CrowdStrike Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

CrowdStrike Falcon Bug Causes Windows Outages Around the Globe
https://gridinsoft.com/blogs/crowdstrike-falcon-bug-windows-outages/
Fri, 19 Jul 2024 10:11:50 +0000
A bug in a recent update to CrowdStrike Falcon caused thousands of systems across the world to crash with a BSOD. Worse, Windows refuses to boot correctly afterwards and displays the same error again. CrowdStrike has apologized for the mess and is due to release a hotfix that should get the systems back to normal.

Bug in CrowdStrike Falcon Causes Blue Screens of Death Across the Globe

On July 18, 2024, CrowdStrike pushed out a minor update to their MDR system, Falcon. Shortly after it reached customer systems, computers started crashing for no apparent reason. As it turned out, the update introduced a critical bug in the driver; Windows cannot handle it and consequently crashes. At first, customers and some analysts suspected a cyberattack, but it soon became apparent that it was just a software bug. Well, not “just”, considering the scale.

The worst part of the story is that Falcon is a rather popular solution, used in a great many organizations across the world. And, as you might guess, the faulty update has jammed all of those customers’ systems, with no apparent way to fix the issue. Among the companies that reported issues related to the CrowdStrike Falcon bug are numerous airlines and airports, telecommunications companies, railways, and more. At the moment, the companies that have reported issues are as follows:

  • Sky TV
  • CBBC (BBC Children)
  • Delhi Airport
  • London Gatwick
  • Telstra Group
  • United Airlines
  • Ryanair
  • Edinburgh Airport
  • Delta Airlines
  • American Airlines
  • Olympic Games systems
  • London Stock Exchange
  • Singapore Stock Exchange
  • Virgin Australia
  • SpiceJet
  • Turkish Airlines

This list is, of course, incomplete, as there are many smaller companies experiencing problems that are less visible to the public. Some of the organizations mentioned managed to switch to manual operations, while others had no option but to idle.

CrowdStrike Publishes a Workaround

Considering the scale of the problem, CrowdStrike developers immediately went to work and reverted the update. The trouble is that the reverted update cannot simply be installed, because the affected computers won’t even boot into Windows. To let companies access their systems for now, and install the fix once it arrives, the developers shared a workaround.

[Screenshot from internal CrowdStrike forum, with proposed mitigation steps]

To temporarily fix up the mess, customers should boot into Windows Safe Mode or the Recovery Environment. These modes give access to the installed Windows system, or at least to its partition, which the further steps require. There, users should open the C:\Windows\System32\drivers\CrowdStrike directory, locate the file matching C-00000291*.sys, and delete it. This is the faulty driver that causes all the issues. After that, the system should boot up normally.
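The manual procedure above, scripted as an added example that is not part of the Gridinsoft post or of CrowdStrike’s guidance. It assumes a PowerShell prompt in Safe Mode or WinRE; because the Windows volume is frequently not C: inside WinRE, it checks every drive letter, keeps a copy of any matched file for later analysis, and only deletes when run with -Apply (otherwise -WhatIf previews the removal).

```powershell
# Added example: locate and remove the faulty C-00000291*.sys file described in the post.
# Run from PowerShell in Safe Mode or WinRE. Dry run by default; pass -Apply to delete.
param([switch]$Apply)

$relPath = 'Windows\System32\drivers\CrowdStrike'   # directory named in the post
$pattern = 'C-00000291*.sys'                         # file pattern named in the post

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $dir = Join-Path $drive.Root $relPath
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    $hits = Get-ChildItem -LiteralPath $dir -Filter $pattern -File -ErrorAction SilentlyContinue
    if (-not $hits) { Write-Host "No matching file under $dir"; continue }

    foreach ($f in $hits) {
        Write-Host ("Found {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)

        # Keep a copy outside the driver directory (hypothetical quarantine folder) so the
        # file can be examined later, then remove it in place.
        $backup = Join-Path $drive.Root ('CrowdStrike-quarantine\' + $f.Name)
        New-Item -ItemType Directory -Force -Path (Split-Path $backup) | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $backup -Force

        Remove-Item -LiteralPath $f.FullName -Force -WhatIf:(-not $Apply)
    }
}
```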

Potential Impact

The scale of the bug is impossible to ignore, and this situation is unlikely to be forgiven and forgotten. The large companies that were forced to idle, losing money and time, will likely ask for some kind of compensation. This, together with yet another stain on its reputation, is what is pushing CrowdStrike’s share price down at the moment. As of 5:30 ET, $CRWD is down almost 20% from yesterday’s close, losing $70 of its share price.

[Chart: CrowdStrike share price]

One more thing such a massive outage should highlight is the need for a quick remedy in situations like this. What would let organizations get past the BSODs quickly and back to normal is backups. Restoring them takes some time too, but that is nothing compared to the manual intervention on every single machine that the workaround requires.

Russian Hacker Sells Terminator Tool That Is Allegedly Able to Bypass Any Antivirus Programs
https://gridinsoft.com/blogs/terminator-and-antivirus-programs/
Fri, 02 Jun 2023 11:14:15 +0000
A tool called Terminator has appeared on one of the Russian hacker forums and, according to its author, can disable any antivirus program as well as XDR and EDR platforms. Information security specialists have also reported that, due to the sanctions, Russian hackers are looking for new ways to launder money. “Terminator” can allegedly bypass a total of 24 different antivirus, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions on devices running Windows 7 and higher.

Consider reading about the analysis of the methods of the Russian hack group Wizard Spider, and about the $1 million offer from the State Department for information on Russian hackers.

Terminator Tool Bypasses Antivirus Tools

The author of the tool, known by the pseudonym “Spyboy”, sells his product for $300 for one type of detection bypass up to $3,000 for all types at once.

“The following EDRs cannot be sold separately: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance. But ransomware and lockers are prohibited, and I am not responsible for such actions,” the hacker writes.

In order to use Terminator, clients need administrative privileges on the target Windows systems, and therefore have to somehow trick the user into accepting the Windows User Account Control (UAC) prompt that is displayed when the tool is launched. That is a headache for the client, not for the developer of the malicious software. A CrowdStrike engineer, in a post on Reddit, found that “Terminator” is being sold under a louder slogan than it deserves. As it turned out, the tool simply drops a legitimate, signed Zemana antivirus driver (zamguard64.sys or zam64.sys) into the C:\Windows\System32\ folder of the target system.

After the aforementioned driver is written to disk, “Terminator” loads it to obtain elevated privileges at the kernel level to terminate the processes of antivirus, EDR and XDR programs running on the device. Currently, only one VirusTotal antivirus scan engine detects this driver as vulnerable. Fortunately, researchers at Nextron Systems have already shared indicators of compromise (IoC) that can help security professionals detect a vulnerable driver used by the Terminator tool before it does any harm.

What then?

BYOVD (Bring Your Own Vulnerable Driver) attacks are common among attackers who like to deliver malicious payloads “silently”. In these attacks, hackers abuse completely legitimate drivers, with valid certificates and the ability to run with kernel privileges, for purposes their authors never intended: disabling security solutions and taking over the system. A wide range of cybercriminal groups have used this technique for years, from financially motivated gangs to state-backed hacker groups.

In April, Sophos wrote about similar malware developed by another group of attackers. A hacking tool called AuKill allowed criminals to disable EDR solutions by means of a vulnerable driver from the legitimate third-party program Process Explorer, and was even used for a while in LockBit attacks.

SFX Archives Can Sneakily Launch PowerShell
https://gridinsoft.com/blogs/sfx-can-launch-powershell/
Wed, 05 Apr 2023 09:13:33 +0000

CrowdStrike warns that hackers are adding malicious functionality to self-extracting (SFX) archives: the archives contain harmless decoy (“honeypot”) files, but can launch PowerShell.

This simple trick allows attackers to plant backdoors on victims’ machines without raising an “alarm”.

Let me remind you that we also wrote that Attackers target .NET Developers with Malicious NuGet Packages, and also that Hackers compromised Slack private GitHub repositories.

Also, information security specialists warned that Hackers bypass ransomware protection using WinRAR.

The researchers remind that self-extracting archives created with archivers such as WinRAR and 7-Zip are, in fact, executable files that contain archive data along with built-in unpacking functionality.

Access to such files may be password protected to prevent unauthorized access. SFX files were originally created to make it easier to distribute data to users who don’t have a decompressor.

[Screenshot: password-protected SFX file]

Recently, Crowdstrike experts discovered an attacker who used stolen credentials to abuse utilman.exe (an accessibility application that can be run before a user logs in) and configured it to run a password-protected SFX file that was previously placed on the system.


The SFX file launched by utilman.exe was password protected and contained an empty text file that acted as a decoy. The real purpose of the archive was to run PowerShell, the Windows command line (cmd.exe) and the “Task Manager” with system privileges.

Further analysis of the threat showed that the attacker added several commands at once, which were run after the target unpacked the archived text file.

[Screenshot: SFX archive configuration with commands added by the attacker]

As you can see in the screenshot above, the attacker configured the SFX archive so that no dialog boxes were displayed during extraction, and added instructions to launch PowerShell, Command Prompt, and Task Manager.

The point is that WinRAR offers a set of advanced SFX settings which allow a list of executables to be launched automatically before or after unpacking, as well as overwriting existing files in the destination folder if files with the same name already exist.


“Because this SFX archive can be launched from the login screen, the attacker effectively had a permanent backdoor that could be accessed to launch PowerShell, Windows Command Prompt, and “Task Manager” with NT AUTHORITY\SYSTEM privileges if the correct password was provided. This type of attack is likely to go unnoticed by traditional antivirus software that looks for malware within the archive itself,” the experts explain.

The researchers remind that users should pay special attention to self-extracting archives and use the appropriate software to check their contents and look for potential scripts and commands scheduled to run on extraction.

Hackers Compromise Comm100 Live Chat to Attack a Supply Chain
https://gridinsoft.com/blogs/comm100-live-chat/
Wed, 05 Oct 2022 08:44:53 +0000
The official installer of the Comm100 Live Chat SaaS application, which is widely used by companies to communicate with customers and website visitors, has been infected with a Trojan.

The malicious version of the application was distributed through the vendor’s website from at least September 26 to September 29, 2022. As a result, organizations in North America and Europe working in industry, healthcare, technology, manufacturing, insurance and telecommunications were infected.

Let me remind you that we also reported that the FBI warned about an increase of supply chains attacks, and also that Researcher compromised 35 companies through a new “dependency confusion” attack.

The problem was discovered by researchers at CrowdStrike. According to them, the trojanized version of the installer carried a valid Comm100 Network Corporation digital signature, so the attack was not immediately detected.

Unidentified attackers injected a JavaScript backdoor into the main.js file, which is present in the following versions of the Comm100 Live Chat installer:

  1. 0.72 with SHA256 hash 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45;
  2. 0.8 with SHA256 hash ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86.

The researchers say the backdoor was extracting an obfuscated JS script from a hard-coded URL “http[:]//api.amazonawsreplay[.]com/livehelp/collect”, which ultimately gave the attackers remote shell access to the vulnerable machine.

After the compromise, experts observed the deployment of malicious loaders (MidlrtMd.dll) that were used to load payloads in the context of legitimate Windows processes, such as notepad.exe, running directly from memory. The downloader extracted the final payload (license) from the hackers’ control server and used a hard-coded RC4 key to decrypt it.

CrowdStrike experts attribute this attack to Chinese hackers, in particular a cluster that previously targeted online gambling organizations in East and Southeast Asia.

The researchers reported the problem to Comm100 developers, who have already released a clean installer version 10.0.9. Users are strongly advised to update the Comm100 Live Chat application as soon as possible.

At the moment, representatives of Comm100 do not report how the attackers managed to gain access to its systems and infect the installer with malware.

Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions
https://gridinsoft.com/blogs/aquatic-panda-group-exploits-log4shell/
Wed, 05 Jan 2022 20:34:11 +0000
Specialists at the information security company CrowdStrike warn that the Chinese cyber-espionage hack group Aquatic Panda is using the Log4Shell vulnerability, with which a large educational institution has been compromised.

Let me remind you that the CVE-2021-44228 vulnerability, also called Log4Shell and LogJam, was discovered in the popular Log4j logging library in early December.

The researchers report that Aquatic Panda uses a modified version of the exploit for a bug in Log4j to gain initial access to the target system and then performs various post-exploitation activities, including exploration and credential collection.

To compromise an unnamed educational institution, the hackers targeted VMware Horizon, which used the vulnerable Log4j library. The exploit used in this attack was published on GitHub on December 13, 2021.

“The attackers performed a connection check using DNS lookups for a subdomain running on VMware Horizon within Apache Tomcat. The team then ran a series of Linux commands on the Windows host running the Apache Tomcat service, including those aimed at deploying malicious tools hosted on remote infrastructure,” the CrowdStrike report says.

The attackers also conducted reconnaissance efforts to understand privilege levels better and learn more about the domain. Also, they attempted to interrupt a third-party endpoint threat detection and response solution.

After deploying additional scripts, the hackers tried to run PowerShell commands to extract the malware and three VBS files, which appeared to be reverse shells. In addition, Aquatic Panda made several attempts to collect credentials by performing memory dumps and preparing them for theft.

Experts write that the attacked organization was warned of the suspicious activity in time and was able to quickly invoke its incident response protocol, patching the vulnerable software and preventing the malicious activity from developing further.

The Aquatic Panda group has been active since at least May 2020 and typically engages in intelligence gathering and industrial espionage, targeting organizations in the government, telecommunications, and technology sectors. The group’s toolbox includes Cobalt Strike, FishMaster downloader, and njRAT.

Let me also remind you that I wrote that Log4j vulnerability threatens 35,000 Java packages, as well as that Another vulnerability found in Log4j, this time it is a denial of service.
