Plus: The FBI unlocks the Trump shooter’s phone, a security researcher gets legal threats for exposing hackable traffic lights, and more.

The week was particularly chock-full of dramatic security news. On Friday, a flawed update to CrowdStrike’s Falcon platform caused massive global service outages and disruptions around the world. The issue, which only impacted Windows computers, crashed PCs and servers, disrupting air travel, hospitals, banks, universities, and more.

Earlier in the week, WIRED had reported that following a massive data breach, AT&T paid $370,000 to get hackers to delete the stolen data. And, though it’s always possible that attackers saved a copy of the trove, a security researcher with knowledge of the transaction told WIRED he believes the only copy has been wiped. In a separate incident, hackers claimed last week to have stolen and leaked more than a terabyte of data comprising Disney’s complete Slack archive.

A WIRED analysis of Republican vice presidential nominee J.D. Vance’s Venmo account sheds some light on the Senator’s network and connections, including some of the architects of Project 2025 and enemies of Vance’s running mate, Donald Trump.

Federal prosecutors indicted a 20-year-old man on Tuesday for allegedly leading the violent and White supremacist Eastern European gang known as “Maniac Murder Cult,” or MKY. The group has been implicated in a number of assaults and attacks abroad, including at least one murder.

The US Supreme Court’s recent decision in _Loper Bright Enterprises v. Raimondo_ to overturn what’s known as the Chevron deference will have major implications for US cybersecurity defense, because federal agencies are now limited in their ability to regulate. And US senator Mark Warner of Virginia is working to pass new limits on government wiretaps, but at least two senators are quietly trying to stop him.

And there’s more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Russian Hacktivists Who Attacked US Water Utilities Named and Sanctioned**

Sometimes “Julia,” the shadowy, pseudonymous Russian hacker telling you her grand plans to sabotage the West, really is just Julia. Or Yuliya.

On Friday, the Treasury Department announced that it is imposing sanctions on two alleged Russian cybercriminals for their alleged involvement in the hacktivist group Cyber Army of Russia Reborn, or CARR, which rose to prominence this year due to its reckless and somewhat sloppy attacks on Western critical infrastructure, as well as its apparent ties to Russia’s GRU military intelligence agency. Those two sanctioned hackers are identified in Treasury’s statement for the first time as Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko.

In May, WIRED interviewed a CARR spokesperson who called herself Julia about the group’s attacks, which included one that caused tens of thousands of gallons of water to be spilled from a water utility in the small town of Muleshoe, Texas. That spokesperson now appears to have likely been Pankratova, who is identified by Treasury as CARR’s spokesperson, while Degtyarenko is described as its “primary hacker.”

Treasury also notes that “instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication,” a line that, for any hacker, may hurt even worse than sanctions.

**FBI Gains Access to Trump Shooter’s Locked Phone**

For anyone who thought the locked phone of would-be Trump assassin Thomas Crooks was about to lead to another standoff between the FBI and the tech industry’s privacy advocates—standoff over. Immediately following the assassination attempt, which ended when Crooks was shot and killed by police, Crooks’ locked Android phone was unlocked by the FBI, the Bureau announced last weekend. Though the FBI didn’t reveal how it was able to crack the phone, Bloomberg reported later this week that law enforcement used “unreleased technology” from the phone-hacking software company Cellebrite.

**Security Researcher Shows Traffic Lights Are Hackable—and Gets a Legal Threat**

Hacking traffic lights has long been one of Hollywood’s favorite ideas of cyber mayhem, from the _Italian Job_ to _Live Free or Die Hard_. If only cyber defenders had known all along that they could prevent all that traffic hacking with a strongly worded letter from their lawyer.

This week, Andrew Lemon, a researcher for security firm Red Threat, published a pair of blog posts that outline how it would be possible to hack traffic light systems sold by the company Econolite due to a lack of authentication in their web interface. While the software had safeguards in place that would have prevented tampering with the lights to cause collisions, a hacker could nonetheless have messed with their configuration to cause traffic jams, Lemon found. When Lemon reported the issues to Econolite, however, its parent company, Q-Free, responded in a letter that not only didn’t suggest it would fix the issue—it said it no longer sells the systems—but also threatened Lemon by pointing out his hacking research was potentially illegal. A company spokesperson told TechCrunch, which broke the story, that municipalities that use the vulnerable system should not leave the traffic light software exposed online and should buy newer systems to replace them.

**North Korean Hackers Steal $230 Million in Crypto From WazirX Exchange**

Another week, another nine-figure injection of digital funds into the world’s most authoritarian country. WazirX, India’s largest cryptocurrency exchange, was hacked this week and robbed of nearly a quarter-billion dollars in crypto, largely in the form of SHIB, a Shiba Inu-themed cryptocurrency. Crypto-tracing firm Elliptic quickly tied the attack to North Korean hackers. That absurd and disturbing crime adds significantly to the $1.4 billion that hackers have stolen in crypto so far this year, which was already on pace to double last year’s total cryptocurrency thefts.

The Feds Say These Are the Russian Hackers Who Attacked US Water Utilities

Swindlers are spinning up bogus websites in an attempt to dupe people with “CrowdStrike support” scams following the security firm's catastrophic software update.

