Ankura CTIX FLASH Update - July 19, 2024

Ankura Consulting Group LLC


BREAKING

CrowdStrike Update Causes Massive Microsoft Outage Affecting Multiple Critical Industries

A recent CrowdStrike Falcon update has caused widespread IT outages, impacting global sectors including banks, airports, TV stations, healthcare organizations, and hotels. The faulty update led to Windows machines displaying Blue Screens of Death (BSODs), grounding flights and causing disruptions to services worldwide, including emergency services in the U.S. and Canada. CrowdStrike identified the issue as a corrupted Channel File within the update and provided a workaround, but the impact remains significant, with major organizations such as hospitals, airports, and airlines experiencing massive outages. Reports of disruptions came from countries including Australia, the UK, India, Germany, the Netherlands, and the U.S. Despite the fix being deployed, the outages have led to significant financial losses and operational halts, with affected devices needing manual intervention to resolve the issue. Mac and Linux systems were not affected, and both CrowdStrike and Microsoft are working on ensuring the stability of their services. The incident underscores the critical dependence on IT systems and the potential widespread impact of software issues. CTIX analysts will continue to track this matter, and an update may be released in the future if warranted.

Ransomware/Malware Activity

FIN7 Group Selling EDR-Bypassing Tool on Dark Web to Assist Ransomware Operations

The cybercriminal group FIN7, known for its financial motivations and origins in Russia and Ukraine, has been actively promoting and selling a sophisticated security evasion tool named AvNeutralizer (also referred to as AuKill) across various underground forums. The tool, designed to tamper with and bypass security solutions, has garnered attention for its use by several ransomware groups, including AvosLocker, Black Basta, BlackCat, LockBit, and Trigona. SentinelOne's analysis reveals that FIN7, which has evolved from targeting point-of-sale (PoS) systems to operating ransomware-as-a-service (RaaS) schemes, developed and commercialized AvNeutralizer. FIN7's use of multiple pseudonyms such as "goodsoft," "lefroggy," "killerAV," and "Stupor" when advertising the tool on underground forums underscores the group's attempts to obscure its identity and sustain illicit operations. The pricing for AvNeutralizer ranges from $4,000 to $15,000, indicating a targeted approach in which the tool is customized for specific security products at the buyer's request. The tool's development, which began in April 2022, signifies FIN7's continued innovation in creating mechanisms for security evasion. The extensive use of AvNeutralizer across multiple ransomware campaigns since early 2023 highlights its effectiveness and demand among cybercriminals. This trend also points to the increasing sophistication of FIN7's operations, including its shift towards automated SQL injection attacks targeting public-facing applications. Despite the arrest and sentencing of some of its members, the group has maintained a persistent threat presence, adapting its tactics and expanding its arsenal to include malware loaders and a penetration testing toolkit. The commercialization of AvNeutralizer and its adoption by various ransomware operators exemplify the evolving and interconnected nature of the cybercriminal ecosystem.
CTIX analysts will continue monitoring the latest malware developments that have potential to cause significant impacts on the cybersecurity landscape.

Threat Actor Activity

Scattered Spider Adds RansomHub and Qilin Ransomware to Its Arsenal

Microsoft has linked Qilin and RansomHub ransomware attacks in Q2 of this year to the Scattered Spider threat actor group. Scattered Spider (AKA Octo Tempest, UNC3944, Oktapus, and Muddled Libra) has been closely tracked by Microsoft and has been active since at least early 2022. Scattered Spider has been attributed with some of the most notorious attacks and breaches of the past few years, including those against MGM Casinos, Riot Games, Okta, and LastPass. The English-speaking group is believed to operate out of the U.K. and North America and is well known for its social engineering tactics, which include vishing, smishing, MFA bombing, SIM swapping, and impersonation. Scattered Spider is financially motivated and has evolved and adapted its techniques over the years. In 2023, Scattered Spider was seen using BlackCat/ALPHV ransomware to add encryption to its extortion schemes. This latest update by Microsoft indicates that the group is further expanding its arsenal to include Qilin and RansomHub ransomware in its attacks. BleepingComputer notes that the Qilin ransomware group has been developing advanced Linux encryptors targeting VMware ESXi servers, which Scattered Spider has also been known to target. Microsoft tracks Scattered Spider's activities and attacks closely because the group is considered a very dangerous threat actor based on its use of social engineering, living-off-the-land techniques, and diverse tooling. Scattered Spider's goal is to maximize profit, and it will leverage all tools at its disposal to broaden its impact. It is important that organizations are aware of Scattered Spider's tactics, techniques, and procedures (TTPs) and employ appropriate security controls to minimize the risk associated with the threat. CTIX analysts will continue to report on threat actor activity worthy of the attention of security professionals.

Vulnerabilities

Maximum Severity Cisco Vulnerability Allows Attackers to Change Any Account Password

Cisco has released patches for a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) that allows unauthenticated remote attackers to change any user's password, including those of administrative accounts. The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10/10. This flaw stems from an improper implementation of the password-change process, which can be exploited via maliciously crafted HTTP requests to gain web UI or API access with the privileges of the compromised user. The vulnerability affects versions 8-202206 and earlier, with a fix available in version 8-202212, while version 9 is unaffected. Cisco advises immediate upgrades, as there are no workarounds; there is no evidence of exploitation yet. This issue is particularly concerning for sectors such as financial institutions and government organizations. The disclosure coincides with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding three (3) other vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including critical flaws in Adobe Commerce, SolarWinds Serv-U, and VMware vCenter Server. Their addition to the KEV requires all Federal Civilian Executive Branch (FCEB) agencies to apply authorized mitigations no later than August 7, 2024.
