The Global IT Shutdown of 2024: A Historical Cyber Incident

 

On July 19, 2024, a significant IT shutdown caused disruptions across industries worldwide. The fallout was extensive, with flight cancellations, and the stalling of critical systems in hospitals, banks, stock exchanges, and various other institutions. Microsoft-based computers around the globe were plagued by the infamous “blue screen of death,” rendering them unusable.

The Source of the Mishap

The source was a corrupted software update from cyber security firm, CrowdStrike. This error, deemed one of the worst cyber-incidents in history, drew parallels to the infamous WannaCry cyber-attack of May 2017, which affected approximately 300,000 computers across 150 countries. Similarly, the NotPetya attack in June 2017 caused widespread disruption and financial loss.

CrowdStrike’s Role and Response

CrowdStrike Holdings, Inc., based in Austin, Texas, specializes in cybersecurity technology, offering cloud workload protection and endpoint security through platforms like Falcon. A misconfiguration during an update triggered a flaw, leading to widespread computer crashes. CrowdStrike’s CEO, George Kurtz, a former McAfee employee, addressed the issue publicly.

Kurtz assured the public that the company was “actively working with customers impacted by a defect found in a single content update for Windows hosts,” clarifying that Mac and Linux systems were unaffected. He emphasized that this was not a security breach or cyberattack, and the problem had been identified, isolated, and a fix deployed.

 

 

George Kurtz on Crowdstrike

https://www.linkedin.com/posts/georgekurtz_crowdstrike-is-actively-working-with-customers-activity-7220000897341251584-K2OS

 

Collaboration and Assurance from Microsoft

Microsoft CEO Satya Nadella also stepped forward to reassure affected users. He confirmed that Microsoft was collaborating closely with CrowdStrike to provide technical guidance and support to restore systems. The joint efforts of both companies aimed to mitigate the impact and bring affected systems back online swiftly.

Satya Nadella on Crowdstrike

 

https://www.linkedin.com/posts/satyanadella_yesterday-crowdstrike-released-an-update-activity-7220094835574099968-Lvt9

 

The Complexity and Risks of Security Software Updates

Security software updates, while essential, carry inherent risks. Matthieu Suiche, head of detection engineering at Magnet Forensics, compares it to “open-heart surgery” because of the deep access required, which increases the risk of system crashes.

Costin Raiu, a former lead of Kaspersky’s threat intelligence team, underscores that driver updates for Windows software are typically subjected to extensive inspection and testing before being deployed. However, in this instance, a less scrutinized configuration file managed to alter the driver’s functionality, leading to a system crash. “It’s surprising that with the extreme attention paid to drivers, this still happened,” says Raiu. “One simple driver can bring down everything. Which is what we saw here.”

CrowdStrike is not alone in dealing with these issues. Similar incidents have occurred with updates to Kaspersky and Windows Defender, Microsoft’s built-in antivirus software. “Every security solution on the planet has had their CrowdStrike moments,” says Raiu. “This is nothing new but the scale of the event.”

Mikko Hyppönen, Chief Research Officer at cybersecurity company WithSecure, emphasizes the unprecedented nature of the global outage caused by this incident. “It’s the biggest case in history. We’ve never had a worldwide workstation outage like this,” he says. Hyppönen points out that around a decade ago, widespread outages were more common due to the spread of worms or trojans. In recent years, global outages have typically stemmed from server-side issues, such as cloud provider disruptions, internet cable cuts, or authentication and DNS problems.

 

In a recent discussion, Hyppönen was asked if WithSecure could guarantee their updates wouldn’t cause an outage and if they test every update thoroughly. He honestly responded, “No, I can’t. Yes, we do.” He acknowledges that it could happen with WithSecure as well. However, WithSecure is committed to preventing similar incidents by rigorously testing every update across multiple configurations.

This incident serves as a reminder of the critical importance of meticulous testing and validation in the cybersecurity industry, where even a small oversight can have far-reaching consequences.

 

https://www.linkedin.com/posts/hypponen_the-crowdstrike-outage-is-historical-millions-activity-7220035726451572737-YB8c

 

Historical Background and Significance

This incident serves as a stark reminder of the vulnerabilities inherent in our increasingly digital world. While the WannaCry and NotPetya attacks of 2017 highlighted the devastating potential of cyber threats, the 2024 IT shutdown underscores the ongoing risks associated with software updates and cybersecurity management. As industries continue to rely heavily on digital infrastructure, the need for robust cybersecurity measures and vigilant monitoring becomes ever more critical.

The global IT shutdown of 2024 will likely be studied extensively in the years to come, offering valuable lessons in crisis management, cybersecurity, and the importance of swift, transparent communication during such events.