The security firm CrowdStrike inadvertently caused mayhem around the world on Friday after deploying a faulty software update to the company's Falcon monitoring platform that bricked Windows computers running the product. Fallout from the incident will take days to resolve, and the company is warning that, as system administrators and IT staff work on remediation, another threat is looming: predatory digital scams attempting to capitalize on the crisis.

Researchers on Friday afternoon began warning that attackers are reserving domain names and starting to spin up websites and other infrastructure to run “CrowdStrike Support” scams targeting the company's customers and anyone who might be impacted by the chaos. CrowdStrike's own researchers also warned about the activity on Friday and published a list of domains seemingly registered to impersonate the company.

“We know that adversaries and bad actors will try to exploit events like this,” CrowdStrike founder and CEO George Kurtz wrote in a statement. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates."

Attackers inevitably take advantage of prominent global events as well as topical issues in specific geographic areas to try to trick people into sending them money, steal target account credentials, or compromise victims with malware.

“Threat actors invariably attempt to capitalize on any major event,” says Brett Callow, managing director of cybersecurity and data privacy communications at FTI Consulting. “Whenever an organization experiences an incident, it's something customers and business partners should be prepared for.”

While most individuals are not personally responsible for addressing CloudStrike-related computer outages, the incident is ripe for exploitation because some of the IT professionals working on remediation could be desperate for solutions. In most cases, the fix for impacted computers involves individually booting and correcting each one—a potentially time-consuming and logistically difficult process. And for small-business owners who don't have access to extensive IT expertise, the challenge may be particularly daunting.

Researchers, including those from CrowdStrike intelligence, have thus far seen attackers sending phishing emails or making phone calls where they pretend to be CrowdStrike support staff and selling software tools that claim to automate the process of recovering from the faulty software update. Some attackers are also pretending to be researchers and claiming to have special information vital to recovery—that the situation is actually the result of a cyberattack, which it's not.

CrowdStrike emphasizes that customers should confirm that they are communicating with legitimate company staff members and only trust the company's official corporate communications.

“Speedy alerts to employees outlining potential risks will help,” Callow says of how CloudStrike customers should work to defend themselves. "Forewarned is forearmed."

Don't Fall for CrowdStrike Outage Scams

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

**Calibre-Web Cross Site Scripting (XSS)**

Moderate severity GitHub Reviewed Published Jul 19, 2024 to the GitHub Advisory Database • Updated Jul 19, 2024

GHSA-j22r-3rf3-cv25: Calibre-Web Cross Site Scripting (XSS)

An enormous IT outage across the world today is not the result of a cyberattack, but rather a faulty update from CrowdStrike.

A faulty update from the cybersecurity vendor CrowdStrike crashed countless Windows computers and sent them into a “Blue Screen of Death” (BSOD), grinding to a halt the global operations of airlines, hospitals, news broadcasters, transportation agencies, and more.

The incident itself is not the result of a cyberattack. There is no evidence of a breach or of any cybercriminal involvement.

But, as Malwarebytes Labs has reported before, many major events can lead to follow-on threats of phishing and scams, and this global outage is no different. On July 19, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on this same risk:

“CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”

As of reporting, CrowdStrike has already issued a fix.

****What happened****

On July 19, businesses in Australia began reporting that their Windows computers were restarting automatically into a BSOD, making them inaccessible to users. The reports were limited only to Windows machines and, as verified later by CrowdStrike, computers running Mac OS or Linux were not affected.

As IT admins in Australia scrambled to get their organizations back online, the same BSOD issue began greeting workers across Europe. The problem, it became clear, was becoming global, with reports of similar problems in Germany, Japan, India, and, eventually, the United States.

Hundreds of businesses were immediately impacted. Flights were grounded. Delays are being warned for package delivery provider UPS. Hospitals in the state of Maryland began cancelling procedures. And The Washington Post reported that, while many retailers were unscathed, coffee giant Starbucks was experiencing difficulties with its mobile ordering system.

What every affected business had in common was their use of Windows computers running CrowdStrike’s cybersecurity platform.

In the past 24 hours, CrowdStrike issued a faulty software update for Windows devices that included a problematic “channel file.” Windows devices that installed this update were then sent into a boot loop back into the “Blue Screen of Death” which kept users from accessing their own computers.

****The fix****

As of 05:27 AM UTC, CrowdStrike had identified the faulty channel file and issued a new, safe channel file for use. Deleting the channel file and installing the correct channel file, however, could require direct, physical access to a computer—a particularly time-intensive task as increasingly more businesses have adopted hybrid and Work From Home models.

CrowdStrike has a full statement on hox to fix Windows machines that are still stuck in the BSOD loop here.

Everyday users who are affected by this outage on their work machines or personal machines are not at heightened risk of a cybersecurity attack. Instead, people should simply remain vigilant about malicious emails and websites that promise fixes for the problem. For any and all maintenance, rely on CrowdStrike’s official statements and, if experiencing problems at work, rely on your IT admin.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 CrowdStrike update at center of Windows &#8220;Blue Screen of Death&#8221; outage 

The Identity Theft Resource Center has published a report showing a 1,170% increase in compromised data victims compared to the same quarter last year.

Nope, that headline’s not a typo. Over one thousand percent.

The Identity Theft Resource Center (ITRC) tracked 1,041,312,601 data breach victims in Q2 2024, an increase of 1,170% over Q2 2023 (81,958,874 victims).

