🔒
There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

April 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day Under Attack and Wormable Bugs

14 April 2022 at 14:54

Microsoft has released 117 security patches for its April Patch Tuesday rollout. Of the 117 CVEs addressed, two are ranked as Important zero-days, including CVE-2022-24521, which is under active exploitation. This zero-day was discovered by CrowdStrike Intelligence and affects the Windows Common Log File System. Additionally, this month featured 10 critical vulnerability patches, bringing the total number of updates to nearly double what was offered in March 2022.

Two Zero-Day Vulnerabilities, One Under Active Attack

The two zero-day vulnerabilities patched this month received CVSS scores between 7 and 7.8 — a rank of Important. Nonetheless, these vulnerabilities are relevant to any organization using the affected products. CrowdStrike Falcon Spotlight™ ExPRT.AI provides valuable data and insights for a more accurate understanding of how these zero-day vulnerabilities could affect your environment. 

CVE-2022-24521: Windows Common Log File System Driver elevation of privilege vulnerability. Although given a CVSS score of 7.8, Microsoft has seen active exploitation with a low attack complexity. Now that Microsoft has issued a patch, adversaries may be analyzing the details of this vulnerability to learn how to better exploit it. 

CVE-2022-26904: Windows User Profile Service elevation of privilege vulnerability. This publicly known zero-day flaw impacts the Windows User Profile Service and has a CVSS severity score of 7.0. In addition to having a proof-of-concept (POC) code available, there’s a Metasploit module. This vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. Microsoft has not seen this exploited in the wild.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability
Important 7.0 CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability

April 2022 Risk Analysis

The top three attack types — remote code execution, elevation of privilege and information disclosure — continue to dominate, with denial of service following at almost 8% (up from 5% in March).

Figure 1. Breakdown of April 2022 Patch Tuesday attack types

The affected product families, however, are much different than last month. For April 2022, Developer tools saw a significant increase in vulnerabilities patched. Microsoft Office has taken second place in receiving the most patches, with Windows and Extended Security Updates following close behind.

Figure 2. Breakdown of April 2022 Patch Tuesday affected product families

Critical Vulnerabilities in LDAP, Hyper-V and SMB

Ten vulnerabilities ranked as Critical received patches this month across a number of Microsoft products, most notably in Windows Network File System (NFS) and Remote Procedure Call (RPC) runtime. 

CVE-2022-26809: Remote Procedure Call (RPC) runtime remote code execution vulnerability. This flaw is rated CVSS 9.8, and is described as “exploitation more likely” by Microsoft. It could allow an attacker to execute code with high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between target hosts where RPC can be reached. However, the static port used (TCP port 135) is typically blocked at the network perimeter. This vulnerability could be used for lateral movement by an attacker. We recommend that your team test and deploy this patch quickly as possible.  

CVE-2022-24491 and CVE-2022-24497: Windows Network File System remote code execution vulnerabilities. These two NFS vulnerabilities also have a 9.8 CVSS score and are listed as “exploitation more likely.” On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Again, that adds up to a wormable bug — at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter. Microsoft offers some guidance on how the RPC port multiplexer (port 2049) “is firewall-friendly and simplifies deployment of NFS.” Check your installations and roll out these patches rapidly.

Rank CVSS Score CVE Description
Critical 8.1 CVE-2022-26919 Windows LDAP Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-23259 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Critical 7.8 CVE-2022-22008 Windows Hyper-V Remote Code Execution Vulnerability
Critical 7.8 CVE-2022-24537 Windows Hyper-V Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability
Critical 9.8 CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability
Critical 9.8 CVE-2022-24497 Windows Network File System Remote Code Execution Vulnerability
Critical 9.8 CVE-2022-26809 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-24541 Windows Server Service Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability

18 Windows DNS Server Remote Code Execution Vulnerabilities

Eighteen RCE vulnerabilities affecting Windows DNS Server received patches this month. All are ranked as Important, with two vulnerabilities that warrant additional attention. 

CVE-2022-26815: This vulnerability is the most severe of the 18 DNS Server CVEs patched this month. This flaw is also very similar to one (CVE-2022-21984) patched in February, which raises the question whether or not this month’s patch for CVE-2022-26815 is the result of a failed or incomplete patch. Important to note for patching teams:

  • Dynamic updates must be enabled for a server to be affected
  • CVSS details lists a level of privileges to exploit 

Any opportunity for an attacker to get RCE on a DNS server is one too many, so we recommend prioritizing this vulnerability and patching your DNS servers.

CVE-2022-26826: This vulnerability is rated as Important with a CVSS score of 7.2. To exploit this vulnerability, the attacker or targeted user would need specific elevated privileges. As is best practice, regular validation and audits of administrative groups should be conducted.

Rank CVSS Score CVE Description
Important 8.8 CVE-2022-26815 Windows DNS Server Information Disclosure Vulnerability
Important 7.5 CVE-2022-26814 Windows DNS Server Information Disclosure Vulnerability
Important 7.5 CVE-2022-26817 Windows DNS Server Information Disclosure Vulnerability
Important 7.5 CVE-2022-26818 Windows DNS Server Information Disclosure Vulnerability
Important 7.5 CVE-2022-26829 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-24536 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-26811 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-26813 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-26823 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-26824 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-26825 Windows DNS Server Information Disclosure Vulnerability
Important 7.2 CVE-2022-26826 Windows DNS Server Information Disclosure Vulnerability
Important 6.7 CVE-2022-26812 Windows DNS Server Information Disclosure Vulnerability
Important 6.6 CVE-2022-26819 Windows DNS Server Information Disclosure Vulnerability
Important 6.6 CVE-2022-26820 Windows DNS Server Information Disclosure Vulnerability
Important 6.6 CVE-2022-26821 Windows DNS Server Information Disclosure Vulnerability
Important 6.6 CVE-2022-26822 Windows DNS Server Information Disclosure Vulnerability
Important 4.9 CVE-2022-26816 Windows DNS Server Information Disclosure Vulnerability

RCE Is Still a Popular Attack Type, So Consider Prioritizing Patches Accordingly

This month’s Patch Tuesday contains 47 patches for RCE bugs. In addition to those already mentioned is yet another RDP client flaw (CVE-2022-24533) that would allow code execution if a user connected to a malicious RDP server. If that sounds familiar, it’s because there was a similar bug last month, with a number of related CVEs going further back. There are a few open-and-own vulnerabilities in Office components, most notably Excel, that have also received patches this month. The chance of people applying patches to Excel before April 15 appears low, but there is risk of exploitation if patching isn’t applied. Another vulnerability to consider is CVE-2022-26788 (another CVE this month discovered by CrowdStrike, this one in conjunction with VMware), which is a PowerShell privilege elevation CVE. It’s ranked as Important with a CVSS of 7.8. 

CrowdStrike recommends continually reviewing your patching strategy, as vigilance can make a dramatic difference in keeping your environments protected. 

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Engineer Rotem Bar On on Solving Big Challenges with Autonomy in Cybersecurity

15 April 2022 at 13:32

Our latest installment of 5 Questions takes us to Tel Aviv, where we sit down with Rotem Bar On to discuss his role on the cloud infrastructure team, what he loves about his job and how he is helping CrowdStrike build a scalable, future-proof system.

Rotem Bar On

Q. What is your role and what drew you to CrowdStrike?

I joined CrowdStrike about a year and a half ago. I’m part of the Cloud Infrastructure team within the CrowdStrike Falcon® Identity Protection product group. I made the decision to join CrowdStrike because I was really impressed with the people I met during the interview process. I also got very excited about the technology CrowdStrike is pioneering. And there’s also the mission: “We stop breaches” — that really appealed to me too. CrowdStrike is helping people and organizations protect themselves from cyberattacks. 

Finally, I think the sector itself is really exciting. The technology is always progressing. There will be new threats to address, new problems to solve, new solutions to develop. I realized that CrowdStrike has the right tools and the right technology. That felt like a great opportunity for my career.

Q. What is your day-to-day focus in your role?

As an engineer working on the Cloud Infrastructure team, my role involves working in two main areas. The first one is integrating our solution with the Falcon sensor. There are many insights that we have and we want to share with the CrowdStrike ecosystem, and a lot of data we can benefit from that CrowdStrike already has. In my role, I think about how to integrate the different components to play well with each other.

My other area of focus is on the production side, investigating scale issues and eliminating bottlenecks in our system. CrowdStrike is dealing with a truly enormous amount of data each day — more than almost any big company you can name — so we have a lot of scale. We have to eliminate bottlenecks, pursue low latencies and ensure everything is running optimally because at this scale, you want to stay ahead of anything that could impact overall performance. So my job is all about building for the future and designing for scale.

Q. What do you enjoy most about working for the CrowdStrike team in Israel?

I really enjoy the CrowdStrike culture. In the Tel Aviv office, there is a good combination between a startup vibe and corporate resources. For example, we have the infrastructure of a mature company, but we’re also moving at a really fast pace, like in the startup world. It’s also really exciting to be building something new.

Another aspect of working at CrowdStrike that I really value is that people have autonomy in their day-to-day role. We understand the goal we need to reach, but as engineers, we can decide how we want to get there, how we implement. That really keeps things interesting for us as engineers and developers.

Q. Tell me more about the culture at CrowdStrike, particularly in Israel.

CrowdStrike is a remote-first company, so all systems, processes and roles are meant to enable asynchronous work across a distributed team. But I like that people have the option to work remotely or in the office. In Israel, there’s a good mix. Some people never come to the office and some people are here pretty much every day.

Personally, I prefer to come to the office often. It’s a really friendly environment. We have a regular happy hour on Thursday, and once a week the company orders lunch. It’s really nice because the team here is so diverse, representing many different cultures in Israel.

Q. What do you think makes for a successful engineer at CrowdStrike?

First, I would say good engineers need to look beyond their immediate task. So they need to figure out the implications for moving pieces within the ecosystem. They also need to be able to communicate with other teams. Some engineers may not be familiar with that collaboration element, but it’s really important at CrowdStrike because it’s the only way you can make an informed decision.  

Another thing that’s important as a CrowdStrike engineer is context. Working here, almost every task has broader implications. Even if I am designing a small piece of code, it may need to be extended in the future, or maybe it needs to work really fast or have a low-memory footprint. Again, it’s all about communicating to understand what the goal is and how what you do feeds into other aspects of the company. For people who like to solve really complex problems, CrowdStrike is an exciting place to be.

Do you like solving complex problems and working at a massive scale? Browse our job listings and internship program today and join our global engineering team.

Security Doesn’t Stop at the First Alert: Falcon X Threat Intelligence Offers New Context in MITRE ATT&CK Evaluation

  • The CrowdStrike Falcon® platform delivers 100% prevention across all nine steps in the MITRE Engenuity ATT&CK® Enterprise Evaluation
  • CrowdStrike extends endpoint and workload protection by fully integrating threat intelligence into the Falcon platform — CrowdStrike Falcon X™ enables CrowdStrike users to pivot seamlessly from detections to the latest intelligence on today’s adversaries, including their motivation and tradecraft
  • Falcon X helps organizations save time by automatically analyzing potential malware with built-in sandbox technology, finding and analyzing related malware samples, and enriching the results with industry-leading threat insights
  • Falcon X provided enriched detections throughout eight MITRE Engenuity ATT&CK Evaluation tactics and 18 techniques

CrowdStrike recently demonstrated the power of the Falcon platform and its integrated approach to providing robust protection by exposing all attack tactics used as part of the MITRE Engenuity ATT&CK Enterprise Evaluation released in April 2022. The evaluation focused on emulating two of today’s most sophisticated Russian-based threat groups: WIZARD SPIDER and VOODOO BEAR (Sandworm Team).

