From the CrowdStrike outage front,
- Dark Reading reports,
- The CrowdStrike update that hobbled businesses, disrupted consumer travel plans, and took French and British broadcasters offline has predictably led to a host of lawsuits filed by investors and customers of both CrowdStrike and other affected companies.
- Yet the incident could lead to another destination: software liability.
- The overall consensus among legal experts is that CrowdStrike is likely protected by its terms and conditions from reimbursing customers for more than they paid for the product, limiting its software liability in what the company now refers to as “the Channel File 291 Incident.” However, the fact that affected businesses and consumers have little recourse to recover damages will likely lend momentum to legislation and state regulations to hold firms responsible for such chaos, says Chinmayi Sharma, associate professor of law at Fordham University.
- Cybersecurity Dive lets us know,
- “A mismatched software update in CrowdStrike’s Falcon sensor led to the crash that caused a global IT outage of millions of Microsoft Windows systems on July 19, the company said Tuesday.
- “CrowdStrike, in a root cause analysis report, said the Falcon sensor expected 20 input fields in a rapid response content update, but the software update actually provided 21 input fields. The mismatch resulted in an out-of-bounds memory read, leading to the system crash.
- “We are using lessons learned from this incident to better serve our customers,” CrowdStrike CEO George Kurtz said in a statement Tuesday. “To this end, we have already taken decisive steps to prevent this situation from repeating, and to help ensure that we – and you – become even more resilient.”
- and
- “CrowdStrike is in talks to acquire Action1, a Houston-based patch management and vulnerability specialist. The agreement being discussed would value the company at nearly $1 billion, according to a memo sent to Action1 employees.
- “Action1 Co-Founder and CEO Alex Vovk sent a memo to employees Wednesday confirming the discussions, after speculation around the talks gained within the company. A spokesperson for Action1 confirmed the authenticity of the memo to Cybersecurity Dive Friday.
- “This proves that Action1 is in a rapidly growing market and explains why Action1 is experiencing hypergrowth and is on track to soon reach $100M AAR,” Vovk wrote in the memo.”
From the cybersecurity policy front,
- Per Cybersecurity Dive,
- “For Cybersecurity and Infrastructure Security Agency Director Jen Easterly the doomed CrowdStrike software update that took global IT systems and networks offline last month holds a “big lesson” for critical infrastructure.
- “The CrowdStrike incident was such a terrible incident,” Easterly said Wednesday during a media briefing at Black Hat, but “it was a useful exercise, like a dress rehearsal for what China may want to do to us.”
- “The outage was not the result of a malicious act, but rather a basic field input error that caused an out-of-bounds memory read. Yet, to Easterly, the widespread chaos it caused offers a clear example of what could occur if China-affiliated attackers make good on its efforts to cause systemic disruption to U.S. critical infrastructure.
- “When Easterly learned of the outage, around 2 a.m. on July 19: “What was going through my mind was ‘oh, this is exactly what China wants to do.’”
- Per Cyberscoop,
- “Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, told attendees at the Black Hat security conference on Thursday that delivering major improvements in computer security will require a sea change in how companies approach building software.
- “Amid an epidemic of breaches, Easterly laid the blame squarely at the feet of the technology industry. “We don’t have a cybersecurity problem. We have a software quality problem,” she said.
- “We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,” Easterly said in her remarks.
- “To address that issue, Easterly and CISA have launched a secure by design pledge, the signatories of which commit to a series of principles to improve the security of how products are developed and deployed. Easterly said 200 companies have now signed that pledge since its launch in March.”
- To that end, this week, CISA and the FBI posted their “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” Here’s a link to the federal government’s Internet Complaint Center supplement guidance on this effort.
- Cyberscoop also tells us,
- “A year after asking the hacker community how they can better help protect the open source software that is the foundation of the digital economy, the White House is looking to better secure the ecosystem through a new office dedicated to study such components in critical infrastructure.
- “The Office of the National Cyber Director released new details Friday on several projects aimed at securing open source software. The report comes a year after the office asked attendees at DEF CON in 2023 to contribute to a request for information around how to better focus on securing open source software.
- “The new office runs out of the Department of Homeland Security and will examine the prevalence of open source software present in critical infrastructure and how to secure it, said Nasreen Djouini, senior policy advisor at the Office of the National Cyber Director. The program will have the support of the Department of Energy’s national labs, including at Los Alamos and Lawrence Livermore.”
From the cybersecurity vulnerabilities and breaches front,
- Again, per Cyberscoop,
- “An Israeli cybersecurity firm has identified a zero-day vulnerability affecting major web browsers that could allow attackers to bypass normal browser security measures and potentially breach local networks.
- “The flaw, discovered by Oligo Security, was found in how browsers handle network requests.
- “In summary, devices read IP addresses to connect users to websites, with 0.0.0.0 serving as a placeholder until a real address is assigned. Oligo researchers found that a would-be attack can exploit how browsers like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox handle queries to 0.0.0.0, redirecting them to other addresses such as ‘localhost,’ which is typically private.
- “This exploit allows attackers to access private data by sending requests to 0.0.0.0. Attackers could then perform all types of nefarious actions, gaining unauthorized access and executing remote code on locally running programs, which could impact development platforms, operating systems and internal networks.
- Oligo has dubbed the vulnerability “0.0.0.0 day,” and wrote in a blog post that it considers it to be “far-reaching, affecting individuals and organizations alike.”
- Here are the known exploited vulnerabilities that CISA added to its catalog this week,
- August 5, 2024: CVE-2018-0824 Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
- August 7, 2024, CVE-2024-36971 Android Kernel Remote Code Execution Vulnerability, and CVE-2024-32113 Apache OFBiz Path Traversal Vulnerability
- Security Week points out,
- The US cybersecurity agency CISA on Thursday informed organizations about threat actors targeting improperly configured Cisco devices.
- The agency has observed malicious hackers acquiring system configuration files by abusing available protocols or software, such as the legacy Cisco Smart Install (SMI) feature.
- This feature has been abused for years to take control of Cisco switches and this is not the first warning issued by the US government.
From the ransomware front,
- Per a CISA press release,
- “CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network defenders with recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackSuit and legacy Royal activity. FBI investigations identified these TTPs and IOCs as recently as July 2024.
- “BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, commercial facilities, healthcare and public health, government facilities, and critical manufacturing.
- “CISA encourages network defenders to review the updated advisory and apply the recommended mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.”
- Per Bleeping Computer,
- ‘On Tuesday (August 6], IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation.
- “McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio.
- “While McLaren Health Care continues to investigate a disruption to our information technology system, we want to ensure our teams are as prepared as possible to care for patients when they arrive,” a statement on the health system’s website reads.”
From the cybersecurity defenses front,
- TechTarget identifies
- and explains how
- Dark Reading writes about how
- “Enterprises are implementing Microsoft’s Copilot AI-based chatbots at a rapid pace, hoping to transform how employees gather data and organize their time and work. But at the same time, Copilot is also an ideal tool for threat actors.
- “Security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity, says attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links.
- The article explains how to avoid such attacks.