The cybersecurity firm says that 97% of sensors are back online, but some organizations continue to recover, with costs tallied at $5.4 billion for the Fortune 500 alone.

Source: Sashkin via Shutterstock

A week after an ill-fated update from cybersecurity giant CrowdStrike knocked out an estimated 8.5 million Windows computers, causing problems ranging from downed medical systems at healthcare facilities to delayed flights for many airlines, organizations are still trying to restore access to their remaining affected systems.

Healthcare companies are among the most impacted organizations, with the corrupt file affecting about half of the members of the Health Information Sharing and Analysis Center (Health-ISAC), says chief security officer Errol Weiss. As of July 25, only 18% of affected organizations had fully recovered their systems, while three-quarters of companies still had as many as 25% of their systems still needing attention, Weiss says.

Many organizations had Windows-based medical devices, and now they are likely looking at a long-tailed recovery, says Weiss.

"My guess is that a lot of automated remediation was shared on Friday and Saturday — those methods probably helped a lot to get to the majority of completion," he says, referring to tools and scripts provided by Microsoft, CrowdStrike, and other companies. "But some of those scripts and automated fixes probably won't work on the kinds of devices that we're talking about, and now healthcare organizations have to take a manual look."

Microsoft released a USB Recovery Tool that gives administrators the option to use a USB drive to recover impacted systems from WinPE or safe mode. The tool may recover from safe mode even if BitLocker is enabled on a device and a recovery key is unavailable. There are also detailed recovery steps for Windows clients, servers, and operating systems hosted on Hyper-V, as well as affected Windows 365 Cloud PCs and Azure virtual machines.

**Measuring Impact of the Outage**

On July 25, CrowdStrike estimated that 97% of affected computers had returned to active status, as measured by the state of its Falcon software at the center of the outage. Managed security services provider Quest Software, whose customers span a gamut of sizes, is still offering aid to those working through the issue. The remaining companies likely represent a few hard-to-patch systems at larger firms and a large number of smaller firms that do not have the technical expertise to easily recover, says Kent Feid, senior director of product management at Quest Software.

"That 3% really represents the number of devices, and so that would equate to likely a substantial amount of small businesses still being impacted that are still somewhat unsure how to attack this," he says. "Smaller businesses tend to leverage more IT generalists or don't staff IT experts in-house."

The vast impact of the outage has still not been tallied, but insurance services firm Parametrix estimates that the event impacted a quarter of the Fortune 500 companies, with losses reaching $5.4 billion. That includes nearly $2 billion in losses for healthcare and more than $1.1 billion for the banking sector.

**Even With Tools, Many Companies Worked the Weekend**

While the recovery process is, for the most part, fairly simple, technical experts have gauged that each system requires an average of 15 minutes to recover because an administrator is required to physically access each system. In addition, companies that used BitLocker to encrypt the hard drive — a cybersecurity best practice, especially on laptop systems — would have to find the encryption key and input that key at the beginning of the process.

"There's no way to do this remotely because it has to be done in safe mode, where networking isn't working, so you can't connect to the machine remotely," says Vadim Vladimirskiy, CEO of Nerdio, a virtual desktop management firm.

At least 700 outages coincided with the bad update from CrowdStrike, with 39% of outages rated Critical. Source: Parametrix

Nerdio, which provides virtual desktops for its customers, said its customers were only minimally impacted by the failed update and its cloud desktop systems were easily repaired by recovering to a previous image. While many customers connect to Nerdio's service using a Windows computer, only the systems left on during the 78-minute window — during which the bad CrowdStrike update was distributed — were impacted. Affected customers could just switch to a different system to access their virtual desktops, limiting any impact, Vladimirskiy says.

Ironically, healthcare firms recovered by falling back on measures implemented to protect them from a threat CrowdStrike is deployed to prevent: ransomware. Health-ISAC's Weiss compiled a list of systems affected by the attack, and it includes patient services, lab collections, secure file transfers, dictation and transcription services, shipments, electronic medical records, and Medicaid and insurance billing.

"I started hearing about the impacts to these organizations and looking at the list, and it's like, 'My gosh, this sounds just like another ransomware incident,'" he says. "So that's what was going on inside healthcare on Friday for those organizations that were impacted by this. They just went, 'OK, systems are down, we're going to the manual backup procedures, we're going to paper,' and they knew what to do because they were drilling \[their response to ransomware\] in the past."