Scoring 96% percent visibility of substeps across all 19 steps and 109 substeps, the Falcon platform leveraged the intelligence automation capabilities of Falcon X threat intelligence to deliver additional enriched detections and indicators of compromise on 8 tactics and 18 techniques used by the two persistent adversaries.

Security doesn’t stop at the first alert. Falcon X offers new context on the who, what, why and how behind a security alert. It gives meaning to each alert an analyst works on, helping them prioritize which alerts to handle first and understand detailed insights into the attacker, motivation and methods — like the two emulated by MITRE Engenuity.

Falcon X helps protect against future attacks by providing context, attribution and information on how to stop the next actor or malware campaign. Falcon X does this by exposing known attack vectors, identifying related malware and malware techniques that have been seen in the past, or predicted for the future, and sharing this information with your security team and across your security devices. All of this investigation and analysis happens without you having to do anything except review the results. You save time, you know your priorities and you can trust your responses to be error-free. Most importantly, you are provided with detailed information on how to protect against future attacks from these adversaries.

Outpace the Adversary with Ready-to-Go Integration and Automation

Throughout the MITRE Engenuity ATT&CK Enterprise Evaluation, the Falcon platform leveraged its native automation capabilities. Typically, when a file-based attack is blocked on the endpoint by CrowdStrike Falcon Prevent™ next-generation antivirus, it is automatically sent to Falcon X for malware analysis and detonated in a safe environment. In this case, since MITRE Engenuity prohibits blocking in the detection portion of the test, we used custom indicator of attack (IOA) detection monitoring that triggered an automated workflow in CrowdStrike Falcon Fusion™, the Falcon platform’s natively integrated security orchestration, automation and response (SOAR) framework.

Figure 1. CrowdStrike Falcon Fusion workflow (Click to enlarge)

Figure 1 shows the Falcon Fusion workflow when custom IOA behavioral detection monitoring events were triggered. This could include, for example, when suspicious files were written to disk by a scripting engine or dropped via remote hands-on desktop sessions. The workflow retrieves and auto-submits the files to the Falcon X malware analysis sandbox to determine the malicious verdict and perform detailed analysis.

Whether using built-in or custom Falcon Fusion automation, the results of the file analysis are available, in context, to the user as a pivot directly from the Falcon detection. The results include the threat score, attribution and an outline of the behavior of the suspicious file, as if it had run in your environment. By automating threat investigations, Falcon X dramatically reduces time spent investigating and alert fatigue, and frees up resources so analysts can focus on other critical and strategic tasks. Falcon X also delivers indicators of compromise (IOCs) generated from the analysis of the file, as well as related files selected from CrowdStrike’s database of over 3.8 billion malware samples.

Falcon X Delivers Key Intelligence to Identify the Attack and Understand Attacker Tactics

Detonating binaries in Falcon X helps uncover the behavior of suspicious files and extract more information than is possible on the endpoint. This enables users to identify additional IOCs and known adversarial tactics, and hunt for secondary payloads, making it difficult for adversaries to bypass detection by changing the file used for initial access.

Figure 2 shows the Falcon X file analysis report for a file used in substep 1.A.2 (part of the WIZARD SPIDER Initial Compromise emulation scenario). The ChristmasCard.docm file is malicious, with a threat score of 100/100. At the same time, Falcon X also detected that the file had macro execution triggered on opening. Along with this information, Falcon X has successfully identified and mapped the dynamic behavior of the file to MITRE tactics, techniques and procedures (TTPs). With this enriched information, analysts can search for processes exhibiting similar technique IDs (TIDs).

Figure 2. CrowdStrike Falcon X report for WIZARD SPIDER malicious payload in the Initial Compromise emulation scenario (Click to enlarge)

In addition to behavioral data, Falcon X also captures memory state during execution and presents extracted strings from the detonated process. As displayed in Figure 3, (from substep 1.A.5 — part of the same WIZARD SPIDER Initial Compromise emulation scenario), the “Advanced Analysis” helps identify the purpose of the file, which is especially useful in cases where the binary is packed. This data plays a crucial role in helping to analyze the complete behavior of the threat and understand its capabilities.

Figure 3. CrowdStrike Falcon X detonation report highlighting process details and extracted strings (Click to enlarge)

Stop Breaches with the Right Tools and the Right Information at the Right Time

Security analysts are not short on data or tools. Threat intelligence must be integrated directly into their daily workflow and, more importantly, be available when new evidence is discovered. Security teams often use the term “pivot to intelligence,” which illustrates this process of understanding the full context of a newly discovered threat alert. Having the latest intelligence such as adversary motivation and known attack methods at your fingertips reduces time and complexity of the remediation effort.

Falcon X enriches the events and incidents detected by the Falcon platform, automating intelligence so security operations teams can make better, faster decisions. All security teams, regardless of size or sophistication, can learn from the attacks in their environment, and can apply that knowledge to proactively prevent future attacks.

CrowdStrike shuts down attacks before they can start by delivering powerful capabilities like identity-based security, comprehensive indicators of attack (IOAs), machine learning, automated orchestration and Falcon X threat intelligence through a unified, cloud-native platform. This integrated approach provides analysts with the right tools and threat intelligence to understand and defend against future attacks — and demonstrated excellent value throughout the MITRE Engenuity ATT&CK Enterprise Evaluation.

Additional Resources

CrowdStrike Falcon Spotlight Fuses Endpoint Data with CISA’s Known Exploited Vulnerabilities Catalog

20 April 2022 at 12:42

In this blog you will:

  1. Learn how to leverage the CrowdStrike Falcon Spotlight™ integrated threat and vulnerability management module to fuse your endpoint telemetry with CISA’s Known Exploited Vulnerabilities Catalog
  2. Learn how to use the CrowdStrike Falcon® console to further investigate and take action

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has been quite busy this year. It recently issued a “Shields Up” advisory, highlighting that “Russia’s invasion of Ukraine could impact organizations both within and beyond the region,” including the threat of malicious activity against U.S. interests and companies.

CISA selected CrowdStrike to be a founding partner of its Joint Cyber Defense Collaborative (JCDC) in order to help develop proactive and rapid responses in the face of cyber threats and intrusions. This led to the announcement of the Critical Infrastructure and Defense Program, a joint partnership between CrowdStrike, Cloudflare and Ping Identity.

Most recently, CISA today published a Cybersecurity Advisory (CSA) jointly with the UK, Canada, Australia and New Zealand, warning of Russian state-sponsored and criminal threats to critical infrastructure. This latest CSA builds on the earlier “Shields Up” advisory while demonstrating that the JCDC is working and already effective. CrowdStrike’s commitment to threat intelligence, finding adversaries in the wild, and making use of this data to enable us and our customers to defend themselves is second to none.

In some cases, this threat intelligence and industry and government collaboration can lead to identifying new vulnerabilities or increasing the priority of previously disclosed common vulnerabilities and exposures (CVEs).

Somewhat less talked about in all this progress is CISA’s Known Exploited Vulnerabilities Catalog, a list of CVEs that CISA has prioritized based on observed active exploitation in the wild. This indicates a much greater relevance and urgency in mitigating, as these CVEs could indicate a nation-state-level attack. Although CISA mandates the patching of these vulnerabilities for the federal executive branch, all organizations should consider following this guidance. This is especially true for those in the Defense Industrial Base (DIB), healthcare, water, energy and other sectors that are part of critical infrastructure. 

Thanks to Falcon Spotlight’s Expert Prediction Rating Artificial Intelligence (ExPRT.AI) feature, which we will double-click on shortly, all CVEs in CISA’s Known Exploited Vulnerabilities Catalog are prioritized and assigned a critical rating This data source is one of many that CrowdStrike taps into, including its own threat intelligence.

Enter CrowdStrike Falcon Spotlight

As CrowdStrike expands its customer base within the U.S. government, accelerated by new authorizations of its cloud services, customers have been asking how they can assess against the CISA Known Exploited Vulnerabilities Catalog. With Falcon Spotlight, CrowdStrike’s integrated threat and vulnerability management solution, we can easily assess an environment’s exposure to vulnerabilities in CISA’s catalog, both in the Falcon console as well as programmatically via APIs. 

Falcon Spotlight’s CVE data integrates the CISA Known Exploited Vulnerabilities Catalog out of the box, requiring no extra configuration or manual effort. Spotlight collects endpoint vulnerability data through the same single lightweight agent that powers CrowdStrike’s entire suite of endpoint security offerings, allowing customers to reap the benefits without any additional software deployment, overhead, reboots or scans. This scanfree solution provides visibility in near real time and also takes in data from additional data sources, prioritizing vulnerabilities via Falcon Spotlight ExPRT.AI, an advanced artificial intelligence (AI) model that produces greater accuracy and value by prioritizing what’s most important to customers.

CrowdStrike’s impressive database of threat and exploit intelligence is what makes ExPRT.AI possible. Other vendors’ solutions can apply data science to vulnerability prioritization, but they lack the data that CrowdStrike has across endpoint detection and response (EDR), vulnerability management, intelligence and threat hunting services.

This constantly adapting model uses historical and new data to predict the likelihood of vulnerability exploitation. The beauty of the ExPRT.AI model is that by using the inputs, the AI provides a probability adjustment, offering a dynamic score that changes over time, giving Falcon Spotlight customers the ability to proactively respond to vulnerabilities before they become an issue. And because ExPRT.AI is always learning, it predicts what might happen ahead of time so patching teams can proactively address their risk.

ExPRT.AI allows SecOps the ability to focus on what truly matters while deprioritizing those vulnerabilities that pose little to no risk.

Accessing the CISA Known Exploited Vulnerabilities Catalog via Falcon Spotlight APIs

CrowdStrike has two major API clients: PsFalcon, a PowerShell-based client, and Falconpy, a Python-based client.

We are happy to announce that we have leveraged Falconpy to provide a new publicly available sample on GitHub. This sample allows Falcon Spotlight customers to quickly: 1) authenticate to the CrowdStrike Security Cloud, 2) consume the current CISA Known Exploited Vulnerabilities Catalog and 3) leverage APIs to compare Falcon Spotlight data against this catalog, providing a comma separated value (CSV) list of results.

You’ll need Python to get started. The readme provides instructions on how to get started, including setting up the Python environment with the right dependencies.

After pulling the code from GitHub, you’ll need to first ensure, in the CrowdStrike API page, that the right Client ID is given the correct privileges. The APIs leveraged require Spotlight vulnerabilities read-access:

Without this, you won’t be able to grab the data you need.

Using that Client ID and Client Secret, we can quickly launch the Python code, fusing Falcon Spotlight data with that of CISA’s Known Exploited Vulnerabilities Catalog:

./python main.py –client_id <client_id> –client_secret <secret>

If you’re using CrowdStrike’s GovCloud-1 environment, which as of this writing is FedRAMP Moderate and Impact Level 4 (IL-4) authorized, add the base_url usgov1 tag:

./python main.py –client_id <client_id> –client_secret <secret> –base_url usgov1

Note that this code can take some time to execute since it’s actively assessing your environment against every CVE on the CISA list against every asset with Falcon Spotlight installed.

Upon completion, the sample Python code will generate CSV files that can help prioritize what to do next.

