Jul 30 2024

Threat Actors Claiming Leak of IOC list with 250M Data, CrowdStrike Responded

Category: Cyber Threats, Threat detection | disc7 @ 9:27 am
A hacktivist entity known as USDoD has asserted that it has leaked CrowdStrike’s “entire threat actor list” and claims to possess the company’s “entire IOC [indicators of compromise] list,” which purportedly contains over 250 million data points.

Details of the Alleged Leak

On July 24, 2024, the USDoD group announced on an English-language cybercrime forum that it had obtained and leaked CrowdStrike’s comprehensive threat actor database.

The group provided a link to download the alleged list and shared sample data fields to substantiate their claims.

The leaked information reportedly includes:

  • Adversary aliases
  • Adversary status
  • The last active dates for each adversary
  • Region/Country of Adversary Origin
  • Number of targeted industries and countries
  • Actor type and motivation
Claim of the breach

The sample data contained “LastActive” dates up to June 2024, while the Falcon portal’s last active dates for some actors extend to July 2024, suggesting the potential timeframe of the data acquisition.


Cyber Press researchers stated that they were able to view some of the documents leaked.

Background on USDoD

USDoD has a history of exaggerating claims, likely to enhance its reputation within hacktivist and eCrime communities.

For example, they previously claimed to have conducted a hack-and-leak operation targeting a professional networking platform, which was later debunked by industry sources as mere web scraping.

Since 2020, USDoD has engaged in both hacktivism and financially motivated breaches, primarily using social engineering tactics.

In recent years, they have focused on high-profile targeted intrusion campaigns and have sought to expand their activities into administering eCrime forums.

USDoD also claimed to possess “two big databases from an oil company and a pharmacy industry (not from the USA).” However, the connection between these claims and the alleged CrowdStrike data acquisition remains unclear.

The potential leak of CrowdStrike’s threat actor database could have significant implications for cybersecurity:

  • Compromise of ongoing investigations
  • Exposure of tracking methods for malicious actors
  • Potential advantage for cybercriminals in evading detection

This story unfolds following a CrowdStrike update that caused Windows machines to experience the Blue Screen of Death (BSOD) error.

CrowdStrike’s Response

CrowdStrike, a leading cybersecurity firm known for its threat intelligence and incident response services, has responded to the claims. The company stated:

“The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”

While USDoD has been involved in genuine breaches, its credibility in this specific case is questionable.

Their history of exaggeration, the inconsistencies in the leaked data, and CrowdStrike’s response all cast doubt on the authenticity and severity of the claimed leak.

Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List


InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CrowdStrike, IoC


Jul 23 2024

Microsoft releases tool to speed up recovery of systems borked by CrowdStrike update

Category: Security Tools | disc7 @ 9:20 am

By now, most people are aware of – or have been personally affected by – the largest IT outage the world has ever witnessed, courtesy of a defective update for the CrowdStrike Falcon sensor that threw Windows hosts into a blue-screen-of-death (BSOD) loop.

“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” David Weston, Microsoft’s VP of Enterprise and OS Security, stated on Saturday.

CrowdStrike claimed earlier today that “a significant number” of affected systems are back online and operational.

“Together with customers, we tested a new technique to accelerate impacted system remediation. We’re in the process of operationalizing an opt-in to this technique,” they noted on their remediation and guidance hub. “Customers are encouraged to follow the Tech Alerts for latest updates as they happen and they will be notified when action is needed.”

Microsoft collaborates with Crowdstrike, provides recovery tool

Microsoft is, understandably, doing everything it can to speed up worldwide recovery from the issue: it has deployed hundreds of Microsoft engineers and experts to work with customers to restore services, and it is collaborating with CrowdStrike.

“CrowdStrike has helped us develop a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix for CrowdStrike’s faulty update. We have also worked with both AWS and GCP to collaborate on the most effective approaches,” Weston explained.

Microsoft has also released a recovery tool that can be downloaded and used by IT admins to make the repair process less time-consuming.

The tool provides two repair options.

The first one – Recover from WinPE (Preinstallation Environment) – does not require local admin privileges, but it does require the person to manually enter the BitLocker recovery key (if BitLocker is used on the device).

The second one – Recover from safe mode – may allow recovery without entering the BitLocker recovery key.

“For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown,” the Intune Support Team noted.

They also included detailed recovery steps for Windows clients, servers, and OSes hosted on Hyper-V.
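As an added illustration (this is not Microsoft’s recovery tool or CrowdStrike’s own script), the PowerShell below works out which of the two paths above applies to a host by inspecting its BitLocker protectors, then performs the cleanup step once the machine is booted into safe mode with a local administrator account. It assumes the faulty content is the channel file that CrowdStrike’s public remediation guidance identifies by the name pattern C-00000291*.sys, which this post does not name, and that the sensor lives in its standard driver directory.

```powershell
# Added example, not the vendor tooling described above.
# Assumption (not stated in the post): the faulty update is the channel file
# matching C-00000291*.sys in the sensor's standard driver directory.
$driverDir  = 'C:\Windows\System32\drivers\CrowdStrike'
$badPattern = 'C-00000291*.sys'

# Step 1: decide which recovery path applies, based on the OS volume's protectors.
# Get-BitLockerVolume needs an elevated prompt and the BitLocker module
# (present on Windows 10/11 and Windows Server).
$vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue

if ($null -eq $vol -or $vol.ProtectionStatus -eq 'Off') {
    Write-Host 'Volume is not BitLocker-protected: safe-mode path, no recovery key needed.'
}
else {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $needsUserSecret = $types -contains 'TpmPin' -or
                       $types -contains 'TpmStartupKey' -or
                       $types -contains 'TpmPinStartupKey'

    if ($types -contains 'Tpm' -and -not $needsUserSecret) {
        Write-Host 'TPM-only protector: safe-mode path can unlock the volume without the recovery key.'
    }
    else {
        Write-Host "Protectors: $($types -join ', '). WinPE path will prompt for the 48-digit recovery key;"
        Write-Host 'retrieve it from Intune/Entra ID or AD before you start.'
    }
}

# Step 2: cleanup (run from safe mode, elevated). Remove only files matching the
# faulty pattern and leave the rest of the sensor directory intact.
$bad = Get-ChildItem -Path $driverDir -Filter $badPattern -File -ErrorAction SilentlyContinue

if ($bad) {
    foreach ($f in $bad) {
        Write-Host "Removing $($f.FullName)"
        Remove-Item -LiteralPath $f.FullName -Force
    }
    Write-Host 'Done. Reboot normally; the sensor will pull a corrected channel file.'
}
else {
    Write-Host "No $badPattern files found in $driverDir; nothing to remove."
}
```

The protector check matters because a host with a TPM+PIN or startup-key protector will not auto-unlock in safe mode the way a TPM-only host does, so the admin should have the recovery key in hand before rebooting rather than discovering the need for it at the BitLocker prompt.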

Microsoft has previously confirmed that the buggy CrowdStrike update affected Windows 365 Cloud PCs and that users “may restore their Windows 365 Cloud PC to a known good state prior to the release of the update (July 19, 2024)”. The company has also provided guidance for restoring affected Azure virtual machines.

Cloud security company Orca has released a script that automates the remediation of Windows virtual machines hosted on AWS.

Threat actor exploiting the situation

As expected, scammers and threat actors have immediately started taking advantage of the chaos that resulted from the faulty update.

Trend Micro researchers provided examples of tech support scams doing the rounds, and even legal scams.

A tech support scam exploiting the situation (Source: Trend Micro)

CrowdStrike warned about:

  • Attackers offering a fake utility for automating recovery that loads the Remcos remote access tool
  • Phishers and vishers impersonating CrowdStrike support and contacting customers
  • Scammers posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights

“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels,” the company said.

UPDATE (July 23, 2024, 05:15 a.m. ET):

CrowdStrike has provided a way for remediating affected systems more quickly. Customers must opt in to use the technique via the support portal. (A Reddit user has explained the process involved.)

The company has also released a video explaining how users can self-remediate affected remote Windows laptops.

Fake CrowdStrike repair manual pushes new infostealer malware

“Resiliency in the digital age isn’t just about preventing outages; it’s about being prepared to respond effectively when they happen.”


Tags: CrowdStrike, Microsoft


Feb 09 2023

9 Ways a CISO Uses CrowdStrike for Identity Threat Protection

https://www.crowdstrike.com/blog/9-ways-a-public-sector-ciso-uses-crowdstrike-identity-threat-protection/

Identity isn’t a security problem — it’s the security problem. 

This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.

The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.

CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.

“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area

Identity Is the New Perimeter

Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said. 

With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.

Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.

Below are nine use cases for the identity protection capability, in his own words.

1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.

2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.

3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.

“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”

4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.

5. We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.

6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.

“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”

7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.

8. We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.

9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.

“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”
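As an added example (not CrowdStrike code, and not the CISO’s own tooling), the PowerShell below implements two of the checks described in use cases 2 and 5 over a constructed set of RDP logon records: a stale account (no logon for 90 or more days) suddenly authenticating, and a departed user’s credentials used interactively from another user’s workstation. In production the records would come from Security event ID 4624 with LogonType 10 (RemoteInteractive); here they are constructed inline so the script runs offline. All account, host and server names are hypothetical.

```powershell
# Added example: stale-account reactivation and departed-credential detection
# over constructed logon records. Not part of the original post.

$staleDays = 90

# HR/directory input (hypothetical): accounts of people who have left.
$departed = @('ssmith')

# Workstation ownership (hypothetical): who normally sits at each machine.
$owner = @{ 'WS-JDOE' = 'jdoe'; 'WS-SSMITH' = 'ssmith'; 'WS-ADMIN1' = 'admin1' }

# Constructed sample of RDP logon events (fields a 4624/LogonType 10 event carries).
$events = @(
    [pscustomobject]@{ Time = Get-Date '2022-10-01T08:00:00'; User = 'svc_backup'; Source = 'WS-ADMIN1'; Target = 'SRV-FILE01' },
    [pscustomobject]@{ Time = Get-Date '2023-01-31T14:10:00'; User = 'svc_backup'; Source = 'WS-ADMIN1'; Target = 'DC01' },
    [pscustomobject]@{ Time = Get-Date '2023-01-31T15:22:00'; User = 'ssmith';     Source = 'WS-JDOE';   Target = 'SRV-FIN01' },
    [pscustomobject]@{ Time = Get-Date '2023-01-31T16:05:00'; User = 'jdoe';       Source = 'WS-JDOE';   Target = 'SRV-FIN01' }
)

$findings = New-Object 'System.Collections.Generic.List[string]'
$lastSeen = @{}   # account -> time of its previous logon

foreach ($e in ($events | Sort-Object Time)) {

    # Check 1: an account that has been silent for $staleDays or more becomes active.
    if ($lastSeen.ContainsKey($e.User)) {
        $gapDays = ($e.Time - $lastSeen[$e.User]).TotalDays
        if ($gapDays -ge $staleDays) {
            $findings.Add("STALE-REACTIVATED: $($e.User) logged on to $($e.Target) after $([int]$gapDays) idle days")
        }
    }
    $lastSeen[$e.User] = $e.Time

    # Check 2: a departed user's credentials used from a machine owned by someone else
    # (the Steve Smith / Jane Doe scenario in use case 5).
    if ($departed -contains $e.User) {
        $machineOwner = if ($owner.ContainsKey($e.Source)) { $owner[$e.Source] } else { 'unknown' }
        if ($machineOwner -ne $e.User) {
            $findings.Add("DEPARTED-CRED-USE: $($e.User) -> $($e.Target) from $($e.Source) (workstation owner: $machineOwner)")
        }
    }
}

# With the sample above this prints one finding of each kind:
# svc_backup reactivated after 122 idle days, and ssmith used from WS-JDOE.
$findings | ForEach-Object { Write-Host $_ }
```

Both checks need a baseline the SOC controls (leaver list, workstation ownership) rather than anything in the event itself; that is the point the CISO makes about tying identity context to endpoint telemetry, and it is why the finding carries the source host so an analyst can pivot straight to that machine’s detections.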

Tags: CrowdStrike, Threat Protection


Nov 10 2022

CrowdStrike Achieves 99% Detection Coverage in First-Ever MITRE ATT&CK Evaluations for Security Service Providers

Category: Attack Matrix, Information Security | DISC @ 3:20 pm
  • CrowdStrike achieved 99% detection coverage by conclusively reporting 75 of the 76 adversary techniques during the MITRE ATT&CK evaluation.
  • Leveraging the power of the CrowdStrike Falcon® platform with integrated threat intelligence and patented tooling, the CrowdStrike Falcon® Complete and CrowdStrike® Falcon OverWatch™ managed threat hunting teams identified the adversary and associated tradecraft within minutes.
  • Closed-book evaluations such as this provide the most realistic reflection of how a security vendor would perform in a customer environment. CrowdStrike’s combination of market-leading technology and elite human expertise led the evaluation, which is the gold standard in managed detection and response testing.  
  • MITRE does not rank or rate participants; the following is CrowdStrike’s analysis of the results provided by MITRE Engenuity.

Tags: CrowdStrike, MDR, MITRE ATT&CK, MITRE ATT&CK Evaluations, Security Service Providers