**Preventing the Next Big Failure**

The bad update also came after a significant outage of Azure services affected an above average number of companies, according to Parametrix. (On average, about 300 service disruptions occur among the Fortune 500 every day, the firm said. On Thursday, July 18, 419 coincided with the Azure outage, and on Friday, at least 700 occurred as the company dealt with the bad update from CrowdStrike.)

While CrowdStrike is feeling the market's wrath right now, the company is unlikely to be down for long because businesses need the type of services the company — and others like it — provide, says Quest Software's Feid.

"No software development company — I include ourselves in that — is perfect, right?" he says. "What's hard, I think, especially in the security industry and specifically for a company like CrowdStrike, they are being looked at and relied upon across a large part of the market to protect endpoints. ... The product is specifically designed to be ahead of the curve as much as it can, which means you can't have it both ways, consumers. There's always going to be inherent risk."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Companies Struggle to Recover From CrowdStrike's Crippling Falcon Update

The individual is part of a DPRK-backed group known as Andariel, which is known for using the 'Maui' ransomware strain to target and extort healthcare entities.

Source: Panther Media GmbH via Alamy Stock Photo

The US Department of Justice has unsealed an indictment of a North Korean military intelligence operative targeting US critical infrastructure.

The individual, Rom Jong Hyok, allegedly carried out ransomware attacks against healthcare facilities and funneled the ransom payments to arrange other breaches into defense, technology, and government organizations globally, in violation of the Computer Fraud and Abuse Act, according to the indictment.

The ransom payments were laundered through Hong Kong, where they were converted into Chinese yuan, withdrawn from an ATM, and then used to purchase virtual private servers in order to exfiltrate sensitive defense and technology information. 

Hyok is part of a hacking crew known as Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2) and is allegedly behind cyberattacks involving a ransomware strain coined "Maui," which was targeting organizations in the US and Japan as far back as 2022. The group uses this ransomware against healthcare providers' systems and servers used for medical testing or electronic medical records.

Andariel is controlled by DPRK's military intelligence agency, the Reconnaissance General Bureau, which is involved in the DPRK's illicit arms trade and responsible for its malicious cyber acts.

"This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India," said the National Security Agency. 

The US Department of State's Rewards for Justice (RFJ) announced a reward of up to $10 million for information that could lead to the whereabouts of Rim Jong Hyok, Andariel, or co-conspirators.

**About the Author(s)**

US Offers $10M Reward for Information on North Korean Hacker

Nvidia doesn't just make the chips that accelerate a lot of AI applications — the company regularly creates and uses its own large language models, too.

Source: The KonG via Shutterstock

As the builder of the processors used to train the latest AI models, Nvidia has embraced the generative AI (GenAI) revolution. It runs its own proprietary large language models (LLMs), and several internal AI applications; the latter include the company's NeMo platform for building and deploying LLMs, and a variety of AI-based applications, such as object simulation and the reconstruction of DNA from extinct species.

At Black Hat USA next month in a session entitled "Practical LLM Security: Takeaways From a Year in the Trenches," Richard Harang, principal security architect for AI/ML at the chip giant, plans to talk about lessons the Nvidia team has learned in red-teaming these systems, and how cyberattack tactics against LLMs are continuing to evolve. The good news, he says, is that existing security practices don't have to shift that much in order to meet this new class of threats, even though they do pose an outsized enterprise risk because of how privileged they are.

"We've learned a lot over the past year or so about how to secure them and how to build security in from first principles, as opposed to trying to tack it on after the fact," Harang says. "We have a lot of valuable practical experience to share as a result of that."

**AIs Pose Recognizable Issues, With a Twist**

Businesses are increasingly creating applications that rely on next-generation AI, often in the form of integrated AI agents capable of taking privileged actions. Meanwhile, security and AI researchers have both already pointed out potential weaknesses in these environments, from AI-generated code expanding the resulting application's attack surface to overly helpful chatbots that give away sensitive corporate data. Yet, attackers often do not need specialized techniques to exploit these, Harang says, because they're just new iterations of already known threats.

"A lot of the issues that we're seeing with LLMs are issues we have seen before, in other systems," he says. "What's new is the attack surface and what that attack surface looks like — so once you wrap your head around how LLMs actually work, how inputs get into the model, and how outputs come out of the model ... once you think that through and map it out, securing these systems is not intrinsically more difficult than securing any other system."

GenAI applications still require the same essential triad of security attributes that other apps do — confidentiality, integrity, and availability, he says. So software engineers need to perform standard security architecting due-diligence processes, such as drawing out the security boundaries, drawing out the trust boundaries, and looking at how data flows through the system.

In the defenders favor: Because randomness is often injected into AI systems to make them "creative," they tend to be less deterministic. In other words, because the same input does not always produce the same output, attacks do not always succeed in the same way either.