Figure 1. CrowdStrike Falcon Spotlight Most Urgent CSVs, sorted by when CISA requires it to be patched within the U.S. Federal Government

For example, you will see the most pressing CISA known exploited vulnerabilities in your environment based on the date CISA requires the specific CVE to be patched. These dates are a “minimum,” meaning the recommendation for any actively exploited CVE is to patch it as soon as possible.

It also produces a list of top offending assets.

Figure 2. CVEs identified by Falcon Spotlight to prioritize (based on numerous data sources) (Click to enlarge)

As shown in Figure 2, Falcon Spotlight includes all of the CVEs, the details of each CVE, the date by which CISA requires each vulnerability to be patched, the total assets impacted by that CVE, and the specific CrowdStrike Agent ID (AID) exhibiting the issues. Importing this into a spreadsheet, we can quickly adjust and reorder this data to prioritize it to our liking. This is very helpful when coordinating across teams, sharing via email and automating workflows on top of this data.

Figure 3. Falcon Spotlight data imported into a spreadsheet to prioritize patching (Click to enlarge)

In Figure 3, you’ll see that the list is in ascending order based on the total number of assets impacted by the given vulnerability. This helps identify the most offending and vulnerable assets based on their CrowdStrike AID.

Accessing the CISA Known Exploited Vulnerabilities Catalog via Spotlight User Interface (UI)

Note that the Python code above does not provide you with the applications causing the issue or exposure. This is where the Falcon Spotlight UI can come in on top to augment the workflow.

Knowing the vulnerable application is helpful if you have a Program of Record (PoR) where applications are maintained by an outside team. It also can help prioritize which applications to patch across the fleet.

For example, let’s look at one of the CVEs we have a finding for in our environment: CVE-2013-3900, classified as a critical vulnerability.

Figure 4. Falcon Spotlight dashboard (Click to enlarge)

If we click on the Falcon Spotlight ExPRT rating (top left), we can filter based on the priority of the finding, and we see there are two products causing 39 distinct vulnerabilities across our endpoints.

Why Falcon Spotlight ExPRT.AI?
Organizations relying on CVSS scoring often struggle, as severity scoring leaves IT staff with large quantities of severely ranked vulnerabilities. Falcon Spotlight’s Expert Prediction Rating Artificial Intelligence (ExPRT.AI) addresses that challenge by offering an ever-adapting AI model that rates the vulnerabilities posing the most relevant risk to an organization. Static ratings don’t offer the context needed by IT staff — and still leave staff with a large quantity of vulnerabilities that need further manual analysis to determine if they are critical to their organization. ExPRT.AI offers a rich output of data formulated through the dynamic ExPRT Rating, streamlining and simplifying the vulnerability management process.

Figure 5. Falcon Spotlight ExPRT.AI drilldown (Click to enlarge)

Clicking on the “Vendor & product” value, we can further drill in and see that CrowdStrike Falcon has near real-time visibility that this CVE is being actively exploited in the wild. Falcon Spotlight ExPRT.AI is fed data from multiple sources in addition to CISA’s Known Exploited Vulnerabilities Catalog including other vulnerability catalogs, CrowdStrike’s threat intelligence, dark web intelligence and what is being seen in the wild through incident response engagements. This essentially means anything CISA pushes to its Known Exploited Vulnerabilities Catalog will automatically trigger CrowdStrike to tag that respective CVE as “Actively used,” raising its priority, if it wasn’t already flagged via other means.

CrowdStrike Falcon data includes additional relevance and context, like the date when it was first seen being actively exploited in the wild.

We can see in this example that the reason we tag this as actively used is due to the CISA Known Exploited Vulnerabilities Catalog, which is noted as the source.

And we are presented with attributing artifacts, such as Microsoft’s Security Response Center (MSRC) link on the exploit itself. This is helpful information when reviewing the vendor’s notes on the vulnerability and their recommended mitigation, which may often involve additional steps beyond simply deploying a patch or hotfix.

There you have it.

In addition, it’s worth highlighting two other Falcon Spotlight Features: 1) real-time notifications — we recommend setting up Falcon Spotlight Scheduled Reports, alerting you any time a CVE is actively being used in your technology environment, and 2) Falcon Spotlight’s Emergency Patching feature, which provides one-click patching for Windows Updates against hosts. These two capabilities increase operational tempo and aid in the discovery of critical vulnerabilities, prioritizing them appropriately and helping resolve exposures quickly.

This blog introduced CISA’s Known Exploited Vulnerabilities Catalog and demonstrated how to compare it with Falcon Spotlight’s data for near real-time situational awareness via APIs and the Falcon UI. We were able to grab additional context on the vulnerability, see how it’s tagged as an “actively used” exploit, and grab additional data to aid our prioritization and remediation phases.

Conclusion

Between CISA’s ever-growing list of known exploited vulnerabilities and the increasing advisories from various government agencies, the alert fatigue and time spent researching the right vulnerabilities to patch can become daunting, even for the most robust team within SecOps. To successfully manage the profusion of vulnerabilities and to maintain your organization’s security posture, you need to utilize a robust vulnerability management program and couple that with the right solutions that will help you accurately identify those vulnerabilities that pose the most critical risk. Vulnerability management is a game of timing — patching vulnerabilities before an attacker can gain access to your environment’s systems could make a dramatic difference in business operations. 

Additional Resources

LemonDuck Targets Docker for Cryptomining Operations

21 April 2022 at 08:23
  • LemonDuck, a well-known cryptomining botnet, is targeting Docker to mine cryptocurrency on Linux systems. This campaign is currently active.
  • It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses.
  • It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.
  • CrowdStrike customers are protected from this threat with the Falcon Cloud Workload Protection module. 

Summary

The recent cryptocurrency boom has driven crypto prices through the roof in the last couple of years. As a result, cryptomining activities have increased significantly as attackers are looking to get immediate monetary compensation. According to the Google Threat Horizon report published Nov. 29, 2021, 86% of compromised Google Cloud instances were used to perform cryptocurrency mining.

The CrowdStrike Cloud Threat Research team detected LemonDuck targeting Docker to mine cryptocurrency on the Linux platform. This campaign is currently active. 

LemonDuck is a well-known cryptomining botnet involved in targeting Microsoft Exchange servers via ProxyLogon and the use of EternalBlue, BlueKeep, etc. to mine cryptocurrency, escalate privileges and move laterally in compromised networks. This botnet tries to monetize its efforts via various simultaneous active campaigns to mine cryptocurrency like Monero.

What Is the Exposed Docker API?

Docker is the platform for building, running and managing containerized workloads. Docker provides a number of APIs to help developers with automation, and these APIs can be made available using local Linux sockets or daemons (the default port is 2375).

Since Docker is primarily used to run container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Then an attacker can exploit this API to run a cryptocurrency miner inside an attacker-controlled container. Additionally, an attacker can escape a running container by abusing privileges and misconfigurations, but also by exploiting multiple vulnerabilities found in the container runtime like Docker, Containerd and CRI-O.

Cr8escape is an example of one such vulnerability discovered by CrowdStrike in container runtime CRI-O.

Initial Compromise via Docker

LemonDuck targets exposed Docker APIs to get initial access. It runs a malicious container on an exposed Docker API by using a custom Docker ENTRYPOINT to download a “core.png” image file that is disguised as Bash script. In Figure 1, you can see the initial malicious entrypoint.

Figure 1. Malicious entrypoint downloading disguised Bash file as an image

The file “core.png” was downloaded from a domain t.m7n0y[.]com, which is associated with LemonDuck. By further analyzing this domain, CrowdStrike found multiple campaigns being operated via the domain targeting Windows and Linux platforms simultaneously.

As shown in Figure 2, the domain has a self-signed certificate installed, generated in May 2021 with expiration in May 2022. It further indicates that this domain is currently being used.

Figure 2. LemonDuck domain certificate

The unique certificate signatures lead investigation to other domains that are actively used by this actor to potentially identify other command and control (C2) used in this campaign. As shown in Figure 3, investigation found a few domains that were using the same certificate at the moment. But we did not find a “core.png” file being distributed by other related domains at the time of this writing. As shown in Figure 4, historical data collected by CrowdStrike suggests “core.png” was distributed on multiple domains used by this actor in the past.

Figure 3. Domain sharing the same Certificate

Figure 4. Core.png like files being distributed in the past

Attackers usually run a single campaign from a single C2 server, but interestingly, on multiple C2 used by LemonDuck, there are multiple campaigns running that target Windows as well as the Linux platform. Figure 5 shows various dropper files used in multiple campaigns.

Figure 5. Dropper files used in multiple campaigns targeting Windows and Linux

Disguised Scripts to Set Up a Miner

As shown in Figure 6, the “core.png” file acts as a pivot by setting a Linux cronjob inside the container. Next, this cronjob downloads another disguised file “a.asp,” which is actually a Bash file.

Figure 6. Core.png adds cronjob to download a.asp

The “a.asp” file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.

  • Kills processes based on names. Kills the number of processes based on names of known mining pools, competing cryptomining groups, etc.
  • Kills known daemons. Daemons like crond, sshd and syslog are killed by grabbing daemon process ids.
  • Deletes known indicator of compromise (IOC) file paths. The known IOC file paths of competing cryptomining groups are deleted to disrupt any existing operation.
  • Kills known network connections. Connections that are ESTABLISHED or in progress (SYN_SENT) to known C2 of competing cryptomining groups are killed.

Disables Alibaba Cloud Defense

Alibaba Cloud’s monitoring service monitors cloud instances for malicious activities once the agent is installed on a host or container. LemonDuck’s “a.asp” file has the capability to disable aliyun service in order to evade detection by the cloud provider, as shown in Figure 7.

Figure 7. Disable Cloud monitoring service

Cryptominer Startup and Use of Proxy Pools

As a final step, LemonDuck’s “a.asp” file downloads and runs XMRig as “xr” file that mines the cryptocurrency as shown in Figure 8. Further, Figure 9 shows the version of XMRig being used in mining (version 6.14.0 released in August 2021). The config file used by XMRig indicates the use of a cryptomining proxy pool. Proxy pools help in hiding the actual crypto wallet address where the contributions are made by current mining activity. You can see the pool address in Figure 9.

Figure 8. Binary named “xr” running as a mining process

Figure 9. XMRig version in use and pool address

Lateral Movement via SSH

Rather than mass scanning the public IP ranges for exploitable attack surface, LemonDuck tries to move laterally by searching for SSH keys on filesystem. This is one of the reasons this campaign was not evident as other mining campaigns run by other groups. Once SSH keys are found, the attacker uses those to log in to the servers and run the malicious scripts as discussed earlier. Figure 10 shows the search for SSH keys on the filesystem.

Figure 10. Key search

CrowdStrike Detection

The CrowdStrike Falcon® platform protects its customers with its runtime protection and cloud machine learning models from any post-exploitation activities. As shown in Figure 11, a malicious mining process was killed by the CrowdStrike machine learning model. Figure 12 additionally shows the origin of the process and container information using CrowdStrike Threat Graph®.

Figure 11. CrowdStrike cloud-based machine learning killing a malicious container process

Figure 12. CrowdStrike Threat Graph for the malicious process

Conclusion

Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers. Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform.

As you can see in this attack, LemonDuck utilized some part of its vast C2 operation to target Linux and Docker in addition to its Windows campaigns. It utilized techniques to evade defenses not only by using disguised files and by killing monitoring daemon, but also by disabling Alibaba Cloud’s monitoring service.

At CrowdStrike, we expect such kinds of campaigns by large botnet operators to increase as cloud adoption continues to grow.

