Major security incidents impacted the tech world this week. A faulty CrowdStrike update caused widespread system crashes, impacting organizations globally. Meanwhile, MediSecure, an Australian prescription service, suffered a ransomware attack, compromising the data of millions. In other news, SolarWinds and Cisco scrambled to patch critical vulnerabilities in their respective software offerings. Finally, the FIN7 cybercrime group is now advertising an EDR bypass tool, signaling a concerning development in cybercrime.
Faulty CrowdStrike Falcon Sensor Update Causes Global System Crashes
/Major/ /CrowdStrike/
A faulty update to CrowdStrike’s Falcon Sensor security software caused widespread disruptions across the globe on July 19, 2024, affecting numerous organizations and services, including airports, TV stations, and hospitals. The issue, which primarily impacted Windows systems, resulted in computers being rendered inaccessible due to a “Blue Screen of Death” (BSOD) error. The incident was not attributed to a cyberattack but rather to a defect in a content update specifically for Windows hosts.
CrowdStrike acknowledged the problem and swiftly deployed a fix, stating that the issue had been identified, isolated, and resolved. The company advised users to boot their Windows machines into Safe Mode or the Windows Recovery Environment, navigate to the directory ‘C:\Windows\System32\drivers\CrowdStrike’, locate and delete the problematic file named ‘C-00000291*.sys’, and then boot the host normally.
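The manual remediation above, as an added PowerShell example (not from the original article or from CrowdStrike): it lists any matching channel file before anything is deleted, and takes the Windows volume's drive letter as a parameter because in the Windows Recovery Environment the OS volume is often not mounted as C: (the rest of the path is assumed to be the one quoted above).

```powershell
# Added example, not CrowdStrike's own tooling. Run as administrator from Safe Mode
# or WinRE. Default is a dry run; pass -Remove to delete the files it lists.
param(
    [string]$SystemDrive = 'C:',   # assumption: adjust if WinRE mounts Windows elsewhere
    [switch]$Remove
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Warning "Directory not found: $driverDir (is $SystemDrive the Windows volume?)"
    exit 1
}

# File pattern named in the remediation guidance: C-00000291*.sys
$hits = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File
if (-not $hits) {
    Write-Host "No C-00000291*.sys files in $driverDir; nothing to do."
    exit 0
}

foreach ($f in $hits) {
    # Record what was found so the action is auditable after recovery
    Write-Host ("{0}  {1,10} bytes  modified {2:u}" -f $f.FullName, $f.Length, $f.LastWriteTimeUtc)
    if ($Remove) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Removed $($f.Name)"
    }
}

if (-not $Remove) {
    Write-Host 'Dry run only; re-run with -Remove to delete the listed files, then reboot normally.'
}
```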
While CrowdStrike asserted that the issue was resolved, large organizations faced manual recovery of the impacted systems, leading to prolonged downtime and potential operational challenges. The incident underscores the critical importance of thorough testing and quality assurance measures for software updates, particularly those deployed to mission-critical systems. It also highlights the potential for widespread disruption stemming from a single point of failure in complex, interconnected systems.
References
CrowdStrike update crashes Windows systems, causes outages worldwide [bleepingcomputer.com]
Bad CrowdStrike Update Linked to Major IT Outages Worldwide [securityweek.com]
CrowdStrike update at center of Windows “Blue Screen of Death” outage [malwarebytes.com]
Global outage of Microsoft clients due to CrowdStrike update | Kaspersky official blog [kaspersky.com]
CrowdStrike update epic fail crashed Windows systems worldwide [securityaffairs.com]
CrowdStrike Windows patchpocalypse could take weeks to fix, IT admins fear [go.theregister.com]
Blue screen of death strikes crowd of CrowdStrike servers [csoonline.com]
CrowdStrike Fault Causes Global IT Outages [infosecurity-magazine.com]
Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide [darkreading.com]
Analyzing the CrowdStrike Incident and Its Ripple Effects - SWN #399 [sites.libsyn.com]
MediSecure Data Breach Impacts Millions Following Ransomware Attack
/Major/ /MediSecure/ /Unknown Ransomware Group/
MediSecure, an Australian digital prescription services provider, suffered a ransomware attack in April 2024, resulting in the theft of personal and health information belonging to approximately 12.9 million individuals. The breach, which impacted individuals who received services from MediSecure between March 2019 and November 2023, involved the exfiltration of a massive 6.5TB of data from the company’s server.
The stolen data included sensitive information such as prescription medication details, reasons for prescriptions, full names, dates of birth, genders, email addresses, phone numbers, addresses, and various healthcare identifiers. MediSecure acknowledged the breach and stated that they were unable to identify the specific impacted individuals due to the complexity of the dataset.
This incident raises concerns about the potential for scams, phishing attacks, and identity theft against Australians whose data was compromised. MediSecure is reviewing the data set exposed on the dark web and working to mitigate potential risks to affected individuals. The incident serves as a reminder of the increasing threat of ransomware attacks and the importance of robust cybersecurity measures to protect sensitive personal and health information.
References
MediSecure data breach impacted 12.9 million individuals [securityaffairs.com]
MediSecure: Ransomware gang stole data of 12.9 million people [bleepingcomputer.com]
MediSecure Data Breach Impacts 12.9 Million Individuals [securityweek.com]
Nearly 13 Million Australians Affected by MediSecure Attack [infosecurity-magazine.com]
MarineMax Notifying 123,000 Of Data Breach [packetstormsecurity.com]
SolarWinds Access Rights Manager Patched Against Critical RCE Vulnerabilities
/Critical/ /SolarWinds/
SolarWinds, a US software development company, released critical security updates for its Access Rights Manager (ARM) software, addressing multiple vulnerabilities that could potentially allow remote code execution (RCE) on unpatched systems. The vulnerabilities, six of which were rated 9.6 out of 10 on the Common Vulnerability Scoring System (CVSS), posed a significant risk as attackers could exploit them without requiring administrator privileges.
Access Rights Manager is a software solution designed to enable administrators to manage and audit access rights across their IT infrastructure. The critical vulnerabilities identified in ARM could have allowed attackers to gain unauthorized control over affected systems, potentially compromising sensitive data and disrupting business operations.
SolarWinds urged users to update to Version 2024.3 of Access Rights Manager to mitigate the risks associated with these vulnerabilities. The company did not disclose whether any of these flaws had been exploited in the wild. The incident highlights the importance of timely patching and vulnerability management practices to ensure the security of critical software applications.
References
Solarwinds patches critical RCE flaws in Access Rights Manager [csoonline.com]
SolarWinds Patches Critical Vulnerabilities in Access Rights Manager [securityweek.com]
SolarWinds fixes 8 critical bugs in access rights audit software [bleepingcomputer.com]
SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software [thehackernews.com]
Cisco Patches Critical Vulnerability in Secure Email Gateway Allowing Root User Addition
/Critical/ /Cisco/
Cisco addressed a critical vulnerability, tracked as CVE-2024-20401, in its Secure Email Gateway (SEG) appliances. The vulnerability, with a CVSS score of 9.8, could allow unauthenticated, remote attackers to add new users with root privileges and cause permanent denial of service (DoS) on affected devices.
The vulnerability resides in the content scanning and message filtering features of the SEG appliances and stems from improper handling of email attachments when file analysis and content filters are enabled. Attackers could exploit this flaw by sending specially crafted email attachments, enabling them to replace any file on the file system.
Successful exploitation of this vulnerability could have severe consequences, including unauthorized access, configuration modifications, arbitrary code execution, and permanent device disruption. Cisco released updates to address the vulnerability and recommended that users upgrade their SEG appliances to the latest AsyncOS software version or ensure that the Content Scanner Tools version is 23.3.0.4823 or later. The company’s PSIRT was not aware of any exploitation attempts targeting this vulnerability in the wild at the time of the advisory.
References
Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users [securityaffairs.com]
Cisco Patches Critical Vulnerabilities in Secure Email Gateway, SSM [securityweek.com]
Critical Cisco bug lets hackers add root users on SEG devices [bleepingcomputer.com]
FIN7 Cybercrime Group Advertises EDR Bypass Tool on Hacking Forums
/High/ /Multiple/ /FIN7/
The financially motivated cybercrime group FIN7 has been observed advertising a security evasion tool, known as AvNeutralizer or AuKill, on multiple underground forums. This tool is designed to bypass endpoint detection and response (EDR) solutions, effectively disabling security measures and facilitating ransomware attacks.
FIN7, a prolific Russian cybercrime syndicate, has been linked to various ransomware operations, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. The group has employed automated SQL injection attacks to exploit public-facing applications and has used multiple pseudonyms to conceal its identity and maintain its criminal activities.
The emergence of AvNeutralizer and its availability on underground forums raise concerns about the increasing sophistication of cybercrime tools and the challenges in defending against EDR bypass techniques. Security researchers and organizations need to remain vigilant and adapt their defenses to mitigate the risks posed by FIN7 and other cybercriminal groups leveraging such tools.
References
Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums [securityaffairs.com]
FIN7 Cybercrime Gang Evolves with Ransomware and Hacking Tools [hackread.com]
Russia’s FIN7 is peddling its EDR-nerfing malware to ransomware gangs [go.theregister.com]
FIN7 Is Peddling EDR-Nerfing Malware To Ransomware Operators [packetstormsecurity.com]
WazirX Cryptocurrency Exchange Suffers $230 Million Security Breach
/Major/ /WazirX/ /Unknown/
Indian cryptocurrency exchange WazirX reported a security breach resulting in the theft of cryptocurrency assets worth over $230 million. The breach, which occurred in one of the company’s multi-signature wallets, was attributed to a cyberattack.
WazirX stated that the compromised wallet was operated using the services of Liminal, a digital asset custody and security platform. The company is investigating the incident and working to recover the stolen funds.
This breach is a significant loss for WazirX and its users, highlighting the ongoing security challenges faced by cryptocurrency exchanges. The incident underscores the importance of robust security measures, including multi-signature wallets and secure custody solutions, to protect digital assets from cyberattacks.
References
WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach [thehackernews.com]
North Korea likely behind takedown of Indian crypto exchange WazirX [go.theregister.com]
North Korea May Have Hacked Crypto Exchange WazirX [packetstormsecurity.com]
Cisco Smart Software Manager On-Prem Password Reset Vulnerability
/Critical/ /Cisco/
Cisco released a patch for a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) software, which enables organizations to manage product licenses using an on-premises server. The vulnerability, identified as CVE-2024-20419 and rated with a maximum CVSS score of 10.0, affects the password reset process, potentially allowing unauthenticated, remote attackers to change user passwords, including those of administrative accounts.
SSM On-Prem is typically used by organizations in sectors where network connectivity is unreliable or where security concerns require on-premises infrastructure, such as energy, shipping, financial services, and government. The vulnerability affects all versions of SSM On-Prem prior to version 8-202212, including Cisco SSM Satellite (released in 2019).
Exploitation of this flaw could enable attackers to gain unauthorized access to the web UI or API with the privileges of compromised user accounts. While the advisory suggests potential risks of license theft or interference with licensed features, a more likely scenario involves attackers establishing a foothold for further lateral movement within the network. Cisco urged users to update their SSM On-Prem software to the latest version to mitigate this vulnerability.
References
Maximum-severity Cisco vulnerability allows attackers to change admin passwords [go.theregister.com]
Cisco patches severe password reset flaw that lets hackers hijack SSM On-Prem license servers [csoonline.com]
High-Severity Cisco Bug Grants Attackers Password Access [darkreading.com]
Vulnerability In Cisco Smart Software Manager Lets Attacker Change Any User Password [packetstormsecurity.com]
Cisco Patches Critical Vulnerabilities in Secure Email Gateway, SSM [securityweek.com]
Microsoft-Signed Chinese Adware 'HotPage' Grants Kernel-Level Privileges
/High/ /Unknown Chinese Adware Developers/
ESET researchers discovered a sophisticated Chinese adware module named “HotPage” that disguises itself as an ad blocker while stealthily installing a malicious kernel driver component on Windows systems. The driver grants attackers the ability to execute arbitrary code with elevated permissions, potentially compromising system security and user privacy.
HotPage masquerades as a legitimate tool that enhances web browsing security by blocking ads and malicious websites. However, it covertly installs a driver that operates at the kernel level, giving attackers unrestricted access to the operating system and allowing them to bypass security measures.
The use of a Microsoft-signed driver adds to the malware’s stealth and complexity, making it more difficult to detect and remove. The discovery of HotPage highlights the evolving tactics of adware developers and the potential risks associated with seemingly benign browser extensions. Users should exercise caution when installing browser add-ons and ensure that they are obtained from trusted sources.
References
Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges [darkreading.com]
Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver [thehackernews.com]
HotPage Malware Hijacks Browsers With Signed Microsoft Driver [infosecurity-magazine.com]
HotPage: Story of a signed, vulnerable, ad-injecting driver [welivesecurity.com]
ESET: Chinese Adware Opens Windows Systems to More Threats [securityboulevard.com]
This site is auto-generated from feeds which I personally follow using Generative AI APIs. This was primarily done to make it easier for me to consume the feeds I like to follow, but it's also an experiment to see how Gen AI could be used in real life.