"For some exploits in a conventional information security setting, you can get close to 100% reliability when you inject this payload," Harang says. "When \[an attacker\] introduces information to try to manipulate the behavior of the LLM, the reliability of LLM exploits in general is lower than conventional exploits."

**With Great Agency Comes Great Risks**

One thing that sets AI environments apart from their more traditional IT counterparts is their ability for autonomous agency. Companies do not just want AI applications that can automate the creation of content or analyze data, they want models that can take action. As such, those so-called agentic AI systems do pose even greater potential risks. If an attacker can cause an LLM to do something unexpected, and the AI systems has the ability to take action in another application, the results can be dramatic, Harang says.

"We've seen, even recently, examples in other systems of how tool use can sometimes lead to unexpected activity from the LLM or unexpected information disclosure," he says, adding: "As we develop increasing capabilities — including tool use — I think it's still going to be an ongoing learning process for the industry."

Harang notes that even with the greater risk, it's important to realize that it's a solvable issue. He himself avoids the "sky is falling" hyperbole around the risk of GenAI use, and often taps it to hunt down specific information, such as the grammar of a specific programming function, and to summarize academic papers.

"We've made significant improvements in our understanding of how LLM-integrated applications behave, and I think we've learned a lot over the past year or so about how to secure them and how to build security in from first principles," he says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nvidia Embraces LLMs &amp; Commonsense Cybersecurity Strategy

Outlining the wider organization's proactive role in fortifying the security program allows the security team to focus on the most pressing issues that only they can solve.

Lenny Zeltser, Chief Information Security Officer, Axonius

July 26, 2024

4 Min Read

Source: Andrii Yalanskyi via Alamy Stock Photo

COMMENTARY

Love it or hate it, cybersecurity compliance continues to be top of mind across private organizations and federal bodies alike. With new regulations on emerging technology continuing to be developed and introduced, even the US Senate is proposing legislation to streamline federal cybersecurity regulations. 

Regulations offer security leaders leverage for improving processes and strengthening accountability for cybersecurity throughout the organization. However, new compliance requirements also increase the burden of making sure the security program meets the requirements of all external stakeholders. Many chief information security officers (CISOs) must simultaneously navigate the need to contain costs, increase trust, improve security, and support the business while maintaining compliance. 

Supporting cybersecurity compliance requirements is particularly challenging for today's security leaders because they don't control all aspects of security in the organization. Employees across all departments make decisions each day that impact the security of the organization's data. CISOs can harness a distributed responsibility model to address security and compliance needs, but they must do this in an intentional way. The key is to make sure all internal stakeholders understand the role they play in the organization's security program and hold them accountable for their responsibilities.

**Clarifying Expectations Beyond the Security Team**

It's true that security teams have the specialized knowledge that colleagues in other parts of the organization lack. That's why such groups monitor for suspicious activities, identify and track vulnerabilities, ensure that the necessary security measures are enforced, and provide security guidance.

When designing security programs, however, CISOs must also document the expectation that all employees across an organization must do their part in safeguarding the company's systems, applications, and data. This goes beyond the employees merely maintaining the vague sense of awareness emphasized by the requisite security awareness training. 

The CISO should lead the effort to clarify the security responsibilities that extend past the security team. Methodologies such as the RACI matrix help capture who should be responsible, accountable, consulted, and informed for specific security-related tasks. Even if the resulting matrix isn't perfect, the discussions that lead to its creation surface responsibility gaps so organizations can address them. 

**Enforcing Accountability Across an Organization**

It's unreasonable to expect that employees — especially those without security training and expertise — will always make the right decisions when it comes to data protection. CISOs can mitigate this risk by deploying technologies that make it easier for employees to perform their work securely. For instance, security leaders can define configuration templates that disable unnecessary features or enable security capabilities. Another example is automatically enrolling accounts with multifactor authentication (MFA), rather than requesting that each employee elect to apply these safeguards. 

While mandating MFA minimizes the opportunity for noncompliance with security expectations, automatic opt-ins like this aren't always possible. Security leaders should also establish guardrails against severe risks resulting from decisions that are outside the boundaries the organization considers reasonable. The use of network security measures like DNS filtering, for example, restricts access to dangerous website categories, in turn decreasing the likelihood that an employee unknowingly interacts with a malicious online resource. 

In addition, the security team must monitor for gaps in security and take action when issues arise. Security event aggregation and continuous compliance monitoring, which automates the tracking of security controls, along with modern asset management approaches, are pieces to this puzzle. 