Securing containers need not be an overly complex task. Using the Falcon platform, you can easily identify security issues in your environment in real time. You can use built-in features of Kubernetes and best practices to keep your container environment safe. For enhanced security, you can use integrated container security products such as CrowdStrike Falcon Cloud Workload Protection that can protect your Kubernetes environment seamlessly.  

CrowdStrike strives to support organizations that allow their users to stay ahead of the curve and remain fully protected from adversaries and breaches.

Additional Resources

UX Writer Michelle Handelman on Giving Customers the Information They Need to Succeed

22 April 2022 at 12:37

When you get an error message on a website or app, do you wonder where it comes from? In most cases, a person writes every bit of copy in apps, websites, notifications, alerts and more. At CrowdStrike, that person may be UX Writer Michelle Handelman. 

Here we sit down with Michelle to discuss her role, what drew her to CrowdStrike and how she is making the CrowdStrike voice helpful, consistent and, most of all, human.

Michelle Handelman

Q. Tell us about your role and what drew you to CrowdStrike.

I’m a UX writer for the CrowdStrike Falcon® Identity Protection product group. I write text for products and web experiences at CrowdStrike. I collaborate with design teams, conduct research, understand best UX practices and create entire user experiences from end to end.

When I was looking for a role as a UX writer, one of the things I prioritized was being part of a team. In previous roles, I was sometimes the sole person in my role. I found that when I had a position like that, there was less room for creativity and other opportunities. 

What I really liked about the position at CrowdStrike was that there was an entire team of UX writers, all working toward the same goal. Even though we aren’t all in the same product group, we’re still collaborating and working together to define the company’s voice.

Q. Why is it important to you to be part of a bigger team?

Working on a larger team, there are more developed resources you can use. For example, we have a UX content library and a list of content guidelines that help shape what we produce. This helps ensure that we produce content that is consistent and reliable. For example, if I need to write an error message, then my first step is to find out how other members of the team who work on other products wrote those in the past. I’m able to go through either the guidelines or collaborate with my fellow UX writers.

There’s also the added benefit of peer review that comes from working on a team. Another UX writer and I meet on a regular basis. We do a peer review of our projects, which always helps improve the quality of our work. The collaboration and support from across the team make for a stronger product that you don’t necessarily get when you’re working on your own.

Q. What’s something you enjoy about your job?

I really like that our team is focused on making improvements that our customers need and want. For example, we do usability testing to better understand customer needs. As a UX writer, it’s my job to advocate for the customer. We have an incredible customer base, and our customers provide us with critical feedback that is then translated into the product. It can be anything from simplifying technical terms, creating microcopy for feature requests or adding helper text to improve the user experience. We’re always looking for better ways to provide customers with the information they need. 

Q. Tell us a little bit about how you work remotely.

First, I appreciate that the company trusts us to work remotely. In my previous jobs, there was a lot of micromanaging and checking in with remote employees. At CrowdStrike, they really understand that we are human, that we are adults. People get sick, personal things come up, you need to get to a doctor’s appointment. It’s a really flexible environment — that trust is such a good quality to find in an employer.

 I also feel like CrowdStrike respects the balance between your personal life and your work life. I think that’s really important for a lot of people, especially in Israel, because historically that hasn’t been the culture. Here, I find that people respect your time and boundaries.

Q. Why do you think CrowdStrike is a great place to work?

In Israel, CrowdStrike may not have as much name recognition as some other tech companies, so people might not be aware of how competitive the company is in terms of the total benefits and compensation package. You’re rewarded for your work.

 I also think recognition is always a factor. CrowdStrike is a place that shows appreciation for its employees, and you don’t get that everywhere.

 Do you want to work for a company that recognizes and rewards high-performers? Browse our job listings and internship program today and join our global team.

Navigating the Five Stages of Grief During a Breach

22 April 2022 at 08:30

Every security professional dreads “The Phone Call.” The one at 2 a.m. where the tired voice of a security analyst on the other end of the line shares information that is soon drowned out by your heart thumping in your ears. Your mind races. There are so many things to do, so many people to contact. You jump out of bed. For a moment, you stare into the mirror longing for yesterday — when your network hadn’t been breached.

In our world of incident response, The Phone Call happens often. It may not be at 2 a.m., if you’re lucky. And if you’re unlucky, it’s not a security analyst, but rather your favorite federal law enforcement agency on the other end of the phone.

It is an emotional time when a potential existential crisis threatens your business, your company’s reputation and your career. Like when we experience other great losses in our lives, the loss of your network can leave you with a real sense of grieving. You can expect to feel the five stages of grief in much the same way Elisabeth Kübler-Ross explains them in her famous book, “On Death and Dying.” While a breach cannot compare in severity to what we experience in our personal lives, we can learn from Kübler-Ross’s descriptions of denial, anger, bargaining, depression and acceptance to manage an extremely stressful event.  

In 2018, CrowdStrike’s Mark Goudie wrote about how he had seen these emotions in his customers throughout his career as an incident responder. Since then, the world has dealt with the explosion of ransomware, supply chain attacks creating risk for hundreds of thousands of customers, and a Java vulnerability that threatened the internet. Here we revisit Mark’s reflections on data breach grief and pair them with practical advice on how to cope. This is your guide on what to expect and how to best get through your incident from the “grief counselor” of the security industry: your incident response firm.

Denial

“There’s no way this problem is as bad as my security team says it is.”

Denial sets in at the very beginning when you’re simply trying to survive what happened, and, as Kübler-Ross writes, the world around you becomes “meaningless and overwhelming.” For some, it’s believing that the incident is a false positive or maybe mistaken legitimate activity. A good security leader drives their team to get to the ground truth. Swiftly conquering denial is critical to effectively executing your incident response plan in times of crisis. Denial wastes necessary time, delaying recovery.

Anger

“I want them arrested!” 

Now is not the time to push for action against the offender. This will come later as you’ve collected all of the information you can while investigating the breach.

Being angry at your team isn’t going to solve the issue, either. Evaluating negligence will be important after the business is secure and operating normally. But derailing vital efforts to resume business operations to chastise personnel will only cause a schism in the rest of the team working the issue and will reflect negatively upon you during the aftermath when personnel decisions will be made.

Stay focused instead. Maintain a task-oriented approach with the information available. Push individuals to identify answers. Don’t belittle them to the point of ineffectiveness or you won’t succeed in solving the problem.  

Bargaining

“What will it take for this to go away? I’ll do anything.” “If only we had done x, y, z.”

We know you want to return your network to the way it was before. No amount of negotiation is going to change the situation. But you have an amazing opportunity! Document the “if onlys.” That’s a great roadmap to what the organization needs to improve upon after an incident. One word of caution: Don’t get hung up on the “if onlys” while you’re still actively investigating and recovering from the incident. You need that energy for the response activity, and bargaining can become a distraction. Quickly document what could be done better and save it for when you have time for a full postmortem.

Depression

“We’re going out of business.” “Our reputation is ruined.” “This will never end…”

Once the full gravity of the situation settles in, a sadness can begin to overwhelm you. The many consequences of a single breach will begin to unravel before you: real impact to your customers’ lives and livelihoods, fear for your own position and guilt over what happened. Lean on your colleagues, mentors, peers and significant others to help you through the emotional trauma of your network being breached. You will get through it, and you will recover.

Acceptance

“This is never happening again.”

Don’t get acceptance confused with being okay, as this isn’t the case. This is about understanding and living with the knowledge of the situation and what it means. You’ll never forget you were breached, but by accepting it, you and your organization will be better suited to reduce the likelihood that it will happen again. This is the mindset you need in order to best accomplish the recommendations offered in the next section. 

How to Accelerate the Grieving Process

As Kübler-Ross wrote, it’s important to experience these stages of grief. By knowing about these stages and possible experiences, coping mechanisms can be developed quickly to move you and your organization through the process. Other methods, highlighted below, can give you further leverage in accelerating through the stages.

Leverage Incident Response Service Providers

You’re not the first organization to have experienced a breach. Due to this unfortunate circumstance, the cybersecurity service industry has blossomed, with seasoned technology and consulting companies that deal with similar issues that you’re currently experiencing on a daily basis. Use the inherent knowledge in those organizations to your benefit. They can show you what the finish line looks like in this marathon and the strategy to get you there.

Practice Your Breach Response

Conduct tabletop and live-fire exercises to allow your teams to experience a breach in a safe environment. An annual tabletop exercise cements your incident response plan, exposes gaps in response processes and defenses, and, most importantly, best prepares you to respond effectively and efficiently — even through the five stages of grief.

Know Your Legal and Regulatory Reporting Requirements

Many legal firms now carry a digital security practice, with teams familiar with legal and contractual obligations due to a breach. Discuss partnering with a firm before the inevitable breach occurs. You can have a law firm specializing in cybersecurity on retainer to guide you through everything from preserving privilege during an investigation to reviewing external communications. 

Carry an Insurance Policy and Review It Annually

Just like drivers have car insurance, cyber liability insurance can provide protection for your business’s digital assets and keep you focused on defensible practices. Also, understand which cybersecurity consulting companies work with your particular insurance carrier, and allow that to aid your decision on which security vendor you’d like to partner with. This will allow for a cohesive ecosystem of proactive, reactive and recovery services your organization can leverage and benefit from. 

Hire a Crisis Communication Firm

When in the fight and moving through these stages, it may seem daunting to come up with communication strategies to your customers, partners, shareholders, the media and regulatory bodies. Crisis communication firms are there to help with exactly that.

Conduct a Postmortem

The investigation should have identified all of the factors that contributed to the root cause of the breach. All of the gaps within your people, processes and technologies should be identified. Conduct a postmortem review and implement strategies to address those gaps.

After you’ve implemented those changes, make sure they are effective by putting them to the test, via Red Team or Adversary Emulation, before the next bad guy does. You can also evaluate your progress through proactive security reviews, such as Cybersecurity Maturity Assessments and Security Operations Center Assessments

Conclusion

You are likely to experience the five stages of grief when faced with a serious cybersecurity incident. How you react will directly influence your team’s success in responding to the incident. As you cycle through the stages of grief, remember how you can respond to reach recovery faster: overcome denial, avoid anger, don’t be distracted by bargaining, lean on others during depression, and finally use acceptance to establish clarity of purpose in resolving the breach.  

Additional Resources

CrowdStrike Delivers Adversary-Focused, Platform Approach to CNAPP and Cloud Security

27 April 2022 at 06:30
  • CrowdStrike Falcon® delivers comprehensive cloud security, combining agent-based and agentless protection in a single, unified platform experience
  • Integrated threat intelligence delivers a powerful, adversary-focused approach to stopping cloud breaches

Cloud-based services have revolutionized business processes and emerged as the backbone of the modern enterprise. According to analyst firm Gartner®, “more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute on their digital strategies without the use of cloud-native architectures and technologies.”

As organizations have embraced the cloud revolution, so too have today’s adversaries. As noted in the CrowdStrike 2022 Global Threat Report, organizations face malicious threats to cloud environments as cloud-based services are “increasingly abused by malicious actors in the course of computer network operations (CNO), a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments.”

Defending the cloud requires securing a rapidly growing attack surface. IT and security teams must enforce continuous monitoring and security from the development process to runtime. Legacy and siloed security tools don’t provide the granular visibility into cloud-based events that organizations need. To protect hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset. They need integrated threat intelligence to understand and stay ahead of modern adversaries. They need adaptable capabilities that enable them to adjust and meet the needs of their own IT environment.  

