The CyberWire Daily Podcast 7.22.24
Ep 2112 | 7.22.24

CrowdStrike and Microsoft battle blue screens across the globe.

Transcript

Mitigation continues on the global CrowdStrike outage. UK police arrest a suspected member of Scattered Spider. A scathing report from DHS says CISA ignored a directive to cut ties with a faulty contractor. Huntress finds SocGholish distributing AsyncRAT. Ransomware takes down the largest trial court in the U.S. A US regulator finds many major banks inadequately manage cyber risk. CISA adds three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Australian police forces combat SMS phishing attacks. Our guest Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, shares insights on the challenges of protecting the upcoming Summer Olympics. Rick Howard looks at Cyber Threat Intelligence. Appreciating the value of internships. 

Today is Monday July 22nd 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Mitigation continues on the global CrowdStrike outage.

The CrowdStrike IT outage has had significant global repercussions, impacting approximately 8.5 million devices and causing widespread operational disruptions. In the US, the airline industry has been particularly affected, with more than 1,500 flights canceled for the third consecutive day. Delta Air Lines, based in Atlanta, has struggled the most, with Delta Chief Executive Ed Bastian reporting that the airline canceled over 3,500 flights. Bastian attributed the cancellations to the failure of a crew tracking tool unable to process the high volume of changes triggered by the system outage. Delta has been offering waivers to affected customers in an effort to manage the fallout.

CrowdStrike CEO George Kurtz issued an apology for the outage, acknowledging the gravity and impact of the situation. He explained that the problem originated from a sensor configuration update released on July 19, 2024, which triggered a logic error leading to system crashes and blue screens (BSOD) on impacted devices. The specific update involved Channel File 291, which controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for interprocess or intersystem communication in Windows. The update, intended to target malicious named pipes used in cyberattacks, inadvertently caused the operating system to crash.

CrowdStrike quickly identified and corrected the logic error, updating the content in Channel File 291 and halting further changes. Despite this, some experts criticized CrowdStrike for not following industry-standard testing procedures, suggesting that the faulty update may have bypassed normal vetting processes.

To assist affected customers, CrowdStrike has published a “Remediation and Guidance Hub” with detailed information on the faulty update and recovery steps. Microsoft also played a crucial role in addressing the issue, developing a custom WinPE recovery tool to automate the removal of the faulty update. This tool is available for download and requires specific technical configurations for use.

The incident has sparked a wave of malicious activities, with bad actors exploiting the turmoil to conduct phishing scams and other cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) have issued warnings about increased phishing activities related to the CrowdStrike outage. Australia’s home affairs minister, Clare O’Neil, also cautioned small businesses to be wary of scam attempts disguised as communications from CrowdStrike or Microsoft.

The broader implications of the outage have raised concerns about the fragility of the modern digital ecosystem and the concentration of power among key technology firms. Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, emphasized the need for resilience in a globally interconnected economy. Sir Jeremy Fleming, the recently retired head of GCHQ, echoed these sentiments, highlighting the accelerated risks due to technological interconnectivity.

Regulators and lawmakers are calling for greater scrutiny of major tech firms, particularly Microsoft, which has a near monopoly on office productivity systems. Lawmakers from the House Oversight, House Homeland Security, and House Energy and Commerce committees have requested briefings from Microsoft and CrowdStrike to understand the causes and impacts of the outage. 

A recurring theme in the coverage of the incident, particularly in the broader tech press, is that many people had not heard of CrowdStrike before this event. It’s a useful reminder of how cybersecurity firms often operate behind the scenes until a significant disruption brings them to public attention.

UK police arrest a suspected member of Scattered Spider. 

Law enforcement in the UK arrested a 17-year-old from Walsall [WALL-sull], suspected of being part of the Scattered Spider cybercrime group, also known as UNC3944 or 0ktapus. This arrest followed a joint operation by the UK National Crime Agency (NCA) and the US FBI. The teenager is accused of targeting large organizations with ransomware and accessing their networks. He was arrested on suspicion of blackmail and Computer Misuse Act offenses, then released on bail. Evidence, including digital devices, was recovered for forensic examination. This arrest is part of a global investigation into the cybercrime group, which has targeted major companies like MGM Resorts. Scattered Spider has hacked numerous organizations, including Twilio, LastPass, and DoorDash, often using social engineering tactics.

A scathing report from DHS says CISA ignored a directive to cut ties with a faulty contractor. 

The Department of Homeland Security’s (DHS) inspector general released a scathing report on Wednesday, criticizing the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Law Enforcement Training Centers (FLETC) for failing to protect sensitive data. Both agencies ignored a direct order from DHS leadership to cease working with a high-risk contractor.

The inspector general’s audit revealed “urgent cybersecurity issues” at CISA and FLETC. Despite a directive to stop using the contractor due to poor cybersecurity practices, both agencies continued their engagement without mitigating the risks. The contractor was not named in the report, but DHS’s internal investigation highlighted significant security deficiencies in its operations.

The report stated that by not mitigating the control deficiencies, CISA and FLETC potentially exposed sensitive personally identifiable information (PII) and law enforcement training data to compromise. This included the names, Social Security numbers, dates of birth, genders, ranks, and titles of 37,951 DHS and federal law enforcement officers. Additionally, the contractor’s software contained training materials on disarming active shooters and countering seaport terrorism.

Huntress finds SocGholish distributing AsyncRAT. 