**Making Security Responsibilities Personal**

To ensure that people outside the security team pay attention to their security responsibilities, security leaders should look for ways to establish a personal connection between the individual and the data or system they help protect. For example, employees typically feel a sense of ownership over the laptops and files they use on a daily basis. Therefore, the CISO can highlight that connection when discussing endpoint-related security measures that depend on the employee, such as manually updating software that isn't centrally managed by the organization. 

Just like personnel outside of security should understand how their security responsibilities apply to the work they do, the people on the security team need to understand how their responsibilities aid the organization as a whole. What business initiatives are supported by the work that the security team is doing? Understanding this connection will not only motivate the security personnel but also allow the security leaders to have the business context when collaborating with colleagues throughout the organization. 

Security leaders will amplify their powers and motivate others to do their part in securing the organization by aligning security responsibilities with the personal interests, affiliations, and objectives of all stakeholders.

**Empowering Everyone to Do Their Part**

There is power in numbers; outlining the wider organization's proactive role in fortifying the security program allows the security team to focus on the most pressing issues that only they can solve. Helping employees understand the role they play in the security program will prevent coverage gaps, avoid misunderstandings, and ensure that the right processes are in place for a security program that supports the relevant compliance requirements. 

Security teams play a key role in safeguarding their organizations. This includes empowering colleagues in the wider organization to do their part and making sure they understand their roles.

**About the Author(s)**

Chief Information Security Officer, Axonius

Lenny Zeltser is the CISO at Axonius, a leader in cybersecurity asset management. Prior to Axonius, he led security product management at Minerva Labs and NCR. Before that, he spearheaded the US security consulting practice at a leading cloud services provider acquired by CenturyLink. He also helps shape global cybersecurity practices by teaching at SANS Institute and sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. He is also on the Board of Directors of the SANS Technology Institute.

Distributing Security Responsibilities (Responsibly)

Intel works closely with academic researchers on hardware flaws and coordinates efforts with other vendors to roll out fixes for emerging vulnerabilities. That wasn't always the case.

Source: Mentor58 via Alamy Stock Photo

The Spectre and Meltdown chip vulnerabilities could have been resolved much earlier had chip makers taken reports from academic researchers more seriously, says one researcher who helped unveiled the hardware bug.

Daniel Gruss, a researcher at Graz University of Technology, hasn't had a break since Meltdown and Spectre came to light. Chip vulnerabilities are multiplying with increasingly complex chip designs and the emergence of new technologies, such as graphics processing units (GPUs) and confidential computing.

"I think the number of bugs that we have in our systems will not get less over time," Gruss says.

Gruss and Intel fellow Anders Fogh will reflect on past chip vulnerabilities and explore emerging threats during their Black Hat USA 2024 on Thursday, Aug. 8. The presentation, "Microarchitecture Vulnerabilities: Past, Present, and Future," will cover recent side-channel attack techniques as exposed by Hertzbleed, Platypus, and Zenbleed. Gruss and Fogh will also explore how academic researchers and chip makers are collaborating to counter vulnerabilities and discuss top-line mitigation and patching strategies.

Gruss, now a professor in information security, says the chip makers hadn't been as responsive as the companies are now. His team reported the prefetch side-channel at the center of Spectre to Intel in 2016, but the chip maker dragged its feet.

"Intel could have had Spectre two years earlier than they had it ... if they would just have looked at our report a bit more closely and tried it out for a longer time on different machines and then investigated, but they didn't," Gruss says.

But that has changed, and Intel takes every security flaw reported very seriously, Gruss says.

**Communication Is Key**

Intel is in lockstep with researchers and also keeps communication lines open with rivals, such as AMD and Nvidia, as hardware bugs could affect multiple vendors, says Suzy Greenberg, vice president for Intel Product Assurance and Security Group.

Spectre and Meltdown used side-channel attacks to leak sensitive data that could include usernames and passwords. Hackers can conduct side-channel attacks by using system functions, such as frequency scaling and power consumption patterns.

Hundreds of papers on side-channel attacks have come out since the bugs were initially reported. However, no real-world break-ins based on the bugs have been reported, yet, according to Gruss and Intel. Side-channel attacks will always be there, and chip vendors won't be able to solve the bugs, Gruss says.

"The question is ... how can we keep them restricted enough so that attackers cannot exploit them for valuable information," Gruss says.

**Researchers Shift Focus to GPUs**

Researchers are also shifting their attention to exploring security bugs in GPUs, which are chips being used to serve artificial intelligence (AI).