That’s why I’m excited to announce that CrowdStrike today unveiled new Cloud Native Application Protection Platform (CNAPP) capabilities, providing customers with comprehensive visibility, detection and remediation to secure cloud workloads with coverage from development to runtime.  The new capabilities empower customers to stop adversaries from exploiting modern enterprise cloud environments. 

These latest additions highlight the critical importance of adversary-focused protection and the powerful combination of agent-based and agentless solutions to combat cloud security threats. They also emphasize the importance of visibility for security teams: as part of today’s updates, cloud security posture management (CSPM) insights from Falcon Horizon™ will be shown alongside Falcon cloud workload protection (CWP) in a single user experience.

Bringing an Adversary-Focused Approach to Cloud Security

Understanding how adversaries are targeting cloud environments is critical to stopping breaches. Powered by our industry leading threat intelligence, CrowdStrike is bringing this adversary-focused approach to CNAPP by combining continuous monitoring of misconfigurations with the deep understanding of the tactics, techniques and procedures (TTPs) attackers employ to exploit vulnerabilities and infiltrate cloud environments. 

The need for an adversary-focused approach to security has intensified as attackers exploit gaps in a constantly expanding attack surface. Traditional boundaries around work have dissolved as organizations adopt multi-cloud environments and hybrid work models. Developers spin clouds up or down in minutes without noting potential misconfigurations; similarly, public cloud instances are made available for quick work without multifactor authentication (MFA) or other measures. Organizations struggle to protect many cloud resources that could be at risk. 

All it takes is one second for an adversary to exploit a security gap and begin a fast-moving lateral breach. Defenders must think like attackers in order to safeguard their cloud environments. 

CrowdStrike’s adversary-focused CNAPP capabilities fight modern attack techniques organizations are worried about, such as hands-on-keyboard activity, living-off-the-land binaries and runtime threats. A proactive security strategy for today’s cloud includes automation, deep visibility, runtime detection and prevention, and basic cloud hygiene — all of which are addressed in the CNAPP capabilities now added to Falcon Horizon and CWP.

Falcon Horizon CSPM now includes custom indicators of misconfigurations (IOMs) for Google Cloud Platform (GCP) — extending Falcon Horizon’s existing custom IOM functionality for AWS and Azure — to ensure cloud deployments are secure with custom policies that align with enterprise goals. A new identity access analyzer for Azure prevents identity-based threats and ensures Azure AD groups, users and apps enforce permissions based on least privilege; this extends Falcon Horizon’s existing Identity Access Analyzer functionality for AWS.  

An adversary-focused approach includes giving security and incident response teams additional context about the situation they’re facing. Another addition to Falcon Horizon is automated remediation workflow for AWS, which provides context and guidance to address issues and reduce the time needed to resolve incidents. 

As the evolution of security threats demands a comprehensive approach to cloud security, CNAPP is designed to provide a deep and accurate view of the cloud threat landscape to give security teams the information they need. 

Agentless and Agent-Based Security: Why You Need Both

The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture so that we could scale and extend our industry-leading protection across our customers’ greatest areas of risk. We built the platform to cover all workloads from the outset and because of this, can offer deep visibility at runtime for cloud workloads. CrowdStrike stands alone in an increasingly crowded market by delivering agent-based (Falcon CWP) and agentless (Falcon Horizon) solutions delivered natively from the Falcon platform. This approach gives organizations flexibility to determine how they can best secure their cloud applications across the continuous integration/continuous delivery (CI/CD) pipeline and cloud infrastructure across AWS, Azure and GCP. 

The added benefit of an agent-based CWP solution is it enables pre-runtime and runtime protection, compared to the agentless-only solutions that only offer partial visibility and lack remediation capabilities. An approach that combines agentless scanning with agent-driven protection can ensure security and DevOps teams are able to deploy the type of protection needed regardless of their environment. 

New capabilities for Falcon CWP are designed to protect the ever-changing modern cloud as workloads evolve into various types such as containers, serverless, containers-as-a-service and more. Falcon CWP now has container detection to automatically defend against malware and advanced threats targeting containers with machine learning, artificial intelligence, indicators of attack, deep kernel visibility, custom indicators of compromise and behavioral blocking. 

Another new addition is rogue container detection, which maintains an up-to-date inventory as containers are deployed and commissioned. Falcon CWP can scan rogue images, and identify and stop containers launched as privileged or writable — which can be used as entry points for an attack. Drift container protection, a third new capability in Falcon CWP, can discover new binaries created or modified at runtime to protect the immutability of the container. These newly added capabilities ensure the security of containers by stopping software that doesn’t belong. 

A new cloud activity dashboard brings together CSPM insights from Falcon Horizon and workload protection from Falcon CWP into a single user experience that will prioritize critical issues, address runtime threats and enable cloud hunting to enable faster investigation and response time. 

As organizations accelerate their move to the cloud, many will find their traditional security tools aren’t enough to keep pace with the changing nature of cloud environments — or the attackers targeting them. The new capabilities CrowdStrike is announcing this week provide the visibility, automation and cloud hygiene necessary to defend against today’s adversaries.

Additional Resources 

Falcon Fusion Accelerates Orchestrated and Automated Response Time

28 April 2022 at 08:12
  • CrowdStrike Falcon Fusion automates and accelerates incident response by orchestrating sandbox detonations to automatically analyze related malware samples and enrich the results with industry-leading threat insights
  • Falcon Fusion enables analysts to build real-time active response and notification capabilities with customized triggers based on detection and incident disposition 
  • The CrowdStrike Falcon® platform leverages critical context, visibility and response capabilities when defending against persistent adversaries with unified endpoint, workload and identity protection

In the recent MITRE Engenuity ATT&CK Enterprise Evaluation — which emulated today’s two most sophisticated Russian-based adversaries, WIZARD SPIDER and VOODOO BEAR (Sandworm Team) — CrowdStrike Falcon achieved 100% automated prevention across all of the evaluation steps. This not only demonstrates the power of the Falcon platform to stop breaches, but also provides a clear demonstration of the dynamic nature of Falcon Fusion, delivering the automated workflows customers require to stop today’s most sophisticated threats.

Natively integrated into the Falcon platform, Falcon Fusion is a unified and extensible security orchestration, automation and response (SOAR) framework. In the MITRE Engenuity ATT&CK Enterprise Evaluation, Falcon Fusion enabled multiple autonomous workflows — including using indicators of attack (IOAs) as triggers for additional malware analysis or updating the identity watchlist based on compromised credentials — to essentially stop the attackers cold. 

Falcon Fusion is able to leverage the power of Falcon Identity Protection, Falcon X™ threat intelligence with comprehensive IOAs, and machine learning (ML) to enable security operations center (SOC) teams to make faster and better decisions with the right insights and tools by reducing time to hunt through data and autonomously responding to sophisticated threats. 

Using Falcon Fusion Against Credential-based Attacks 

In the Initial Access step during the VOODOO BEAR emulation scenario (step 11.A.1), stolen access credentials were used to initiate the attack. Using Falcon Fusion workflows, the stolen credentials were added to an identity watchlist along with the device, blocking the use of that credential for the attacker to leverage again. In a real-world configuration, Falcon Fusion could have been used to trigger a multifactor authentication (MFA) challenge if those credentials were used in any subsequent attacks.

Falcon Fusion, in conjunction with Falcon Identity Protection capabilities, was able to automatically alert on the use of compromised credentials for the monitored accounts and auto-classify the accounts as a valuable target, enabling additional security controls based on risk levels and behaviors during an ongoing attack.

Figure 1. A Falcon Fusion workflow adding a user with noted stolen credentials, based on detection using lateral movement tactics, to the Falcon Identity Protection watchlist, which in turn can enforce MFA action based on repeated usage

Throughout Round 4 of the MITRE Engenuity ATT&CK Enterprise Evaluation, Falcon Fusion increased the time-to-value in driving automated workflows based on custom IOA detections. In real-world scenarios, Falcon Fusion dramatically reduces alert fatigue and frees up resources so analysts can focus on other critical and strategic tasks. This integrated approach provides analysts with a powerful cloud-delivered platform to defend against future attacks, as demonstrated throughout the evaluation.

Using Falcon Fusion for Custom IOA Monitoring and Falcon X Malware Analysis

The WIZARD SPIDER Initial Compromise emulation scenario (substep 1.A.2) showcased a potential workflow that involved immediately sending files to the CrowdStrike Falcon X malware sandbox for detonation if dropped via remote desktop sessions. In real-world scenarios, the Falcon platform sends all suspicious files to the Falcon X automated sandbox, driven by CrowdStrike Falcon Prevent™ next-generation antivirus security policies. For custom IOAs based on different file types (e.g., documents, PE .exe files, PE DLL files, or scripts), Falcon Fusion helps drive the Falcon X sandbox detonation automatically using the IOAs as trigger, ensuring further analysis occurs as part of a layered defense approach without any manual intervention.

Figure 2. A Falcon Fusion workflow retrieving an auto-submit file, which triggers the submission of behavioral detections to the Falcon X sandbox for further analysis

Detonating binaries in the Falcon X sandbox uncovers the behavior of suspicious files and extracts more information than is possible on the endpoint. This provides analysts with optimized threat intelligence and context allowing them to identify indicators of compromise (IOCs) and hunt for secondary payloads, making it difficult for adversaries to bypass detections by changing the initial dropper component. 

Scenario: Falcon Fusion workflows for Custom IOA monitors allow indicators to be generated to the cloud without generating detections that will show up in the Falcon detections UI. 

  • Custom IOA monitors can be created for Domain name, Network connection, File creation, Process execution or all four items and used as a trigger. In this example, File creation — when a file writes a process to disk — was chosen as the workflow trigger.
  • For the first action, the following can be chosen under the Intelligence category: Check for sample, Get sandbox quota, Submit SHA256 to sandbox or Submit URL to sandbox. In this example, Check for sample was chosen to check — using the condition “sample exists = false” — that a sample hasn’t already been uploaded from an endpoint to the cloud.
  • A Falcon Real Time Response (RTR) script can be used to get the target file name that was written to disk. Custom RTR scripts can be used with Falcon Fusion to directly access distributed systems and run a variety of commands to investigate, conduct forensic analysis or completely remediate remote systems.
  • The “Submit file to sandbox” sequential action was chosen, with Windows 7 64-bit selected as the setting needed for sandbox analysis and Tor enabled. Post-detonation, the link to the sandbox report will become available for additional investigation and new workflow creation from the Falcon dashboard. 
  • Post-remediation actions — such as running checks on the system to ensure it is clean; issuing automated notifications via collaboration channels like email, Slack or Microsoft Teams; and updating ticket status on IT management systems like ServiceNow or Jira  — can be performed to ensure full-cycle incident response.

Falcon Fusion demo

Modernize Your SOC and IT Operations 

Falcon Fusion’s native integration with the Falcon platform makes it unique among SOAR frameworks. Running in a software-as-a-service (SaaS) environment and requiring no custom integrations to be developed and available at no additional cost, Falcon Fusion delivers high performance and immediate time-to-value.  

The native integration of Falcon Fusion within the Falcon platform allows you to collect contextually enriched data and automate security operations, threat intelligence and incident response to mitigate cyber threats and vulnerabilities — all through the same console. In addition to its power, Falcon Fusion’s automation is easy to use and can simplify complex security workflows, optimizing SOC performance. 

Start your free Falcon platform trial now and realize the benefits of the Falcon Fusion SOAR framework. Access Falcon Fusion from your Falcon console to see how you can simplify your SOC and IT workstreams, while achieving speed and precision against sophisticated adversaries.  