 

 

 

Reference:

https://www.nbcnews.com/news/world/live-blog/live-updates-it-outage-flights-banks-businesses-microsoft-crowdstrike-rcna162669

https://abcnews.go.com/US/american-airlines-issues-global-ground-stop-flights/story?id=112092372

https://www.cnbc.com/2024/07/19/latest-live-updates-on-a-major-it-outage-spreading-worldwide.html

https://www.bbc.com/news/articles/cpe3zgznwjno#

https://www.wired.com/story/crowdstrike-outage-update-windows/

Understanding NIS2: The Next Evolution in Cybersecurity Regulations

What is NIS2?

The NIS2 Directive is the successor to the original Network and Information Security Directive (NIS Directive), which was introduced by the European Union in 2016. The primary aim of the NIS Directive was to enhance the level of cybersecurity across the EU by ensuring that member states, key industries, and service providers take appropriate measures to safeguard their networks and information systems. While the NIS Directive laid a strong foundation, the rapid evolution of cyber threats necessitated an update, leading to the introduction of NIS2.

NIS2, formally adopted in December 2022, builds upon the original directive and introduces several important updates and improvements. Its overarching goal is to further strengthen the EU’s resilience to cyber threats and ensure the security of critical infrastructure and essential services.

Key Objectives of NIS2

NIS2 aims to address several critical objectives, including:

Enhanced Security Requirements: NIS2 mandates more stringent security requirements for organizations, focusing on risk management, incident response, and reporting. This ensures that organizations are better prepared to prevent, detect, and respond to cyber incidents.

Expanded Scope: Unlike its predecessor, NIS2 expands its scope to include a broader range of sectors and services. It now covers sectors such as healthcare, public administration, manufacturing, and more. This expansion acknowledges the interconnected nature of modern industries and the importance of securing all critical services.

Improved Cooperation and Information Sharing: NIS2 emphasizes the importance of cooperation and information sharing among EU member states and organizations. It establishes mechanisms for sharing threat intelligence, best practices, and coordinated incident response.

Stronger Enforcement and Penalties: To ensure compliance, NIS2 introduces more robust enforcement mechanisms and penalties for non-compliance. This includes regular audits, inspections, and the possibility of significant fines for organizations that fail to meet the directive’s requirements.

Why Do We Need to Know About NIS2?

Understanding NIS2 is crucial for several reasons:

Evolving Cyber Threat Landscape: Cyber threats are becoming increasingly sophisticated and frequent. The original NIS Directive was a step in the right direction, but the evolving threat landscape necessitates updated regulations. NIS2 addresses these emerging threats by mandating higher security standards and encouraging proactive measures.

Critical Infrastructure Protection: The expansion of NIS2 to cover more sectors underscores the importance of protecting critical infrastructure. From healthcare systems to public administration, ensuring the security of these services is vital for societal well-being. IT experts must understand these requirements to safeguard essential services effectively.

Legal and Regulatory Compliance: For organizations operating within the EU, compliance with NIS2 is not optional. Failure to adhere to its requirements can result in severe penalties, including substantial fines. IT professionals must be well-versed in NIS2 to ensure their organizations remain compliant and avoid legal repercussions.

Risk Management and Incident Response: NIS2 places a strong emphasis on risk management and incident response. IT experts need to be familiar with these requirements to develop robust security strategies, conduct risk assessments, and implement effective incident response plans. This proactive approach minimizes the impact of cyber incidents and enhances organizational resilience.

Collaboration and Information Sharing: NIS2 promotes cooperation and information sharing among organizations and member states. IT professionals should leverage this opportunity to share threat intelligence, collaborate on best practices, and participate in coordinated incident response efforts. This collective approach strengthens the overall cybersecurity posture of the EU.

 

Key Components of NIS2

To fully grasp the implications of NIS2, it is essential to understand its key components:

Risk Management and Security Measures: NIS2 requires organizations to adopt comprehensive risk management frameworks. This includes identifying and assessing risks, implementing appropriate security measures, and regularly reviewing and updating these measures to address evolving threats.

Incident Reporting: Timely reporting of cybersecurity incidents is a critical aspect of NIS2. Organizations must report significant incidents to the relevant authorities within a specified timeframe. This ensures that incidents are promptly addressed, and lessons are learned to prevent future occurrences.

Security of Supply Chains: NIS2 acknowledges the importance of securing supply chains. Organizations must assess the security of their supply chains and take necessary measures to ensure that third-party providers meet the required security standards.

Cooperation and Coordination: NIS2 establishes mechanisms for cooperation and coordination at both the national and EU levels. This includes the establishment of Computer Security Incident Response Teams (CSIRTs) and the development of national cybersecurity strategies.

Awareness and Training: NIS2 emphasizes the need for cybersecurity awareness and training programs. Organizations must ensure that their employees are adequately trained to recognize and respond to cyber threats effectively.