The ITRC is a national non-profit organization set up with the goal of minimizing the risk and mitigating the impact of identity compromise. Through public and private support, it provides no-cost victim assistance and consumer education.

The vast majority of that rise in numbers in due to a few very large compromises. The ITRC mentions Prudential (2.5 million people) and Infosys McCamish Systems (6 million people) as main contributors.

Because both of these breaches were announced/updated in the second quarter of 2024 they have a huge impact on the numbers. When we compare the number of data breach victims in the first half of 2024 (H1 2024) then we see an increase of 490 percent compared to the first half of 2023. Which is still significant and worrying.

The ITRC broke down some of the numbers to show them in an infographic.

Infographic by ITRC

Some notable statistics we can derive from the infographic:

*   Almost 90% of the compromises in H1 2024 are due to data breaches.
*   Financial services had the most breaches, followed by healthcare.
*   The largest data breaches in number of victims are Ticketmaster, Advance Auto Parts, and Dell.
*   80 supply chain attacks accounted for 446 affected entities and over 10 million victims.

Another trend the ITRC highlights is the increase in stolen driver’s license information. Mostly caused by a post pandemic trend to use driver’s license information for identity confirmation. This has increased both the chances of this information being included in a breach, and increased the value of that information to thieves.

The number of data breaches where driver’s license data was stolen totaled 198 instances in pre-pandemic, full-year 2019 compared to 636 in full-year 2023 and 308 through June 30, 2024.

Most of the data breaches are not the result of negligence but of targeted cyberattacks. This explains the rising demand for data deletion services. Not only does it play a significant role in safeguarding privacy rights on the business side, it also helps avoid or lessen the legal consequences of a breach.

ITRC president and CEO Eva Velasquez summarized the report like this:

> “The takeaway from this report is simple. Every person, business, institution and government agency must view data and identity protection with a greater sense of urgency.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

Looking at the numbers in the ITRC report, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 Number of data breach victims goes up 1,000% 

Though the cybersecurity vendor has since reverted the update, chaos continues as companies continue to struggle to get back up and running.

Source: SOPA Images Limited via Alamy Stock Photo

This is a breaking news story and will be updated as new developments occur.

This morning, Microsoft servers across the world displayed the dreaded "blue screen of death," leading to mass IT outages that disrupted business, airlines and flights, healthcare providers, banks, and more. The cause: A defective update to CrowdStrike Falcon Sensor, a widely used cloud-based endpoint detection and prevention (EDR) software program.

CrowdStrike said its engineering team has identified the issue that caused the massive disruption to Windows-based systems: A bug in the Memory Scanning prevention policy, which was not identified during their testing stages, Callie Guenther, senior manager at Critical Start, noted in an emailed statement.

"While CrowdStrike likely performed standard regression and functionality tests, these were insufficient because they did not simulate the real-world deployment environment where the bug caused the Falcon sensor to consume 100% of a CPU core," she wrote. This ultimately led to system performance issues.

CrowdStrike has since reverted the flawed Falcon software update. Even so, some users are still experiencing system crashes or are unable to stay online to receive the new and fixed version. The cybersecurity vendor has provided workaround steps for this issue.

In a post on social platform X, Microsoft CEO Satya Nadella said the company is aware of the issue and is working closely with CrowdStrike to provide technical support to its customers and get their systems back online.

**Falcon Fallout**

The severity of the broken CrowdStrike update became increasingly painful as victim reports rolled in throughout the day: More than 1,300 flights have been canceled or delayed, trains, card payments in stores, pharmacies, and even general practitioner (GP) surgeries were stalled. 

The Department of Health in Belfast reported that two-thirds of GP practices in Northern Ireland have been affected, with patient records inaccessible as well as lab tests and routine prescriptions.

Delta flights have been paused as it "works through a vendor technology issue," the New York Times reported, and Turkish Airlines has canceled at least 84 flights. Employees at financial institutions like JPMorgan Chase and Instinet have had trouble accessing their corporate systems as operations began to stutter.

Even the Paris Olympics organizing committee reports that its IT operations have been affected, mainly affecting delivery of uniforms and accreditations.

Meanwhile, President Joe Biden has been briefed on the outage, according to the White House, and administration officials are reportedly in touch with affected entities as well as CrowdStrike, which is working with customers that have been impacted.

"Mac and Linux hosts are not impacted," George Kurtz, president and CEO of CrowdStrike, wrote online. "This is not a security incident or cyberattack. The issue has been identified \[and isolated,\] and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

**It's Not a Data Breach, but it's a Disaster**

In an industry where cybersecurity practices and services are meant to protect an enterprise without interrupting them, this outage proves that "even non-malicious cybersecurity failures can bring businesses to their knees," according to Maxine Holt, cybersecurity analyst at Omdia.

This massive incident underscores an over-reliance on cloud services, Holt noted in an online statement, and the outage may prompt organizations to reconsider moving their mission-critical applications to the cloud.

"Omdia's Cloud and Data Center analysts have long warned about over-reliance on cloud services," Holt said. "Today's outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike's shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value."

As CrowdStrike will undoubtedly face scrutiny as it gets back on its feet, only time will tell how this outage could affect regulation and pressure on software vendors.

"We need stronger regulations and guidance on vendor responsibilities for functional testing," Josh Thorngren, security strategist at ForAllSecure, wrote in an emailed statement. "If you're not testing the behavior of your application under-expected (and unexpected) conditions with every update — this type of issue will always be a risk."

Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide

A defective CrowdStrike kernel driver sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

Only a handful of times in history has a single piece of code managed to instantly wreck computer systems worldwide. The Slammer worm of 2003. Russia’s Ukraine-targeted NotPetya cyberattack. North Korea’s self-spreading ransomware WannaCry. But the ongoing digital catastrophe that rocked the internet and IT infrastructure around the globe over the past 12 hours appears to have been triggered not by malicious code released by hackers, but by the software designed to stop them.

A software update from cybersecurity company CrowdStrike appears to have inadvertently disrupted IT systems globally.

Two internet infrastructure disasters collided on Friday to produce disruptions around the world in airports, train systems, banks, health care organizations, hotels, television stations, and more. On Thursday night, Microsoft’s cloud platform Azure experienced a widespread outage. By Friday morning, the situation turned into a perfect storm when the security firm CrowdStrike released a flawed software update that sent Windows computers into a catastrophic reboot spiral. A Microsoft spokesperson tells WIRED that the two IT failures are unrelated.

The cause of one of those two disasters, at least, has become clear: buggy code pushed out as an update to CrowdStrike’s Falcon monitoring product, essentially an antivirus platform that runs with deep system access on “endpoints” like laptops, servers, and routers to detect malware and suspicious activity that could indicate compromise. Falcon requires permission to update itself automatically and regularly, since CrowdStrike is constantly adding detections to the system to defend against new and evolving threats. The downside of this arrangement, though, is the risk that this system, which is meant to enhance security and stability, could end up undermining it instead.

“It's the biggest case in history. We’ve never had a worldwide workstation outage like this,” says Mikko Hyppönen, the chief research officer at cybersecurity company WithSecure. Around a decade ago, Hyppönen says, widespread outages were more common due to the spread of worms or trojans. More recently, global outages have happened on the “server side” of systems, meaning outages often stem from cloud providers such as Amazon’s Web Services, internet cable cuts, or authentication and DNS issues.

CrowdStrike CEO George Kurtz said on Friday that the issues were caused by a “defect” in code the company released for Windows. Mac and Linux systems were not affected. “The issue has been identified, isolated and a fix has been deployed,” Kurtz said in a statement, adding the problems were not the result of a cyberattack. In an interview with NBC, Kurtz apologized for the disruption and said it may take some time for things to be back to normal.

The widespread Windows outages have been linked to a software update from cybersecurity giant ​​CrowdStrike. It is believed the issues are not linked to a malicious cyberattack, cybersecurity officials say, but rather stem from a misconfigured/corrupted update that CrowdStrike pushed out to its customers.

Security and IT analysts searching for the root cause of the gargantuan outage say that it appears to be related to a “kernel driver” update to CrowdStrike’s Falcon software. Kernel drivers are the software components that allow applications to interact with Windows at its deepest level, the core of the operating system known as its kernel. That highly sensitive level of access is necessary for security software, so that it can run prior to any malicious software installed on the system and access any part of the system where hackers might seek to plant their code. As malware has improved and evolved, it has pushed defense software to require constant connection and more extensive control.

That deeper access also introduces a far higher possibility that security software—and updates to that software—will crash the whole system, says Matthieu Suiche, head of detection engineering at the security firm Magnet Forensics. He compares running malicious code detection software at the kernel level of an operating system to “open-heart surgery.”

Yet it’s nonetheless surprising that a kernel driver update would be able to cause such a massive global computer crash, says Costin Raiu, who worked at Russian security software firm Kaspersky for 23 years and led its threat intelligence team before leaving the company last year. During his years at Kaspersky, he says, driver updates for Windows software were closely scrutinized and tested for weeks before they were pushed out.

More importantly, they require that Microsoft also vet the code and cryptographically sign it, suggesting that Microsoft, too, may well have missed whatever bug in CrowdStrike’s Falcon driver triggered this outage. “It’s surprising that with the extreme attention paid to driver updates, this still happened,” says Raiu. “One simple driver can bring down everything. Which is what we saw here.”

A Microsoft spokesperson told WIRED that the “CrowdStrike update was responsible for bringing down a number of IT systems globally,” and added that “Microsoft does not have oversight into updates that CrowdStrike makes in its systems,” without further explanation of whether Microsoft does in fact inspect and sign kernel driver updates.

Raiu adds that even so, CrowdStrike is far from the only security firm to trigger Windows crashes with a driver update. Updates to Kaspersky and even Windows’ own built-in antivirus software Windows Defender have caused similar Blue Screen of Death crashes in years past, he notes. “Every security solution on the planet has had their CrowdStrike moments,” Raiu says. “This is nothing new but the scale of the event.”

Cybersecurity authorities around the world have issued alerts about the disruption, but have similarly been quick to rule out any nefarious activity by hackers. “The NCSC assesses that these have not been caused by malicious cyber attacks,” Felicity Oswald, CEO of the UK’s National Cyber Security Center, said. Officials in Australia have come to the same conclusion.

Nevertheless, the impact has been sweeping and dramatic. Around the world, the outages have been spiraling as companies, public bodies, and IT teams race to fix bricked machines, which involves manually taking machines through a series of corrective steps, including rebooting. In the UK, Israel, and Germany, health care services and hospitals saw systems that they use to communicate with patients disrupted, and canceled some appointments. Emergency services in the US using 911 have reportedly had problems with their lines too. In the earliest hours of the outages, some TV stations, including Sky News in the UK, stopped live news broadcasts.