Additional Resources

CVE-2022-23648: Kubernetes Container Escape Using Containerd CRI Plugin and Mitigation

3 May 2022 at 08:37

CVE-2022-23648, reported by Google’s Project Zero in November 2021, is a Kubernetes runtime vulnerability found in Containerd, a popular Kubernetes runtime. It lies in Containerd’s CRI plugin that handles OCI image specs containing “Volumes.” The attacker can add Volume containing path traversal to the image and use it to copy arbitrary files from the host to container mounted path.

The vulnerability was reported by Felix Wilhelm on Nov. 22, 2021, and a patch was released with 1.6.1, 1.5.1 and 1.4.13 versions of Containerd on March 2, 2022.

Technical Analysis

Let’s take a closer look at how the vulnerability resides in an unexpected layer of the container ecosystem and can result in container escape in your Kubernetes cluster.

Understanding OCI Image Specifications

There are two specifications for a container image defined by Open Container Initiative (OCI). These standards were first made available by Docker and then developed by the community.

  1. Image specifications (image-spec). This specification defines how a container image should be packed and various components of the image, primarily image manifest, index and layout. This is where the image file system blob resides.
  2. Runtime specifications (runtime-spec). This is the configuration required to run the image as a container.

When a runtime like Containerd needs to start a container with an image, it converts the given image configuration blob to a runtime configuration blob. Here Containerd’s CRI plugin fails to validate paths in the Config.Volumes field before being used in the runtime field mounts. Containerd further copies the data to those mount paths. It is possible to look at the Config.Volume field from the OCI configuration blob with tools like buildah, as shown below in Figure 1 in addition to build steps for the image.

Figure 1. Build vulnerable image

Containerd’s Handling of Volume

The vulnerability resides in the following Containerd code, as shown below in Figure 2, where an attacker-controlled volume path is used as a source in the copyExistingContents function. This function copies the files from the attacker-controlled volume path to a temporary folder that is later mounted inside a container. At this point, an attacker just needs to use path traversal to trick the copyExistingContents function into copying arbitrary files from the host filesystem.

The following is the simple attacker pod that uses our proof-of-concept image shown in Figure 1. Once this pod is created on the cluster, you can see the files from the host are copied to the container filesystem on a mounted path, as shown in Figures 3 and 4. 

In this attack, without the use of actual Kubernetes volumes, an attacker with pod creation privileges on the cluster is able to read arbitrary files from the Kubernetes node, resulting in a container escape.

Figure 3. Attacker pod

Figure 4. Host files copied to the container filesystem

Mitigation

CrowdStrike recommends upgrading to the latest version of Containerd to mitigate this issue. A patch was released with 1.6.1, 1.5.1 and 1.4.13 versions of Containerd.

In case patching is not possible, the CrowdStrike Falcon® platform’s image scanning protects customers from this vulnerability by identifying the image blob configuration with path traversal in a Volume path, as shown in Figure 5. Customers can also stop malicious images from being deployed to the cluster.

CrowdStrike Falcon Horizon™ cloud security posture management (CSPM) implements CIS benchmarks to identify any indicators of misconfiguration (IOMs) in your clusters and uncover a weakness in cloud environment. At the same time, CrowdStrike Falcon Cloud Workload Protection (CWP) prevents and detects malicious activity — including by eCrime and nation-state adversaries — in real time.

Figure 5. CrowdStrike Falcon detecting path traversal in image blob Volume configuration

Conclusion

Kubernetes is composed of a number of software layers, and any misconfiguration or security issue at any layer can be used by an attacker to gain necessary privileges and take over the cluster. As discussed, CVE-2022-23648 is one more example of the ongoing weakness in container runtime being used for Kubernetes container escape. DevOps practitioners need to be on top of such issues and keep the environment up-to-date when patches are available.

Securing containers need not be an overly complex task. Using the Falcon platform, you can easily identify security issues in your environment in real time. You can use built-in Kubernetes features and implement best practices to keep your container environment safe. For enhanced security, you can use integrated container security products, such as CrowdStrike Falcon Cloud Workload Protection, that can protect your Kubernetes environment seamlessly.  

CrowdStrike strives to support organizations that allow their users to stay ahead of the curve and remain fully protected from adversaries and breaches.

Additional Resources

VP of Humio Marketing Cinthia Portugal on the Role of Marketing in Achieving the CrowdStrike Mission

3 May 2022 at 19:57

At CrowdStrike, we often say that every team and every person plays a role in helping our company achieve our mission to stop breaches. VP of Humio Marketing Cinthia Portugal is no exception. In this latest installment in our 5 Questions series, Cinthia sits down to talk about her leadership role and how her team helps CrowdStrike live the mission.

Cinthia Portugal

Q. Tell us about your role as VP of Humio Marketing and how you came to CrowdStrike.

About a year ago, CrowdStrike acquired Humio, an advanced, purpose-built log management platform. I joined CrowdStrike as VP of Humio Marketing, and I work with a team of professionals to bring Humio technologies to the market and establish a Tier 1 brand in the industry. 

Humio enables companies to have complete observability of their distributed systems. What makes Humio different is that customers have total access to all of their data in real time. We have a unique and compelling competitive advantage in the log management market. Our technology lets companies retain and search all of their data without breaking the bank. It’s our job in marketing to tell that story and highlight how Humio contributes to the CrowdStrike platform.  

Q. Tell us more about what it’s like to be part of the Humio Marketing Team.

As a team, we’re constantly creating new approaches to reach and engage our audiences. Every day is different, as we’re always trying to address customer challenges, which is what I find exciting. We collaborate with different business functions to determine how marketing efforts can drive business and company goals, whether that’s related to launching a new product, driving sales leads, displacing competitors, attracting talent or finding opportunities to drive growth at speed for the business and the company.

We continuously evaluate our performance to determine how we need to evolve our tactics and campaigns to ensure we’re delivering results or tracking toward providing those results. That means we spend a lot of time reviewing data and metrics to determine how we can improve.

It’s a really rewarding job, and I love what I do. In fact, I enjoy it so much that my twin boys don’t think I work. I work remotely, and they hear me laughing and talking and see it as me having a good time — and that’s true, I am!

Q. What do you enjoy about working at CrowdStrike?

One thing I’ve been impressed with and pleasantly surprised by is the leadership team’s level of engagement with the marketing group. It’s not often the case that the leadership team takes such a deep interest in a company’s marketing success. The level of involvement and investment is impressive, and it’s very powerful for the success of the company.  

Also, as a Latina in technology, I value the way CrowdStrike embraces diversity. CrowdStrike doesn’t just talk about being diverse or inclusive — it amplifies diverse voices, which makes us stronger as an organization. The CrowdStrike culture supports my long-term goals to achieve success in this arena. 

Q. What do you look for in a new hire?

Trust above all. I hire for excellent judgment and lead from a place of trust. With trust comes transparency. For candidates and talent, I believe it’s extremely powerful and enabling to know that management will trust you, your ideas and your capabilities — trust you to deliver projects on time and trust your judgment. That’s a critical part of CrowdStrike’s culture and my philosophy. And teams need to trust each other and their leaders as well. 

If someone on my team comes to me with a project idea, I will let them run with it and support them. If it fails, I’m going to back them up 100% because I have that trust, and we will all learn from the experience. It’s okay to experiment because if we don’t take risks, we’re not going to grow.

Q. What do you enjoy doing outside of work?

I often joke that my hobby is chasing my twin boys in opposite directions.

Other than that, I like to kayak and explore the waterways around Seattle and the Puget Sound. We spend a lot of time on Whidbey Island, just north of Seattle, and I really enjoy being on the water and exploring the parks and open spaces.  

Are you interested in joining Cinthia’s team of trusted leaders? Browse our job listings and internship program positions today.

Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack

4 May 2022 at 05:45
  • Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets. 
  • Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service (DoS) attack.
  • Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). 
  • The two images have been downloaded over 150,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. 
  • CrowdStrike customers are protected from this threat with the CrowdStrike Falcon Cloud Workload Protection module.

Between February 27 and March 1, 2022, Docker Engine honeypots were observed to have been compromised in order to execute two different Docker images targeting Russian and Belarusian websites in a denial-of-service (DoS) attack. Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). The UIA previously called its members to perform distributed denial-of-service (DDoS) attacks against Russian targets. There may be risk of retaliatory activity by threat actors supporting the Russian Federation, against organizations being leveraged to unwittingly conduct disruptive attacks against government, military and civilian websites.

Initial Compromise via Exposed Docker Engine

The honeypot was compromised via an exposed Docker Engine API, a technique that is commonly used by opportunistic campaigns such as LemonDuck or WatchDog to infect misconfigured container engines.

Technical Analysis

The first Docker image that was observed — called abagayev/stop-russia— is hosted on Docker Hub. This image has been downloaded over 100,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. The Docker image contains a Go-based HTTP benchmarking tool named bombardier with SHA256 hash

6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453

that uses HTTP-based requests to stress-test a website. In this case, this tool was abused as a DoS tool that starts automatically when a new container based on the Docker image is created. Upon starting, the target-selection routine picks a random entry from a hard-coded target list. Later versions of this Docker image alternatively pick one of the first 24 entries of the target list, based on the current hour.

Figure 1. Excerpt of targeted websites

The deployed image was updated once on March 1, 2022. The most significant difference between the two versions of this image is that the target list was expanded. The target list contains Russian websites from the following sectors: government, military, media, finance, energy, retail, mining, manufacturing, chemicals, production, technology, advertisements, agriculture, transportation and political parties. Also on March 1, 2022, Belarusian websites from the media, retail, government and military sectors were added to the target list. CrowdStrike Intelligence assesses the activity deploying this Docker image as very likely automated based on closely overlapping timelines in the interaction with the Docker API. This assessment is made with moderate confidence, based on three separate incidents showing analogous timelines.

The second Docker image is named erikmnkl/stoppropaganda. This image has been downloaded over 50,000 times from Docker Hub. Again, the portion of these downloads that originated from compromised machines is unknown. The image contains a custom Go-based DoS program named stoppropaganda that has the following SHA256 hash

3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f

that sends HTTP GET requests to a list of target websites that overloads them with requests. The attack focused on Russian and Belarusian websites in the same sectors: government, military, energy, mining, retail, media and finance. Furthermore, three Lithuanian media websites fell victim to the attack.

Figure 2. Excerpt of targeted websites

CrowdStrike Detection

The CrowdStrike Falcon® platform protects its customers with its runtime protection and cloud machine learning models from any post-exploitation activities. As can be seen in Figure 3, the malicious DoS process from the erikmnkl/stoppropaganda image gets terminated by Falcon’s cloud-based machine learning model, when running the Docker container on a host with the Falcon Sensor for Linux installed.

Figure 3. CrowdStrike’s cloud-based machine learning model kills the malicious process (Click to enlarge)

Assessment

Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites.

CrowdStrike Intelligence Confidence Descriptions

High Confidence – Judgments are based on high-quality information from multiple sources.  High confidence in the quality and quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate. 

Moderate Confidence – Judgments are based on information that is credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated. 

Low Confidence – Judgments are made where the credibility of the source is uncertain, the information is too fragmented or poorly corroborated enough to make solid analytic inferences, or the reliability of the source is untested. Further information is needed for corroboration of the information or to fill known intelligence gaps.