Researchers at Huntress have observed the JavaScript downloader malware SocGholish (aka FakeUpdates) being used to deliver the remote access trojan AsyncRAT and the legitimate open-source project BOINC (Berkeley Open Infrastructure Network Computing Client). BOINC is a volunteer computing platform maintained by the University of California for large-scale distributed computing. The SocGholish attack chain involves a malicious JavaScript file that downloads further stages, ultimately deploying a fileless AsyncRAT variant and a malicious BOINC installation. The compromised BOINC installation connects to fake servers, which collect data and issue tasks, effectively acting as command and control (C2) infrastructure. Huntress reported the misuse to BOINC administrators, who have been aware of the issue since June 2024. The report includes indicators of compromise and Yara and Sigma rules.

Ransomware takes down the largest trial court in the U.S. 

A ransomware attack has shut down the computer system of the Superior Court of Los Angeles County, the largest trial court in the U.S. The attack began early Friday and is unrelated to the recent CrowdStrike software update issue. The court disabled its computer network and will keep it down through the weekend. Preliminary investigations show no evidence of compromised user data. The court serves 10 million residents, with 1.2 million cases filed and 2,200 jury trials conducted in 2022.

A US regulator finds many major banks inadequately manage cyber risk. 

A U.S. regulator, the Office of the Comptroller of the Currency (OCC), has found that half of the major banks it oversees are inadequately managing risks such as cyber attacks and employee errors. Bloomberg reported that 11 of the 22 large banks under OCC supervision have “insufficient” or “weak” operational risk management. About one-third of these banks received poor ratings for overall management. This comes amid rising concerns following last year’s bank failures and a major global computer systems outage. The OCC’s operational-risk assessments contribute to CAMELS ratings, which influence regulatory scrutiny and capital requirements. Acting Comptroller Michael Hsu has emphasized the need for effective risk management. In May 2023, Hsu testified before Congress about the importance of proactive supervisory actions and of mitigating risks from third-party vendors that use new technologies.

CISA adds three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified and added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the ongoing threats to cybersecurity.

First, CVE-2024-34102, a severe vulnerability with a CVSS score of 9.8, affects Adobe Commerce and Magento Open Source. This flaw involves an Improper Restriction of XML External Entity (XXE) Reference, which can lead to arbitrary code execution. The vulnerability impacts several versions, including 2.4.7 and earlier. Adobe has acknowledged that this issue has been exploited in limited attacks targeting Adobe Commerce merchants, without requiring user interaction.

Next, CVE-2024-28995 is a high-severity directory traversal vulnerability in SolarWinds Serv-U, scoring 7.5 on the CVSS scale. Discovered by Hussein Daher, this vulnerability allows attackers to read sensitive files on the host machine. Following the disclosure and the publication of proof-of-concept (PoC) exploit code, threat intelligence firm GreyNoise observed active exploitation attempts.

Lastly, CVE-2022-22948, an information disclosure vulnerability in VMware vCenter Server, has a CVSS score of 6.5. This issue arises from improper file permissions, enabling malicious actors with non-administrative access to obtain sensitive information.

CISA has ordered federal agencies to remediate these vulnerabilities by August 7, 2024, to protect their networks. 

Australian police forces combat SMS phishing attacks. 

Australian police forces have seized 29 SIM boxes and thousands of SIM cards in raids across several states to combat smishing (SMS phishing) attacks. In New South Wales, 26 SIM boxes capable of sending large volumes of text messages were found, having sent over 318 million messages in recent months, scamming victims out of millions. In Victoria, three SIM boxes were seized, potentially capable of sending hundreds of thousands of malicious messages daily. Six arrests were made, with charges laid.

The 2024 Summer Olympics start later this week in Paris. Our guest today is Nozomi Networks’ Director of Cybersecurity Strategy Chris Grove. We know the Games are surrounded by social engineering scams, from ticket-sale scams aimed at stealing credit card information to fake accommodation listings and more. We talk about how the games and facilities at the Olympics could be at risk of an attack.

Following Chris’ interview, Rick Howard joins me to talk about his latest CSO Perspectives episode out today that focuses on the current state of cyber threat intelligence. 

We’ll be right back.

Welcome back. You can find links to Rick’s full episode in our show notes. If you are not an N2K Pro subscriber, there’s also a link to a free sample of the episode. 

Appreciating the value of internships. 

And finally, an article in CSOonline shares the story of Willem Westerhof, once a physiotherapist and pie maker, who embarked on a cyber internship in 2016. While still an intern, he discovered a critical vulnerability in solar panel technology, which had the potential to compromise the Netherlands’ entire power grid. This breakthrough not only transformed his life, propelling him into global headlines and conferences, but also secured him a full-time role at ITsec, where he had interned.

Westerhof’s story exemplifies the transformative potential of internships. According to ISC2’s “2023 Cybersecurity Workforce Report,” 24% of new cyber professionals started as interns. Matthew Prager from CISA emphasizes internships as essential for expanding the talent pool and providing valuable work experience that education alone cannot offer.

John Anthony Smith of Conversant Group highlights the importance of mentoring interns to mold them into skilled professionals, while Alexandria Chiasson from the Information and Communications Technology Council stresses the need for internships to teach both technical and soft skills. Companies offering meaningful, project-based internships tend to secure more full-time hires, with paid internships attracting higher quality candidates.

Willem Westerhof’s journey from a diverse work background to a celebrated cybersecurity expert underscores the immense value of internships. For interns, these opportunities provide practical experience, essential skills, and a direct pathway into full-time employment, as seen with Westerhof’s seamless transition to ITsec. For employers, internships are a strategic investment, offering access to fresh talent, innovative perspectives, and the chance to cultivate and retain skilled professionals tailored to their specific needs. By fostering an environment where interns are mentored and engaged in meaningful projects, organizations not only enhance their workforce but also contribute to closing the cybersecurity skills gap, ensuring a robust and secure digital future.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.