Global air travel has been one of the most impacted sectors so far. Huge lines formed at airports around the world, with one airport in India using handwritten boarding passes. In the US, Delta, United, and American Airlines grounded all flights at least temporarily, with a dramatic graphic showing air traffic plummeting above the US.

The catastrophic situation reflects the fragility and deep interconnectedness of the internet. Numerous security practitioners told WIRED that they anticipated or even worked with clients to attempt to protect against a scenario where defense software itself caused cascading failures as a result of malicious exploitation or human error, as is the case with CrowdStrike. “This is an incredibly powerful illustration of our global digital vulnerabilities and the fragility of core internet infrastructure,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Center.

The ability of one update to trigger such massive disruption still puzzles Raiu. According to Gartner, a market research firm, CrowdStrike accounts for 14 percent of the security software market by revenue, meaning its software is on a wide array of systems. Raiu suggests that the Falcon update must have triggered crashes in other parts of web infrastructure, which could have multiplied the disaster. “CrowdStrike is big, but it can’t be this big,” Raiu says. “Airports, critical infrastructure, hospitals. It cannot be just CrowdStrike everywhere. I suspect we’re seeing a combination of factors, a cascading effect, a chain reaction.”

Hyppönen, from WithSecure, says his “guess” is that the issues may have happened due to “human error” in the update process. “An engineer at CrowdStrike is having a really bad day,” he says. Hyppönen suggests that CrowdStrike could have shipped software different to what they had been testing or mixed up files, or there could’ve been a combination of different factors. “Software like this has to go through extensive testing,” Hyppönen says. “That's what we do. That's what CrowdStrike, of course, does. You have to be really careful about what you ship, which is tough to do because security software is updated very frequently.”

While many of the impacts of the outage are ongoing and still unraveling, the nature of the problem means that individually impacted machines may need to be rebooted manually rather than through an automated process. “It could be some time for some systems that just automatically won’t recover,” CrowdStrike CEO Kurtz told NBC.

The company’s initial “workaround” guidance for dealing with the incident says Windows machines should be booted in a safe mode, a specific file should be deleted, and then rebooted. “The fixes we’ve seen so far mean that you have to physically go to every machine, which will take days, because it’s millions of machines around the world which are having the problem right now,” says Hyppönen from WithSecure.

As system administrators race to contain the fallout, the larger existential question of how to prevent another, similar crisis looms large.

“People may now demand changes in this operating model,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “For better or worse, CrowdStrike has just shown why pushing updates without IT intervention is unsustainable.”

_Update 7/19/2024, 11am ET: Added comment from Microsoft saying that the Azure outage and the CrowdStrike kernel driver issue are unrelated._

_Update 7/19/2024, 12:30pm ET: Added further comment from Microsoft about its lack of oversight of CrowdStrike's updates._

_Update 7/19/2024, 3:45pm ET: Updated to clarify that Amazon Web Services was not impacted by the CrowdStrike update, according to the company._

How One Bad CrowdStrike Update Crashed the World’s Computers

A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike's solution needs to be applied manually on a per-machine basis.

A faulty software update from cybersecurity vendor **Crowdstrike** crippled countless **Microsoft Windows** computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike’s solution needs to be applied manually on a per-machine basis.

A photo taken at San Jose International Airport today shows the dreaded Microsoft “Blue Screen of Death” across the board. Credit: Twitter.com/adamdubya1990

Earlier today, an errant update shipped by Crowdstrike began causing Windows machines running the software to display the dreaded “Blue Screen of Death,” rendering those systems temporarily unusable. Like most security software, Crowdstrike requires deep hooks into the Windows operating system to fend off digital intruders, and in that environment a tiny coding error can quickly lead to catastrophic outcomes.

In a post on Twitter/X, Crowdstrike CEO **George Kurtz** said an update to correct the coding mistake has been shipped, and that Mac and Linux systems are not affected.

“This is not a security incident or cyberattack,” Kurtz said on Twitter, echoing a written statement by Crowdstrike. “The issue has been identified, isolated and a fix has been deployed.”

Posting to Twitter/X, the director of Crowdstrike’s threat hunting operations said the fix involves booting Windows into Safe Mode or the Windows Recovery Environment (Windows RE), deleting the file “C-00000291\*.sys” and then restarting the machine.

The software snafu may have been compounded by a recent series of outages involving Microsoft’s **Azure** cloud services, _The New York Times_ reports, although it remains unclear whether those Azure problems are at all related to the bad Crowdstrike update. **Update, 4:03 p.m. ET:** Microsoft reports the Azure problems today were unrelated to the bad Crowdstrike update.

A reader shared this photo taken earlier today at Denver International Airport. Credit: Twitter.com/jterryy07

**Matt Burgess** at _Wired_ writes that within health care and emergency services, various medical providers around the world have reported issues with their Windows-linked systems, sharing news on social media or their own websites.

“The US Emergency Alert System, which issues hurricane warnings, said that there had been various 911 outages in a number of states,” Burgess wrote. “Germany’s University Hospital Schleswig-Holstein said it was canceling some nonurgent surgeries at two locations. In Israel, more than a dozen hospitals have been impacted, as well as pharmacies, with reports saying ambulances have been rerouted to nonimpacted medical organizations.”