Preparing for NIS2 Compliance

For IT experts and organizations, preparing for NIS2 compliance involves several key steps:

Risk Assessment: Conduct a thorough risk assessment to identify potential vulnerabilities and threats. This assessment should encompass all critical systems, networks, and services.

Security Measures: Implement robust security measures to mitigate identified risks. This includes deploying advanced threat detection systems, encryption, access controls, and regular security audits.

Incident Response Plan: Develop and regularly update an incident response plan. This plan should outline the steps to be taken in the event of a cyber incident, including communication protocols, containment measures, and recovery procedures.

Employee Training: Invest in cybersecurity awareness and training programs for employees. Ensure that staff members are aware of the latest threats and best practices for maintaining security.

Collaboration and Information Sharing: Engage in collaboration and information sharing initiatives. Participate in industry forums, join cybersecurity networks, and share threat intelligence with peers and authorities.

 

NIS2 represents a significant advancement in the EU’s approach to cybersecurity. By understanding its key components and implications, IT experts and tech enthusiasts can better prepare their organizations for compliance and enhance their overall cybersecurity posture. As the threat landscape continues to evolve, staying informed about regulatory developments like NIS2 is essential for safeguarding critical infrastructure and maintaining the trust of customers and stakeholders. Embracing NIS2 is not just about compliance; it is about building a resilient and secure digital future.

How can companies ensure their technology tools are secure?

Ensuring the security of technology tools is critical for safeguarding sensitive data, maintaining business continuity, and protecting against cyber threats. Here are key measures companies can take to enhance the security of their technology tools:

  1. Regular Security Audits: Conduct routine security audits to assess vulnerabilities, identify potential risks, and ensure compliance with industry standards.
  2. Up-to-Date Software and Patch Management: Keep all software, including operating systems and applications, up to date with the latest security patches. Regularly update and patch systems to address known vulnerabilities.
  3. Access Controls and User Permissions: Implement strong access controls to restrict system access based on job roles. Regularly review and update user permissions to ensure that employees have the necessary access without unnecessary privileges.
  4. Employee Training and Awareness: Provide comprehensive cybersecurity training to employees. Educate them on security best practices, the importance of strong passwords, and how to recognize and report phishing attempts.
  5. Endpoint Security: Deploy robust endpoint security solutions to protect individual devices connected to the network. This includes antivirus software, anti-malware solutions, and endpoint detection and response (EDR) tools.
  6. Data Encryption: Implement encryption for sensitive data both in transit and at rest. This ensures that even if data is intercepted, it remains unreadable without the proper decryption keys.
  7. Network Security: Use firewalls, intrusion detection systems, and other network security tools to monitor and control network traffic. Implement Virtual Private Networks (VPNs) for secure remote access.
  8. Incident Response Plan: Develop and regularly test an incident response plan to ensure a swift and effective response to security incidents. This plan should outline the steps to take in the event of a breach or cyberattack.
  9. Regular Backups: Implement a robust backup strategy to ensure data recovery in case of data loss or a ransomware attack. Regularly test backups to confirm their integrity.
  10. Secure Development Practices: For companies involved in software development, follow secure coding practices. Conduct code reviews and testing to identify and remediate security vulnerabilities in the early stages of development.
  11. Vendor Security Assessments: Assess the security practices of third-party vendors and service providers. Ensure that they adhere to security standards and have robust measures in place to protect shared data.
  12. Continuous Monitoring: Implement continuous monitoring systems to detect and respond to security threats in real-time. This includes monitoring network traffic, user activities, and system logs.
  13. Compliance with Regulations: Stay informed about relevant data protection and privacy regulations. Ensure that technology tools and security practices align with regulatory requirements to avoid legal consequences.
  14. Security Culture: Foster a culture of security awareness among employees. Encourage them to take an active role in maintaining a secure environment and report any security concerns promptly.

By adopting a holistic and proactive approach to cybersecurity, companies can significantly reduce the risk of security breaches and enhance the overall resilience of their technology infrastructure.

What is Phishing?

Phishing is a cyberattack method in which malicious actors impersonate legitimate entities or individuals to deceive targets into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal data. Phishing attacks can occur via various communication channels, including email, social media, text messages, and even phone calls.

History

Phishing has a history dating back to the early 1990s when attackers began sending fraudulent emails that appeared to be from trusted sources, requesting users to provide their login credentials. The term “phishing” is a play on “fishing,” as attackers “fish” for victims using deceptive baits.