A team of researchers including Gruss recently published research about a side-channel attack on Nvidia's GPUs. Nvidia last month issued 10 security alerts related to its GPU drivers and virtualization software.

"As we understand more and more about the microarchitecture on GPUs, and as they get more complex, we will also see more complex and more impactful attacks," Gruss says.

Side-channel attacks may also increase in the realm of confidential computing, which involves creating a secure enclave within hardware to run protected applications. Top chip makers Intel and AMD offer confidential computing chips for AI applications.

"Confidential computing adds attack surface from an academic perspective ... there is more to attack there than if you would be an unprivileged attacker," Gruss says.

Privileged users can get access to interfaces, instructions, and model-specific registers, which widens the attack surface.

Many new use cases and exploits are going to start coming with AI, Intel's Greenberg said.

"We're really trying to encourage that community to start looking at poking there because that's the big unknown," Greenberg says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Could Intel Have Fixed Spectre &amp; Meltdown Bugs Earlier?

Mimecast's acquisition of Code42 helps the company move into insider risk management, joining key rival Proofpoint and others in the space.

Source: Panther Media GmbH via Alamy Stock Photo

Email security providers are increasingly adding human risk management (HRM) tools to their portfolios to broaden their data loss prevention (DLP) capabilities. The latest to sharpen its focus on HRM is Mimecast, which acquired insider risk tool provider Code42 for undisclosed terms this week.

The deal marks Mimecast's second acquisition of an HRM company this year. In January, it made its foray into human risk management with the acquisition of Elevate Security, which resulted in last week's release of Mimecast's Engage risk management platform.

Omdia senior principal analyst Fernando Montenegro says Mimecast's competitors, such as Proofpoint, Sophos, ESET, OpenText (Webroot), and Barracuda Networks, have made similar moves into HRM.

"We have seen similar packaging of messaging security with user training and human factors in many vendors," Montenegro says. "This makes sense as we think there is a long-standing evolutionary pattern to cybersecurity to be better aligned to business outcomes and concerns, and this fits well into this narrative."

Mimecast is playing catch-up to Proofpoint, its most formidable competitor, which released its Proofpoint Nexus People Risk Explorer in 2021. Earlier, Proofpoint made its foray into insider threat management by acquiring ObserveIT, known for its insider threat management platform.

**Insider Risk Tied to Data Breaches**

According to Verizon's "2024 Data Breach Investigations Report" (DBIR), insiders were involved in 68% of all breaches in 2023. Forrester Research forecasts that figure could rise to 90% in 2024, according to its "Predictions 2024" report.

"HRM solutions and programs have surfaced to help CISOs evaluate their firm's human risk, determine whether they are getting a return on their training investment, whether their training is really changing anyone's behavior and improving the firm's cybersecurity posture, and determine what to manage human risk in addition to training people," the report's authors noted.

Weeks after closing the Elevate acquisition in January, Marc van Zadelhoff was tapped as Mimecast's new CEO, replacing co-founder Peter Bauer. Tasked with expanding Mimecast's emerging HRM portfolio, Zadelhoff inked a partnership with Code42 to integrate Code42 Incydr with the Mimecast platform.

By integrating Code42 Incydr's Watchlists for employees with a history of engaging in risky behavior (such as those who frequently fall for phishing attempts) with Mimecast's Profile Groups, organizations can automate the formation, management and policy enforcement among user groups. Likewise, Incydr can be used to manage Mimecast Profile Groups. The integration also lets Mimecast administrators detect and manage exfiltration activity.

Mimecast CEO Marc van Zadelhoff tells Dark Reading that the plan was to leverage that capability to emphasize Mimecast's human risk detection and management capabilities.

"We had been talking to Code42 for a while, and we did the partnership," van Zadelhoff says. "One thing led to another in terms of strengthening it."

Van Zadelhoff says the two acquisitions mark the company's entry into HRM.

"The partnership exposed to us that we had a lot of joint customer interest," he says. "In fact, during that time, we saw an increasing number of our customers adopt Code42 in a fairly short amount of time. As we started leveraging the human risk dashboard and the human risk platform, we started to see that when you add Code42 into the score, it really adds a lot of value on identifying the riskiest segment of the population out there.

**Product Portfolios to Remain Intact With Common Dashboard**

According to van Zadelhoff, there is no overlap between the products Mimecast now offers and Code42's portfolio.

"We tested the product around scalability and how it would work with our technology stack," he says. "It is incredibly compatible. There's zero overlap."