In the United Kingdom, NHS England has confirmed that appointment and patient record systems have been impacted by the outages.

“One hospital has declared a ‘critical’ incident after a third-party IT system it used was impacted,” Wired reports. “Also in the country, train operators have said there are delays across the network, with multiple companies being impacted.”

Reactions to today’s outage were swift and brutal on social media, which was flooded with images of people at airports surrounded by computer screens displaying the Microsoft blue screen error. Many Twitter/X users chided the Crowdstrike CEO for failing to apologize for the massively disruptive event, while others noted that doing so could expose the company to lawsuits.

Meanwhile, the international Windows outage quickly became the most talked-about subject on Twitter/X, whose artificial intelligence bots collated a series of parody posts from cybersecurity professionals pretending to be on their first week of work at Crowdstrike. Incredibly,Twitter/X’s AI summarized these sarcastic posts into a sunny, can-do story about Crowdstrike that was promoted as the top discussion on Twitter this morning.

“Several individuals have recently started working at the cybersecurity firm Crowdstrike and have expressed their excitement and pride in their new roles,” the AI summary read. “They have shared their experiences of pushing code to production on their first day and are looking forward to positive outcomes in their work.”

The top story today on Twitter/X, as brilliantly summarized by X’s AI bots.

This is an evolving story. Stay tuned for updates.

Global Microsoft Meltdown Tied to Bad Crowdstrike Update

According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.

Source: Travel mania via Shutterstock

One of China's more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry.

The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023. Since then, the group has successfully infiltrated multiple victim networks and maintained prolonged access on them, Google's Mandiant security group said this week in a joint analysis with Google's Threat Analysis Group (TAG). Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

APT41 is sort of an umbrella descriptor for a collective of China-based threat actors engaged in cyber espionage, supply chain attacks, and financially motivated cybercrime around the globe since at least 2012. Over the years security researchers have identified multiple subgroups as being part of the APT41 collective, including Wicked Panda, Winnti, Suckfly, and Barium. These groups have stolen trade secrets, intellectual property, healthcare related data and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. In 2020, the US government indicted five members of APT41 for participating in or contributing to attacks on more than 100 companies worldwide. Those charges have done little to deter the group's activities so far, however.

**APT41's Widespread Geographic Impact**

Nearly all but one of the targeted organizations in the shipping and logistics sector were based in the Middle East and Europe, while all organizations that APT41 targeted in the media and entertainment sector were located in Asia. Many victims within the shipping and logistics sectors have operations across multiple continents, either as subsidiaries or affiliates of large multinational companies in the same sector, Mandiant researchers said.

"An analysis of victim organizations within specific sectors reveals a notable geographic distribution," Mandiant researchers said in its blog post.

Further, "Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore," the security vendor wrote. "At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting."

**Custom Cyber Espionage Tools**

Mandiant researchers also said it had observed APT41 actors using a range of custom tools in its ongoing campaign, including those for dropping malware on target systems, establishing backdoors, moving laterally in compromised networks, and exfiltrating data from them. The tools include two Web shells for persistence, called AntsWord and BlueBeam, which the threat actor has been using to download a dropper called DustPan, which in turn attempts to load the Beacon post-compromise tool on victim systems.

In addition to this, Mandiant said it observed APT41 use a hitherto unseen multi-stage plugin framework called DustTrap for decrypting malicious payloads and executing them in memory so as to enable communication between the compromised system and APT-41 controlled systems and infrastructure. "DustPan has been used by APT41 as far back as 2021, but DustTrap was first seen in this activity," says Ben Read, head of cyber espionage analysis at Mandiant.

Other tools that APT41 actors have effectively deployed in the current campaign include malware dubbed SQLULDR2 for copying data from Oracle Databases and PineGrove for exfiltrating large volumes of data from a compromised network to a OneDrive account for subsequent analysts.

"APT41 has always had a global mandate, so while their targeting in this campaign likely reflects current PRC priorities, the widespread nature is consistent with what we have seen previously from them," Read says.

So far, Mandiant has found no evidence to suggest that APT41 are seeking to monetize their attacks in the current campaign in any way. "However, we do not have full insight into the post compromise activity, so can't say for sure."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Global Logistics, Utilities Companies