Variations of Phishing Attacks over the years

  • Email Phishing: Attackers send emails that impersonate trusted organizations, like banks, social media platforms, or government agencies. These emails contain links to fake websites designed to steal login credentials or prompt users to download malware.
  • Spear Phishing: A targeted form of phishing, where attackers customize messages for specific individuals or organizations. They gather information about their targets to make the messages more convincing.
  • Vishing: This involves voice communication, where attackers call potential victims and pretend to be someone they trust, often using tactics like claiming to be a tech support agent or a bank representative.
  • Smishing: Phishing via text messages (SMS). Attackers send SMS messages with malicious links, enticing users to click on them, often posing as delivery notifications or prize notifications.
  • CEO Fraud or Business Email Compromise (BEC): In this case, attackers impersonate high-ranking executives within a company to trick employees into transferring money or sensitive data.

Be informed and learn how to identify and protect yourself against these attacks.

  1. Verify the Sender: Double-check the sender’s email address or contact details. Legitimate organizations typically use their official domains for communication.
  2. Avoid Clicking on Suspicious Links: Hover over links in emails to see the actual URL. Be cautious about clicking on links from unknown sources.
  3. Use Multi-Factor Authentication (MFA): Enable MFA whenever possible to add an extra layer of security to your accounts.
  4. Keep Software and Systems Updated: Ensure your operating system, antivirus, and applications are up-to-date with security patches.
  5. Be Cautious with Email Attachments: Don’t open attachments in unsolicited emails, especially if they come from unknown sources.
  6. Educate Yourself and Others: Learn to recognize phishing attempts and educate your family and colleagues to do the same.
  7. Use Email Filters: Enable spam and phishing filters in your email client to help identify and filter out suspicious messages.
  8. Avoid Sharing Personal Information: Be wary of sharing personal or financial information in response to unsolicited requests, even if they seem urgent.
  9. Verify Requests for Money or Sensitive Data: If you receive a request for money or sensitive data from a colleague or boss, verify it through a separate communication channel.
  10. Use a Secure and Updated Browser: Browsers with built-in security features can help detect and block known phishing websites.

Phishing attacks are prevalent and continually evolving, making it crucial to remain vigilant and adopt these best practices to protect yourself and your digital assets from falling victim to these deceptive tactics.

Add additional layers of security and keep a keen sharp mind when making decisions on sharing sensitive information to others no matter who they are.

Ransomware Newcomers from WithSecure’s Threat Highlight Report

,

WithSecure shared these Ransomware newcomers from their September 2023 report:

3AM
A new ransomware variant and group called 3AM has struck
victims and posted victim data on its dark web leak site since
the 17th of September. Interestingly, in one known instance
an attacker deployed 3AM after failing to deploy LockBit
suggesting the attacker was an affiliate in both groups.

Retch
Little is known about newcomer Retch but its ransom note
demands a relatively low amount of €300, suggesting it is
targeting small businesses or consumers, rather than bigger
organizations.

S.H.O
Another new variant that appears to be targeting small
businesses and consumers is S.H.O. Similarly, to Retch, this
group is demanding a small ransom of $200.

Lost Trust
LostTrust has posted 52 victims to its dark web leak site, a huge
number that was all dumped on the same date, suggesting a
longer campaign. This aligns with reports that LostTrust is a
simple rebrand of MetaEncryptor, with the groups utilizing the
same website templates and encryption locker.

CiphBit
Intelligence on CiphBit is scant, but the group dumped data
relating to eight different victims on its dark web leak site
in September. These victims come from different nations
(Canada, Belgium, France, Germany, Moldova, Poland, and
the UK) and different sectors, suggesting the group is purely
opportunistic, rather than motivated by a specific target
characteristic or ideology

WithSecure is an active player in controlling the threat in today’s cybersecurity landscape adding newly found threats in their AI powered cloud based endpoint protection. If it can be detected, it can be prevented.

ARA Industries is registered partner of WithSecure aiming to secure Small and Medium enterprises in the Philippines 1 device at a time. Start securing your digital assets today using WithSecure Elements.

Meet the Ducks – a Vietnamese threat group targeting Meta Business Accounts

,

In today’s interconnected world, social media has become the largest hub where individuals and businesses converge, with approximately 4.9 billion people using these platforms. For organizations, social media serves as a powerful tool to engage with the global audience, a resource that most businesses utilize in various ways.

However, while businesses have strong incentives to harness the potential of social media for their benefit, these platforms also present unique opportunities for adversaries with diverse intentions and capabilities. The challenges posed by adversaries on these platforms are multifaceted, ever-evolving, intricate, and, most significantly, detrimental.

WithSecure has published a complete report about the threat landscape surrounding Meta’s ad ecosystem that are pre-dominantly originating out of Vietnam. Additionally, they shared an update on the infamous DUCKTAIL operation exposed in their previous reports DUCKTAIL: An infostealer malware targeting Facebook Business accounts and DUCKTAIL returns: Underneath the ruffled feathers.

Checkout the full report here: https://labs.withsecure.com/publications/meet-the-ducks