Further, van Zadelhoff insists no products from either company will be deprecated in the wake of the acquisition; the Code42 products will be rebranded Mimecast. Also, in the coming months, Mimecast will create a common human risk dashboard tied to its distinct offerings.

At next month's Black Hat USA Conference in Las Vegas, the company will demonstrate and roll out new artificial intelligence (AI) tools to detect exfiltration risk when employees upload files into generative AI platforms, such as Chat GPT.

"What we're really focused on is understanding when someone takes data from their corporate organizations or from a key repository and exfiltrates that to a public generative AI location," says Rob Juncker, Code42's CTO. "AI is something that we all have to deal with now. So it will be in our base product for all customers effective immediately."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mimecast Joins Human Risk Management Fray With Code42 Deal

The fake updates are part of a phishing and fraud surge that is both more voluminous and more targeted that the usual activity around national news stories.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Scam alert: Cybercriminals are using last week's CrowdStrike outage as a vehicle for social engineering attacks against the security vendor's customers.

In the hours after the event that grounded planes, shuttered stores, closed down medical facilities, and more, national cybersecurity agencies in the US, UK, Canada, and Australia all reported follow-on phishing activity by petty criminals. That much is to be expected after any national news event. But, says BforeAI CEO Luigi Lenguito, these post-CrowdStrike attacks are both more copious and more targeted than those typically seen after major media stories.

For reference, "in the attack last week on Trump, we saw a spike on the first day of 200 \[related cyber threats\] and then it flattened to 40, 50 a day," he says. "Here, you're looking at a spike that is three times as big. We're seeing about 150 to 300 attacks per day. I would say this is not the normal volume for news-related attacks."

**Profile of a CrowdStrike-Themed Scam**

"The philosophy is: We have these large corporations' users who are lost, because their computers cannot connect to the mothership, and now they're trying to get connected. It's a perfect opportunity for cybercriminals to get back into these networks," Lenguito explains.

This makes CrowdStrike-themed phishing attacks characteristically different from, say, Trump assassination-themed ones. They're much more targeted — aimed at organizations affected by the outage — and potential victims are more technically adept and educated in cybersecurity than your average bear.

To convince those people to let them in, attackers have been masquerading as either the company itself, related technical support, or competing companies with their own "offerings."

The evidence lies in phishing and typosquatting domains registered in recent days, like crowdstrikefix\[.\]com, crowdstrikeupdate\[.\]com, and www.microsoftcrowdstrike\[.\]com. One security researcher identified more than 2,000 such domains that have been generated thus far.

These domains might be used to distribute malware, like the ZIP file pretending to be a hotfix which was uploaded to a malware scanning service last weekend. The ZIP contained HijackLoader (aka IDAT Loader), which in turn loaded the RemCos RAT. The file was first reported from Mexico, and it contained Spanish-language filenames, indicating that the campaign likely targeted CrowdStrike customers in Latin America.

In another case, attackers distributed a CrowdStrike-themed phishing email with a crudely designed PDF attachment. Inside the PDF was a link to download a ZIP attachment with an executable inside. Once launched, the executable asked the victim for permission to install an update. The update, though, was a wiper. The pro-Hamas hacktivist group "Handala" took responsibility, claiming that "dozens" of Israeli organizations had lost several terabytes of data as a result.

However the threats might arrive, Lenguito says, organizations can protect themselves by using blocklists, protective DNS tools, and by avoiding tech support from anywhere other than CrowdStrike's own website and customer service channels.

Or, perhaps, they can just wait it out. "We're still early, right? We'll probably see it taper over the coming weeks. Generally, what we see is these campaigns have a tendency to last two to three weeks," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CrowdStrike 'Updates' Deliver Malware &amp; More as Attacks Snowball

The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.

Source: DD Images via Shutterstock

A long-known cyber-espionage group working on behalf of North Korea's foreign intelligence service is systematically stealing technical information and intellectual property from organizations in the US and other countries to advance its own nuclear and military programs.

The group — which security vendors track variously as Andariel, Silent Chollima, Onyx Sleet, and Stonefly — is using ransomware attacks on US health care entities to fund the campaign, the US government warned this week.

**A Clear and Present Danger**

In a joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide," the advisory noted.

Meanwhile, the US government offered a $10 million reward under the State Department's Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, whom it believes is a key player in the malicious cyber activity. In tandem, the US Justice Department indicted Jong Hyok on charges related to his involvement in Andariel attacks on multiple US entities, including NASA and two US Air Force bases.