Ubuntu Security Notice 6898-3 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6898-3July 19, 2024linux-aws, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernelDetails:Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did notproperly handle certain error conditions, leading to a NULL pointerdereference. A local attacker could possibly trigger this vulnerability tocause a denial of service. (CVE-2022-38096)Gui-Dong Han discovered that the software RAID driver in the Linux kernelcontained a race condition, leading to an integer overflow vulnerability. Aprivileged attacker could possibly use this to cause a denial of service(system crash). (CVE-2024-23307)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel when modifying certain settings values through debugfs.A privileged local attacker could use this to cause a denial of service.(CVE-2024-24857, CVE-2024-24858, CVE-2024-24859)Bai Jiaju discovered that the Xceive XC4000 silicon tuner device driver inthe Linux kernel contained a race condition, leading to an integer overflowvulnerability. An attacker could possibly use this to cause a denial ofservice (system crash). (CVE-2024-24861)Chenyuan Yang discovered that the Unsorted Block Images (UBI) flash devicevolume management subsystem did not properly validate logical eraseblocksizes in certain situations. An attacker could possibly use this to cause adenial of service (system crash). (CVE-2024-25739)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - Accessibility subsystem;  - Android drivers;  - Bluetooth drivers;  - Clock framework and drivers;  - Data acquisition framework and drivers;  - Cryptographic API;  - DMA engine subsystem;  - GPU drivers;  - HID subsystem;  - I2C subsystem;  - IRQ chip drivers;  - Multiple devices driver;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Device tree and open firmware driver;  - PCI subsystem;  - S/390 drivers;  - SCSI drivers;  - Freescale SoC drivers;  - Trusted Execution Environment drivers;  - TTY drivers;  - USB subsystem;  - VFIO drivers;  - Framebuffer layer;  - Xen hypervisor drivers;  - File systems infrastructure;  - BTRFS file system;  - Ext4 file system;  - FAT file system;  - Network file system client;  - Network file system server daemon;  - NILFS2 file system;  - Pstore file system;  - SMB network file system;  - UBI file system;  - Netfilter;  - BPF subsystem;  - Core kernel;  - PCI iomap interfaces;  - Memory management;  - B.A.T.M.A.N. meshing protocol;  - Bluetooth subsystem;  - Ethernet bridge;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - MAC80211 subsystem;  - IEEE 802.15.4 subsystem;  - NFC subsystem;  - Open vSwitch;  - RDS protocol;  - Network traffic control;  - SMC sockets;  - Unix domain sockets;  - eXpress Data Path;  - Key management;  - ALSA SH drivers;  - KVM core;(CVE-2024-35855, CVE-2024-35944, CVE-2024-35851, CVE-2024-35796,CVE-2024-26812, CVE-2024-26814, CVE-2024-35819, CVE-2024-26976,CVE-2024-35809, CVE-2024-35973, CVE-2024-26964, CVE-2024-35852,CVE-2024-27018, CVE-2024-26958, CVE-2024-35893, CVE-2024-35885,CVE-2024-26950, CVE-2024-26654, CVE-2024-26993, CVE-2024-26957,CVE-2024-35907, CVE-2024-26984, CVE-2024-35806, CVE-2024-35988,CVE-2024-35930, CVE-2024-27009, CVE-2024-27020, CVE-2024-35905,CVE-2024-35857, CVE-2023-52699, CVE-2024-35902, CVE-2024-35895,CVE-2024-35934, CVE-2024-35853, CVE-2024-26937, CVE-2024-27013,CVE-2024-26813, CVE-2024-35925, CVE-2024-26956, CVE-2024-26935,CVE-2024-26925, CVE-2024-26926, CVE-2024-35922, CVE-2024-35813,CVE-2024-26973, CVE-2024-26961, CVE-2024-26934, CVE-2024-26687,CVE-2024-35900, CVE-2024-35871, CVE-2024-35896, CVE-2024-36005,CVE-2024-26989, CVE-2024-35807, CVE-2024-35789, CVE-2024-26970,CVE-2024-35935, CVE-2024-27008, CVE-2024-26981, CVE-2024-35897,CVE-2024-26988, CVE-2024-26642, CVE-2024-35997, CVE-2024-35915,CVE-2024-35822, CVE-2024-26966, CVE-2024-27019, CVE-2024-26965,CVE-2024-35884, CVE-2024-35969, CVE-2024-36025, CVE-2024-27000,CVE-2024-26817, CVE-2024-35978, CVE-2024-26929, CVE-2024-27395,CVE-2024-35825, CVE-2024-36007, CVE-2024-35886, CVE-2024-35854,CVE-2023-52880, CVE-2024-26629, CVE-2024-35785, CVE-2024-35960,CVE-2024-26994, CVE-2023-52488, CVE-2024-26977, CVE-2024-27059,CVE-2024-27393, CVE-2024-26999, CVE-2024-35849, CVE-2024-36008,CVE-2024-26969, CVE-2024-35899, CVE-2024-35933, CVE-2024-35958,CVE-2024-27001, CVE-2024-35940, CVE-2024-26931, CVE-2024-36006,CVE-2024-35955, CVE-2024-26811, CVE-2024-35872, CVE-2024-36031,CVE-2024-26960, CVE-2024-26996, CVE-2024-35804, CVE-2024-35918,CVE-2024-27016, CVE-2024-36004, CVE-2024-27396, CVE-2024-35823,CVE-2024-35847, CVE-2024-35990, CVE-2024-26955, CVE-2024-35890,CVE-2024-35898, CVE-2024-35888, CVE-2024-35877, CVE-2024-35910,CVE-2024-35821, CVE-2024-26951, CVE-2024-27015, CVE-2024-35912,CVE-2024-26974, CVE-2024-26923, CVE-2024-35901, CVE-2024-26828,CVE-2024-35927, CVE-2024-35976, CVE-2024-35791, CVE-2024-35970,CVE-2024-27004, CVE-2024-35982, CVE-2024-35989, CVE-2024-35984,CVE-2024-35805, CVE-2024-36020, CVE-2024-35950, CVE-2024-35936,CVE-2024-27437, CVE-2024-26922, CVE-2024-26810, CVE-2024-35815,CVE-2024-36029, CVE-2024-35879, CVE-2024-35938, CVE-2024-35817)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1065-aws     