Indicators of Compromise (IOCs)

Image Name Image Digest
abagayev/stop-russia af39263fe21815e776842c220e010433f48647f850288b5fe749db3d7783bcb0
abagayev/stop-russia f190731012d3766c05ef8153309602dea29c93be596dcde506e3047e9ded5eae
erikmnkl/stoppropaganda aacbb56f72616bbb82720cb897b6a07168a3a021dd524782ee759bbec3439fda
Filename SHA256 Hash
bombardier 6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453
stoppropaganda 3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f

Snort

The following Snort rule can be used to detect HTTP requests sent by erikmnkl/stoppropaganda:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "Detects DoS HTTP request sent by erikmnkl/stoppropaganda tool"; flow:to_server, established; content:"Mozilla/5.0 (Windows NT 10.0|3B| Win64|3B| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"; http_header; content:"GET"; http_method; classtype:trojan-activity; metadata:service http; sid:8001951; rev:20220420;)

Additional Resources

How Falcon OverWatch Spots Destructive Threats in MITRE Adversary Emulation

5 May 2022 at 06:45

In the recent ​​MITRE Engenuity ATT&CK Enterprise Evaluation, CrowdStrike demonstrated the power of its unified platform approach to stopping breaches. Facing attack emulations from the highly sophisticated WIZARD SPIDER and VOODOO BEAR (Sandworm Team) adversaries, the CrowdStrike Falcon® platform:

The results show that CrowdStrike stands alone in providing a unified approach to stopping adversaries from progressing attacks. But, as adversaries continue to advance their tradecraft, human skill and expertise are critical force multipliers for stopping hands-on-keyboard activity. According to the CrowdStrike 2022 Global Threat Report, 62% of cyberattacks now involve non-malware, hands-on-keyboard activity.  

The CrowdStrike Falcon OverWatch™ managed threat hunting service operates 24/7 with the primary mission of pinpointing malicious activities at the earliest possible stage to provide customers with timely, accurate and relevant notifications and context to inform a swift and decisive response. The speed with which OverWatch can deliver rich insights into a threat actor’s movements and tactics, techniques and procedures (TTPs) buys victim organizations valuable time in responding to an intrusion.

While OverWatch was not a formal part of this year’s MITRE Engenuity ATT&CK validation testing, the OverWatch team actively tracked this emulation from the sidelines to demonstrate how it would defend against similar intrusions in the real world.

In this writeup, we review some of the context and insights that our expert team of human threat hunters would have delivered had the MITRE evaluation’s simulated adversary attacks occurred in a real-world environment.

OverWatch vs. WIZARD SPIDER: Patented Tooling Enables Rapid Detection and Correlation of Malicious Behaviors

Within minutes of the malicious activity beginning, OverWatch rapidly built out the scope of the intrusion and was ready to alert on the actor’s activities. The actor began by delivering an implant via phishing, and then moved laterally to two hosts. OverWatch was able to identify the overlapping bursts of suspicious activity to successfully confirm lateral movement and the expanded scope of the intrusion.

OverWatch can identify overlapping malicious behaviors in near real time thanks to its high-fidelity patented tooling, which supports cardinality-based visualization of likely linked events and employs artificial intelligence to more accurately predict whether a single event is malicious or not.

OverWatch’s Patented Tooling

OverWatch’s patented hunting tool for cardinality-based activity pattern detection looks for related bursts of potentially malicious activity patterns and then surfaces these for further human analysis. To support rapid analysis by threat hunters, the tool presents data visually, grouping together activity patterns with a graphical representation of the fidelity value to illustrate the degree to which each of the activity patterns indicates possible malicious activity.

Some events are so common within enterprise environments that including them in the bursts would create more noise than insight. But these same events can also be key to identifying a potential intrusion. OverWatch’s patented hunting tool for security-violation detection was built to use artificial intelligence to predict whether an event is malicious on the basis of the ancestry of the command line. This tool classifies hunting leads before they go to hunters, helping to funnel only the relevant data for human analysis.

OverWatch vs. WIZARD SPIDER: The Human Element Delivers Critical Context

Crucially, the outputs of OverWatch’s tooling are augmented by human analysis. This provides two clear benefits for victim organizations: identifying stealthy and novel behaviors, and deep and timely context-rich notifications. 

Threat hunters often go head-to-head with adversaries  that are agile and creative in navigating automated defenses. The expert OverWatch team hunts relentlessly to identify, detect and disrupt sophisticated adversary tradecraft. The second benefit comes from the timely and context-rich notifications delivered by OverWatch’s highly skilled hunters, who quickly and accurately reconstruct intrusion activity to provide victim organizations with a comprehensive picture of an adversary’s movements that can inform a decisive response. 

In intrusions that follow known patterns of adversary behavior, such as the MITRE WIZARD SPIDER emulation, OverWatch’s ability to quickly contextualize this information delivers real value. The following details illustrate how OverWatch hunters can tie together disparate events into a clear narrative to inform action. The activity notices included below represent the types of notifications a victim organization could expect to receive during an interactive intrusion.

(Click to enlarge)

(Click to enlarge)

(Click to enlarge)

(Click to enlarge)

(Click to enlarge)

OverWatch Returns Time to Your Side

When OverWatch investigates an intrusion in your environment, your security team gets more than an alert. OverWatch combines the power of patented tooling with deep expertise to compile comprehensive context about a threat actor’s movements and motivations. As a result, an OverWatch notification is not just an alert — it is a detailed blueprint of the intrusion lifecycle that provides a solid foundation for building a response.  

In the MITRE WIZARD SPIDER test scenario, a context-rich OverWatch analysis and notification would have been received within minutes of the initial activity. With the Falcon platform actively preventing the actor’s attempts to advance, the OverWatch notification would have provided the critical information needed to evict the actor from the environment before they could do damage. 

Every minute an actor is in your environment is a minute too long. In order to prevent an actor from burrowing deep into your environment, it is paramount that a response is swift and decisive. OverWatch notifications provide the detail and context that makes this possible. As an added layer of defense, customers can use the natively integrated Falcon Fusion capability to orchestrate and automate complex workflows. This provides the ability to trigger host containment in near real time in response to OverWatch’s high-fidelity notifications. Customers can also use Falcon Fusion to set up and configure notifications via plugin applications to customize how they receive OverWatch notifications to enable timely response. 

The deep expertise of threat hunters, alongside our patented workflows and tooling, enable OverWatch to deliver rich context to your security team quickly — when minutes matter.

Additional Resources

How Senior Manager for Learning and Talent Lowell Doringo Helps CrowdStrikers Excel

5 May 2022 at 11:22

CrowdStrike employees may be at the very forefront of their respective fields, but it takes a culture of constant learning and development to maintain their edge. Here to talk about how he helps develop programs to build and enhance skills of all types is CrowdStrike Senior Manager for Learning and Talent Lowell Doringo.

Lowell Doringo

Q. Tell us about your role and what drew you to CrowdStrike.

I am a Senior Manager for Learning and Talent. My primary role is to lead and deliver learning and development (L&D) opportunities for all CrowdStrikers and make sure they have the knowledge and skills they need to do their jobs. That can be any number of things: leadership training, developing technical skills, team building exercises, remote work strategies, and standard workplace training like compliance, and health and safety. 

While my background has been in entertainment and hospitality, my passion has always been in the learning and development space. I was drawn to CrowdStrike because I could see that the company post-IPO was really investing in employee development as it was growing. It’s an exciting opportunity as an L&D industry professional to join a company making that kind of commitment and be on the team that builds out the practice from scratch. It’s especially exciting in a place like CrowdStrike, where the pace is fast, the technology is changing and the mission matters.  

Q. Tell me about your typical day.

I usually begin and end most days by teaching a class on Zoom. I lead our Falcon Forward: Managing CrowdStrikers program, which is a three-month program designed to train and develop people managers up to the director level to gain key leadership and management skills, specifically around CrowdStrike managerial processes.

When I’m not teaching, I take part in a lot of meetings. Some of them are creative, where we brainstorm future courses and content. Others are very strategic, where we’re thinking about issues like how to incorporate our company’s core values into L&D programs.   

Finally, a lot of my day is spent heads down building and designing courses. That means writing out scripts, creating PowerPoint presentations, putting together e-learnings, literally anything that goes into creating learning at CrowdStrike. Our team is relatively small, which means we do it all. While the pace and scope can sometimes be challenging, it’s also fun because you have creative license for how to build and operate your programs. 

Q. What do you like most about your job?

The most rewarding part of my job is when a CrowdStriker sends me a message telling me that they were able to apply something they learned in class in their day-to-day life — or, even better, that they’re not just using the skills in their role but teaching other people how to do it. It’s the transfer of knowledge that keeps me motivated. There’s no greater satisfaction than seeing the impact of your work. That tells me I did my job. 

Another thing that I love about working at CrowdStrike is that we continuously iterate and improve our programs. We want to make sure that from a data perspective, we’re hitting our goals and using participant feedback to raise the bar. That’s a really important quality because the world is changing rapidly. 

For example, when in-person gatherings were limited over the past two years, you couldn’t just bump into somebody in the break room and strike up a conversation. So we found ways to use L&D offerings as a catalyst for building connections through classes, breakouts, Slack channels — all kinds of places since in-person learning and interaction were limited. We really had to rethink our programs so that they not only worked in a remote environment but they also fulfilled that need for personal connection.

Q. As a Learning and Talent professional, what is something you’ve learned and implemented for yourself since joining CrowdStrike? 

CrowdStrike is a remote-first company, and this is my first time working in such an environment. I’m the first to admit I had some difficulty adjusting. I’m used to being around people — I get energy from being with others. Being alone in a room all day was definitely an adjustment for me. Working at CrowdStrike, I’ve developed ways to adjust to this new way of thinking and manage those issues and find new sources of connection. I’ve also learned to create boundaries for myself so that I can be productive and present, but also know when to sign off and make sure I take time for myself. 

Q. How would you describe the culture at CrowdStrike?

Fast. Things here are fast! I’ve never worked in an environment that moves as quickly as CrowdStrike. That can present opportunities as well as challenges. It’s a blessing because when you have ideas, one of the best things that can happen is to see it quickly come to fruition. The amount of projects that I’ve helped launch in just the past year outnumbers what I’ve done in other companies over the course of many years. At CrowdStrike, it’s incredible to see the speed with which we make action happen, which in turn accelerates our reach and impact. That’s a great feeling! 

Are you interested in learning and growing with CrowdStrike? Browse our job listings to review open positions at CrowdStrike today.

Start Logging Everything: Humio Community Edition Series

5 May 2022 at 11:48

This blog was originally published January 24, 2022 on humio.com. Humio is a CrowdStrike Company.

In this blog, we’ll show you, step by step, how to download stock data and then upload it to Humio. You can then search that data and build a dashboard for fast insights. Subsequent blog posts will expand on this dashboard and show you how to move from analyzing historical data to live data. To get started, you’ll need to access Humio Community Edition, which is available at no cost.

Step 1: Download stock price data

After you’ve created an account for Humio Community Edition, you’ll need a dataset to analyze. While the possibilities are endless, for this blog post, we’ll use the Python script below to download stock prices for the past week.

Copy the script below and save it where you can execute a Python script.

#!/usr/bin/Python3

from datetime import datetime
import yfinance as yf
import json
import sys

# Take ticker symbols from the command line arguments
tickers = sys.argv[1:]
stockData = []

for ticker in tickers:

data = yf.download(tickers=ticker,period="7d", interval = "1m", progress=False)
data.index = data.index.astype(str) #convert from DateTime to string
jdata = data.to_dict(orient='index')

for item in jdata:

#add ticker and timestamp to flatten data

jdata[item].update( {"ticker":ticker} )
jdata[item].update( {"MyTimestamp":item} )
stockData.append(jdata[item])

for item in stockData:

print(json.dumps(item))

If this is your first time working with the yfinance Python module, you’ll need to install it.