The information that Andariel is pursuing in its current campaign is broad and varied. From defense organizations, the adversary has been stealing information pertaining to heavy and light tanks, self-propelled howitzers, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on everything from fighter aircraft, missiles, and missile defense systems to radars and nano-satellite technology. The goal with attacks on organizations in the nuclear sector is to gather data in areas like uranium processing and enrichment, material waste, and storage. And with engineering firms, the threat actor's focus is on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

"The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections," the advisory said.

**Well-Known Threat Actor**

Andariel has been active for several years. Researchers at Google's Mandiant who track the group as APT45 believe it has been operational since at least 2009. Microsoft, which tracks the threat actor as OnyxSleet, says it first spotted the group in 2014. Over the years, researchers have tied the group to numerous information stealing campaigns and destructive attacks on organizations in more than a dozen critical sectors, including defense, aerospace, energy, financial services, transportation, and health care. Many of its attacks have targeted South Korean entitities.

In a report that coincided with the US government warning this week, Mandiant said it had observed APT45 gradually launching more financially motivated attacks — like ransomware attacks — in recent years, even as it has continued with its cyber espionage mission. "APT45 is one of North Korea’s longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

Microsoft also released an update on the North Korean actor this week and has observed Onyx Sleet actors recently switch from spear-phishing as a way to gain initial access to using vulnerability exploits. But otherwise, its tradecraft has remained largely unchanged, Microsoft said. "Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective."

**Vulnerability Exploits and Custom Tools**

The US government advisory described Andariel as looking for and exploiting multiple well-known vulnerabilities to gain initial access to target networks in its recent attacks. Vulnerabilities that the group has been exploiting in its attacks include the Log4Shell flaw (CVE-2021-44228) in Apache's Log4j software; CVE-2023-46604, a maximum severity bug in Apache ActiveMQ server technology; CVE-2023-34362, a widely exploited remote code execution flaw in Progress Software's MOVEIt file transfer technology; and a similar flaw in Fortra's GoAnywhere software (CVE-2023-0669).

In all, the joint advisory listed 41 CVEs that Andariel actors have exploited to break into target networks as part of its cyberespionage campaign. Of that, 16 were vulnerabilities that various vendors disclosed last year. The oldest flaw in the list is from 2017 — CVE-2017-4946 — a privilege escalation bug in VMWare's V4H and V4PA desktop agents.

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data, the advisory said, listing nearly two dozen of them. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said. "The tools allow the actors to maintain access to the victim system, with each implant having a designated C2 node."

The advisory describes in detail other tactics, techniques, and procedures that Andariel actors have employed in recent attacks so organizations in the group's crosshairs can take protective measures. It also provides indicators of compromise that organizations can use to check for signs of the threat actor's presence on their network and systems.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Feds Warn of North Korean Cyberattacks on US Critical Infrastructure

Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.

Source: mundissima via Alamy Stock Photo

Check Point earlier this month discovered a remote code execution vulnerability, tracked as CVE-2024-38112, that impacts Microsoft Windows users and different versions of Windows Server.

The attackers used Windows Internet Shortcut files, which call on the retired Internet Explorer to visit a URL with a hidden malicious extension name and controlled by these threat actors. Because users are opening this URL with Internet Explorer, and not more secure browsers like Chrome or Edge, the threat actor has more advantages in exploiting the victim's device.

The threat actors also use a second method where they "make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application," wrote the Check Point researchers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this high-severity vulnerability to its Known Exploited Vulnerabilities Catalog  Catalog, with its score of 7.5 due to its active exploitation, and mandated that all Windows systems within federal agencies must be updated or shut down by July 30.

Other research shows that of the roughly 500,000 endpoints running Windows 10 and 11, more than 10% of those devices are missing endpoint protection controls and almost 9% lack patch management controls, meaning that these organizations have a significant number of blind spots for attackers to exploit. 

Though Microsoft issued a patch on July 9, some exploits of this vulnerability date back more than a year ago, which means organizations need to act quickly in their mitigation efforts.

**About the Author(s)**

Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims

How your organization can leverage the disruptive CrowdStrike update to become more resilient.

Chip Stewart, Director–Security, Privacy, and Risk Consulting, RSM US

July 25, 2024

5 Min Read

Source: Illia Uriadnikov via Alamy Stock Photo

COMMENTARY

In the wake of global IT issues caused by a defect in a content update for CrowdStrike's Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it's easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.

It's important to acknowledge the scale of this disruption, with 8.5 million incapacitated PCs across all sectors and organizational sizes. Small businesses, global conglomerates, government agencies, hospitals, and critical infrastructure were all met with the dreaded blue screen of death.

