speculation,” though some claims about misleading cybersecurity statements were upheld. The SEC had charged SolarWinds and its CISO, Timothy Brown, with fraud for overstating cybersecurity practices and failing to disclose known risks. SolarWinds must respond to remaining charges within 14 days. The court noted SolarWinds’ inadequate cybersecurity measures, including weak passwords and excessive administrative access, but dismissed other claims as “non-actionable corporate puffery.” The decision underscores challenges in holding companies accountable for cybersecurity in public and regulatory statements, amidst criticism from the cybersecurity community.
Sophos examines the ransomware threat to the energy sector.
Ransomware is a significant threat to the energy, oil/gas, and utilities sectors globally. A report from Sophos titled The “State of Ransomware in Critical Infrastructure 2024” highlights that median recovery costs for energy and water sectors soared to $3 million in the past year, four times the global median. Vulnerability exploitation initiated 49% of attacks in these sectors. Data from 275 respondents in energy, oil, gas, and utilities shows that 67% of these organizations faced ransomware attacks in 2024, higher than the 59% global average. Median ransom payments rose to over $2.5 million. Recovery times have worsened, with only 20% recovering within a week, down from 41% in 2023. High rates of backup compromise and encryption were also reported. Proactive monitoring and response plans are essential to mitigate these threats.
European web hosting companies suspend Doppelgänger propaganda.
Two European web hosting companies, Hetzner from Germany and Hostinger from Lithuania, have suspended accounts linked to the Russian propaganda campaign Doppelgänger. This network used legitimate European infrastructure to spread disinformation. Hostinger’s servers in Singapore hosted several propaganda websites mimicking legitimate media, including Israeli and German sites. Hetzner’s Finnish subsidiary hosted four such websites, blocking the affected server after German nonprofit journalism group Correctiv’s investigation.
Researchers at Qurium and EU DisinfoLab discovered Doppelgänger’s operations across at least ten European countries, highlighting the inadvertent use of European services for disinformation. Doppelgänger has been active since May 2022, spreading fake articles designed to resemble real media outlets like Germany’s Der Spiegel and Britain’s The Guardian.
An Australian digital prescription services provider confirms a ransomware attack affecting nearly 13 million.
Australian digital prescription services provider MediSecure confirmed that a ransomware attack in April 2024 led to the theft of personal and health information of 12.9 million individuals. The compromised data, from services provided between March 2019 and November 2023, included names, dates of birth, addresses, phone numbers, healthcare identifiers, Medicare and concession card numbers, and prescription details. MediSecure stated that due to the complexity of the data set, identifying specific impacted individuals was not feasible without incurring substantial costs. The stolen data, totaling 6.5 terabytes, was taken before the deployment of file-encrypting ransomware, but the company restored its systems using a clean backup. Despite the data breach, prescription delivery services in Australia remain unaffected.
A pair of Lockbit operators plead guilty.
Two Russian individuals, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, admitted to participating in multiple LockBit ransomware attacks, targeting victims globally and in the U.S. According to the Justice Department, these affiliates breached vulnerable systems, stole sensitive data, and deployed ransomware, demanding ransoms for decryption and data deletion. Astamirov, active between 2020 and 2023, and Vasiliev, active between 2021 and 2023, caused significant financial losses. Astamirov, arrested in June 2023, faces up to 25 years in prison, while Vasiliev, extradited and already sentenced in Ontario, could face up to 45 years.
Coming up, we’ve got N2K’s CSO Rick Howard talking with AWS’ CISO Chris Betz at the AWS re:Inforce 2024 event about strong security cultures and AI.
We’ll be right back
Welcome back. You can find details on Chris’ presentation from the event in the show notes.
A look inside the world’s largest live-fire cyber-defense exercise.
And finally, At the Retamares military base in Madrid, CSO Spain got a firsthand look at the Spanish team’s headquarters for Locked Shields 2024, the world’s largest live-fire cyber-defense exercise. The fictional island nation of Berylia faces relentless cyberattacks over 48 hours, simulating a high-stakes scenario where essential services are targeted amidst a territorial dispute with Crimsonia.
Enrique Pérez de Tena, head of international relations for the Spanish Joint Cyberspace Command (MCCE), guided reporters through this complex exercise. Locked Shields, organized by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), involves nearly 4,000 participants worldwide. The Spanish team, comprising military personnel and civilians, collaborates with international allies to defend Berylia’s critical infrastructures, such as nuclear power plants and banking systems, from simulated cyber threats.
Throughout the tour, observers witness the intense yet composed atmosphere as teams manage communications, legal issues, and technical defenses. Pérez de Tena explained the importance of real-time crisis management and legal compliance, likening the exercise to real government operations during cyber crises. Despite the fictional setup, the exercise underscores the ever-present nature of cyberwarfare, with no borders or safe zones.
Locked Shields not only tests defensive capabilities but also fosters collaboration and learning among participants. While Spain ranks mid-pack, the exercise emphasizes improvement over competition. Pérez de Tena highlights the significance of building relationships and sharing expertise to strengthen cybersecurity.
In the end, the exercise reveals the stark reality of our digital age: constant vigilance and cooperation are crucial, as cyberspace remains an unpredictable battlefield. As Pérez de Tena aptly puts it, “We are not aware of how cheap it is to protect ourselves and how expensive it can be if we do not. But 100% cybersecurity does not exist.”
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.