5.15.0-1065.71  linux-image-5.15.0-1068-azure-fde  5.15.0-1068.77.1  linux-image-aws-lts-22.04       5.15.0.1065.65  linux-image-azure-fde-lts-22.04  5.15.0.1068.77.45Ubuntu 20.04 LTS  linux-image-5.15.0-1068-azure-fde  5.15.0-1068.77~20.04.1.1  linux-image-5.15.0-116-generic  5.15.0-116.126~20.04.1  linux-image-5.15.0-116-generic-64k  5.15.0-116.126~20.04.1  linux-image-5.15.0-116-generic-lpae  5.15.0-116.126~20.04.1  linux-image-azure-fde           5.15.0.1068.77~20.04.1.45  linux-image-generic-64k-hwe-20.04  5.15.0.116.126~20.04.1  linux-image-generic-hwe-20.04   5.15.0.116.126~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.116.126~20.04.1  linux-image-oem-20.04           5.15.0.116.126~20.04.1  linux-image-oem-20.04b          5.15.0.116.126~20.04.1  linux-image-oem-20.04c          5.15.0.116.126~20.04.1  linux-image-oem-20.04d          5.15.0.116.126~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.116.126~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6898-3  https://ubuntu.com/security/notices/USN-6898-1  CVE-2022-38096, CVE-2023-52488, CVE-2023-52699, CVE-2023-52880,  CVE-2024-23307, CVE-2024-24857, CVE-2024-24858, CVE-2024-24859,  CVE-2024-24861, CVE-2024-25739, CVE-2024-26629, CVE-2024-26642,  CVE-2024-26654, CVE-2024-26687, CVE-2024-26810, CVE-2024-26811,  CVE-2024-26812, CVE-2024-26813, CVE-2024-26814, CVE-2024-26817,  CVE-2024-26828, CVE-2024-26922, CVE-2024-26923, CVE-2024-26925,  CVE-2024-26926, CVE-2024-26929, CVE-2024-26931, CVE-2024-26934,  CVE-2024-26935, CVE-2024-26937, CVE-2024-26950, CVE-2024-26951,  CVE-2024-26955, CVE-2024-26956, CVE-2024-26957, CVE-2024-26958,  CVE-2024-26960, CVE-2024-26961, CVE-2024-26964, CVE-2024-26965,  CVE-2024-26966, CVE-2024-26969, CVE-2024-26970, CVE-2024-26973,  CVE-2024-26974, CVE-2024-26976, CVE-2024-26977, CVE-2024-26981,  CVE-2024-26984, CVE-2024-26988, CVE-2024-26989, CVE-2024-26993,  CVE-2024-26994, CVE-2024-26996, CVE-2024-26999, CVE-2024-27000,  CVE-2024-27001, CVE-2024-27004, CVE-2024-27008, CVE-2024-27009,  CVE-2024-27013, CVE-2024-27015, CVE-2024-27016, CVE-2024-27018,  CVE-2024-27019, CVE-2024-27020, CVE-2024-27059, CVE-2024-27393,  CVE-2024-27395, CVE-2024-27396, CVE-2024-27437, CVE-2024-35785,  CVE-2024-35789, CVE-2024-35791, CVE-2024-35796, CVE-2024-35804,  CVE-2024-35805, CVE-2024-35806, CVE-2024-35807, CVE-2024-35809,  CVE-2024-35813, CVE-2024-35815, CVE-2024-35817, CVE-2024-35819,  CVE-2024-35821, CVE-2024-35822, CVE-2024-35823, CVE-2024-35825,  CVE-2024-35847, CVE-2024-35849, CVE-2024-35851, CVE-2024-35852,  CVE-2024-35853, CVE-2024-35854, CVE-2024-35855, CVE-2024-35857,  CVE-2024-35871, CVE-2024-35872, CVE-2024-35877, CVE-2024-35879,  CVE-2024-35884, CVE-2024-35885, CVE-2024-35886, CVE-2024-35888,  CVE-2024-35890, CVE-2024-35893, CVE-2024-35895, CVE-2024-35896,  CVE-2024-35897, CVE-2024-35898, CVE-2024-35899, CVE-2024-35900,  CVE-2024-35901, CVE-2024-35902, CVE-2024-35905, CVE-2024-35907,  CVE-2024-35910, CVE-2024-35912, CVE-2024-35915, CVE-2024-35918,  CVE-2024-35922, CVE-2024-35925, CVE-2024-35927, CVE-2024-35930,  CVE-2024-35933, CVE-2024-35934, CVE-2024-35935, CVE-2024-35936,  CVE-2024-35938, CVE-2024-35940, CVE-2024-35944, CVE-2024-35950,  CVE-2024-35955, CVE-2024-35958, CVE-2024-35960, CVE-2024-35969,  CVE-2024-35970, CVE-2024-35973, CVE-2024-35976, CVE-2024-35978,  CVE-2024-35982, CVE-2024-35984, CVE-2024-35988, CVE-2024-35989,  CVE-2024-35990, CVE-2024-35997, CVE-2024-36004, CVE-2024-36005,  CVE-2024-36006, CVE-2024-36007, CVE-2024-36008, CVE-2024-36020,  CVE-2024-36025, CVE-2024-36029, CVE-2024-36031Package Information:  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1065.71  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1068.77.1  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1068.77~20.04.1.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-116.126~20.04.1

Tag

#web