Even those who were not CrowdStrike customers felt the impact, with flights delayed and canceled, gas stations and grocery stores unable to complete transactions, and critical services like police and fire dispatch delayed.

However, there are lessons that every organization can take away from this event to help improve their ability to respond to a cyberattack.

**Detection**

The mean time to detect, or MTTD, is a metric in cyber operations describing how long it takes between when an incident begins and when the organization identifies that something has happened. This metric has been trending down for the past several years, partially because incidents resulting in ransomware deployment are glaringly and quickly apparent. This speedy detection contrasts with incidents where a sophisticated threat actor is siphoning private data from a network, which typically takes longer to discover.

This behavior parallels the obviousness of the CrowdStrike event. Computers across the network became unavailable, displaying a cryptic message about a failed driver. With this event, we have clarity on the start time, with organizations experiencing blue screens around 04:09 UTC.

Organizations should evaluate how long their teams took to detect the outage and how quickly they could reasonably speculate on the root cause. These metrics matter when threat actors deploy ransomware on a network.

**Response**

As IT teams confirmed the cause of the system issues, organizations scrambled to begin restoring systems. Many organizations struggled with incomplete asset inventories, partially managed devices, and no way to prioritize recovery activities reliably. Some found themselves locked out of the password vaults needed to restore critical systems. Others struggled to scale quickly to reimage laptops of remote users scattered across the country. 

These challenges mirror those expected during a ransomware incident and highlight the importance of maintaining an accurate accounting of IT assets that informs prioritization during recovery. Also, recovery plans must consider the operating environment and support reconstituting services in time frames that align with business objectives.

Organizations should evaluate the effectiveness of their response plans during this event, including their ability to prioritize systems that support critical functions and develop or test the granular recovery plans necessary to expedite the reconstitution of these services. They should also determine where there were gaps in asset management and the underlying causes of those discrepancies.

**Business Continuity**

As IT teams worked around the clock to restore systems and get users back online, this event forced many organizations to execute their business continuity plans and restore mission-critical functions. Organizations frequently confuse BCPs with disaster recovery plans (DRPs), resulting in an inability to execute mission-critical functions during this event.

Organizations frequently experience challenges in this area during a ransomware event, with no plan to reconstitute the capabilities that support mission-critical functions. With several high-profile ransomware attacks affecting health departments across the United States (including one during my tenure as the chief information security officer for the State of Maryland), seemingly simple administrative tasks, such as issuing death certificates, become impossible.

To prepare for ransomware events or other cyber disruptions, organizations should conduct a business impact analysis (BIA) and integrate the outputs into comprehensive BCPs, reducing the risk of protracted business disruption from a ransomware incident.

**Supply Chain and Vendor Risk**

The scale of this event has highlighted the risks of cyber events affecting supply chains more than any event in recent history, with financial transactions stalled, logistics companies unable to deliver goods, and hospitals unable to replenish lifesaving supplies. 

In 2021, Kronos, a human capital and workforce management SaaS provider, experienced substantial downtime due to a ransomware event, preventing employees from being paid and stopping work activities at thousands of organizations around the globe. With many organizations relying on their partners to recover quickly from a cyber incident, few were prepared to sustain operations in the event of an incident affecting their supply chain.

Organizations should consider and plan for cyber incidents that have negative consequences on their supply chains as part of their business continuity plans and ensure their partners do the same. 

**Improving Resilience From This Event**

For organizations affected by the CrowdStrike disruption, there is a unique opportunity to reflect on what went well and what your organization should focus on improving through the lens of a ransomware incident. While the disruption certainly should not be minimized, the reality of a ransomware incident includes exorbitant costs, weeks to months of downtime, regulatory challenges, potential lawsuits, and numerous other adverse effects that represent long-term organizational damage.

For organizations that experienced indirect impact through partners in their supply chain, there is an opportunity to ensure adequate supply chain diversification and contingency planning is happening.

For organizations lucky enough to have not experienced any adverse impact from this event, it's crucial to recognize that this could have happened to your organization just as easily, and it's better to be prepared than to be lucky.

For everyone, this is an opportunity to reflect on what you should be doing to improve your organization's resilience.

**About the Author(s)**

Director–Security, Privacy, and Risk Consulting, RSM US

Chip Stewart is a director in RSM's Security, Privacy, and Risk Consulting practice and the former CISO for the state of Maryland, where his charge was to build a statewide security program from the ground up. In this role, he championed the creation of the MD-ISAC, an advanced cyber-threat intelligence center focused on helping all levels of government in Maryland proactively protect their networks from cyber threats by providing them with real-time information.

Source

DARKReading