$ pip3 install yfinance

You can execute this script like this:

$ stocks.py CRWD > crwd.json

Essentially, this command takes stock ticker symbols as command line arguments and prints the price data for the past week JSON format. The command above gets the price data for CrowdStrike, and then saves it to a file called ‘crwd.json.’

Check the data from the command line to verify it worked:

$ tail crwd.json 

{"Open": 268.989990234375, "High": 269.17999267578125, "Low": 268.9599914550781, "Close": 269.1700134277344, "Adj Close": 269.1700134277344, "Volume": 81464, "ticker": "CRWD", "timestamp": "2021-11-01 15:59:00-04:00"}

{"Open": 269.1700134277344, "High": 269.1700134277344, "Low": 269.1700134277344, "Close": 269.1700134277344, "Adj Close": 269.1700134277344, "Volume": 0, "ticker": "CRWD", "timestamp": "2021-11-01 16:00:00-04:00"}

Since you’re running this at a different time, it won’t have the same values, but it should have the same data structure.

Now, to accommodate this data, we’re going to quickly assemble a parser.

Step 2: Parse the data

Humio does not require data to be parsed, and it can easily allow you to store and search unstructured data. But for the sake of the exercise, we want to be able to graph this data, so it’s best to start by parsing the various fields. Because the data is in JSON format, this should be fairly straightforward.

While in Humio Community Edition, click into your repository (you named this when you signed up) and then click Parsers at the very top menu and then the + New Parser button. Name this new one “stocks” and then click Create Parser.

For this parser, we’re copying the default JSON parser with minor modifications:

parseJson() | findTimestamp(field=MyTimestamp, timezone="America/New_York")

This tells the parser to read the field labels from JSON and where to find the timestamp.

Step 3: Create an ingest token

The next step is to prepare Humio to accept this data. We need to create an ingest token and assign it to the Parser we just created.

From the top menu, select Settings. Then, from the left-side menu, click Ingest Tokens. Click the + Add Token button. Set the Token Name to “StocksJSON” and then from the Assigned Parser drop-down, select the “stocks” parser you just created.

From the Ingest Tokens page, click the eye icon next to your newly created token to reveal the token key. Click the copy button.

Step 4: Send the data to Humio

Now that we have our ingest token, we can ship our stock data to Humio.

From the command line, run the following curl command, but paste in your ingest token from above.

curl https://cloud.community.humio.com/api/v1/ingest/hec/raw -X POST -H "Authorization: Bearer TOKEN" -T "crwd.json"

Step 5: Verify the data

You can quickly see if any data has arrived from your Settings page by selecting Data Sources from the left-side menu. It should look just like this.

We can see the data has been collected here. But let’s explore it directly and start working with it.

Step 6: Explore the data

From the top menu, select Search. You should see data from today, but click the time picker on the top and select “Last 7 days.”

(Click to enlarge)

Now, we can plainly see our data in the main pane but also the various fields that have been parsed on the left side panel. Let’s start by finding the week’s high. From that left side panel, select ticker. From the field pop-up box, you’ll see the CRWD row. From there, click the `=` button. The search bar at the top will now read:

ticker = CRWD

Since we only have one stock, this doesn’t change our returned dataset in any way. But assuming you may add additional ticker datasets, we’ll include it now. Similarly, if you are working with separate datasets, you may want to include Type, which will have the name of the parser used. You can select it from the menu just like we did with ticker or manually edit the Search to read as shown below. You can type the following query as one line, but for legibility, I’ve used two. You can use shift-enter while typing in the Search bar to move to the next line (and then press enter to execute it).

ticker = CRWD

| #type = stocks

If this is your first dataset imported, nothing will have changed with these search filters, but if you add additional data sources later, it will ensure you’re still focused on this one.

Step 7: High/low queries

Now, let’s start calculating some interesting stats from our data. To find the week’s high, run the following search:

ticker = CRWD

| #type = stocks

| max(High)

To stylize this result, use the drop-down in the upper left corner to select Gauge.

Now that we have a data point of interest, let’s save it to a dashboard. On the right side of your screen, find and click the Save as… button. Select Dashboard Widget.

Fill out the dialogue box to add this to the “Stock” dashboard you created previously, then add a Widget Title and click Save.

This will bring you to your new dashboard.

For the sake of symmetry, let’s round out this dashboard with the week’s low as well. Return to the Search page and enter this query.

ticker = CRWD

| #type = stocks

| min(Low)

Once again click Save as… and then Dashboard Widget and name this appropriately. It should default to selecting the Dashboard you already created.

Your dashboard should now look like this:

Step 8: Graph the stock price

Now let’s graph this stock’s price over the week. To do this, we will use the timeChart function, which allows us to bucket up the data we’re analyzing and apply a function to it. For simplicity’s sake, we will use one day as the bucket span. Since we’re interested in the close price at the end of the data, the function we’ll use is SelectLast to choose the latest value in that bucket. Enter the following query and ensure that you change the time picker to the Last (7d) seven days.

#type=stocks |ticker="CRWD"

| timeChart(series=ticker, function=SelectLast(Close), span=15m)

Our graph looks like this:

If you mouse over any data point you can view the data for that day.

Save this widget to your new dashboard!

We named this widget “Price Chart.” In this case, we unchecked Open dashboard after save and then clicked Save.

This leaves me at the same search screen. But given the setup here, quickly edit to extend our analysis here by simply changing “Close” to “Volume” in the query window.

Save this as a widget named “Volume Chart.”

Your dashboard should now look just like this:

Additionally, we can do some extra work to enhance the visibility and aesthetics. In the upper right corner, click the pencil icon. Now you can rearrange your widgets. Start by dragging the Price Chart widget to the top. Then drag the edge to the right to resize it across the page. Drag the Volume widget up to below the price one, and resize it to the right edge as well. The price is far more interesting, so drag the Price widget down to enlarge it, and resize the Volume widget to be shorter.

Finally, move the High and Low widgets to the bottom and resize them to be a bit smaller.

Looking at the dashboard now, it’s quite functional, but let’s bring more contrast between the price and volume data, aside from their relative size. In the upper right of the Price widget, click the three vertical dots and then Edit Style. From the right side panel, scroll to the bottom and expand the Series menu. In the Field text box, enter “CRWD.” Click the next box (which by default says AUTO) to open the color selector. I chose red.

Then, to highlight the value differences better, find the Min Value field and put something under the Low value we discovered earlier.

Finally, click the Save button. Here’s the final dashboard.

One final thing to check: When you save a query to a dashboard widget, it will keep the time frame you used in the original query. You can use this to have different widgets looking at different time frames. If you wish to have an overriding time frame, click the slider button next to Shared Time and choose the time window you want. It will then be applied to all widgets on the page.

Thank you for checking out Humio Community Edition! In our next post we’ll extend the dashboard and make it flexible enough to handle multiple stocks. See you then.

Additional Resources

  • Build your skills with Humio Community Edition by visiting The Nest
  • Join the Humio Community Edition quickstart workshop
  • Register for our six-part log management course to learn advanced observability skills

macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis

6 May 2022 at 06:43
  • Ransomware (43% of analyzed threat data), backdoors (35%) and trojans (17%) were the most popular macOS malware categories spotted by CrowdStrike researchers in 2021
  • OSX.EvilQuest (ransomware), OSX.FlashBack (backdoor) and OSX.Lador (trojan) were the most prevalent threats in their respective categories
  • To strengthen customer protection, CrowdStrike researchers continuously build better automated detection capabilities by analyzing and understanding how macOS threats behave

Understanding the threat landscape and how threats behave is the first step CrowdStrike researchers take toward strengthening customer protection. They based the following threat landscape analysis on internal and open source data, which revealed that in 2021 the most commonly encountered macOS malware types were ransomware (43%), backdoors (35%) and trojans (17%). Each category is powered by a different motive: ransomware by money, backdoors by remote access and trojans by data theft.

Figure 1. macOS Threat Landscape in 2021

OSX.EvilQuest was the most prevalent macOS ransomware family in 2021, accounting for 98% of ransomware in the researchers’ analysis, while OSX.Flashback accounted for 31% of macOS backdoor threats and OSX.Lador accounted for 47% of macOS trojans. 

Improving the CrowdStrike Falcon® platform’s ability to detect macOS threats is a continuous process. CrowdStrike researchers constantly hunt, analyze and gain understanding of any macOS artifact that looks even remotely suspicious to improve CrowdStrike’s automated machine learning and behavior-based protection capabilities. 

The fallacies that macOS cannot be harmed by threats or is targeted by less-sophisticated malware still linger. This blog addresses some of the challenges and requirements our researchers must meet when analyzing macOS threats. The deep understanding and knowledge they gain is used both to create new features for structural parsing that augments our machine learning detection capabilities and to improve the proficiency of our behavior-based protection.  

Biting Into the Apple 

macOS malware research starts with the fundamentals, such as classifying macOS malware by file type; continues with the capabilities, intended targets and general behavior of malware; and ends with obstacles researchers encounter when analyzing macOS malware.

Threats that target macOS systems have the same goals as those targeting any other operating systems; they range from spying and reconnaissance to cryptocurrency mining, file encryption, remote access, and adware-related hijack and injection. 

File Type Classification for macOS Threats 

Malware developers often try to hide or mask file types in an attempt to trick users into executing them. File-type identification also helps in establishing the tools required in the analysis. Figure 2 offers an overview of macOS malware file types.

Figure 2. macOS malware by file types

Even though most malware are compiled binaries, many non-binary file types are commonly encountered while analyzing macOS malware; each has its own advantages and disadvantages for the adversaries that use them. Examples include: 

  • Apple Disk Images (.dmg) are favored because they’re automatically mounted on execution; both OSX.EvilQuest (Figure 3) and OSX.Shlayer malware typically use this file type.
  • Packages (.pkg, .mpkg) are another common file type abused by malware as they allow malware developers to define preinstall and postinstall scripts that automatically run through the installation process. For example, OSX.EvilQuest uses a malicious package — after mounting the .dmg file — that has a postinstall script that copies the malicious OSX.EvilQuest binary to /Library/mixednkey/ under the name toolroomd.
  • AppleScripts or AppleScript variants like Run-only that are used for automating repetitive tasks are often abused by macOS threats such as OSX.OSAMiner, a popular cryptocurrency miner.

Delivery and Infection Vectors

One of the most common methods of spreading malware involves using social engineering tactics in an attempt to trick the user into manually infecting their macOS. Fake updates, fake applications, trojanized applications and tainted versions of legitimate applications are the most common methods used to trick users into installing malicious software. 

For example, OSX.EvilQuest ransomware has been known to impersonate popular sound mixing applications (as seen in Figure 3), while trojans like OSX.Lador are distributed via spam emails that contain malicious add-ons, cracked applications, free programs and fake updates.

Figure 3. OSX.EvilQuest ransomware installing as fake Mixed In Key DJ application

Other malware variants, such as OSX.XCSSET, are distributed via either malicious documents or supply chain attacks targeting legitimate software development tools such as Xcode, Apple’s IDE. More complex attacks use exploits in different applications or in compromised OS kernels or accounts. For example, older OSX.FlashBack backdoor variants were known to use Java exploits to compromise targets.

By understanding delivery and infection vectors, researchers can take a layered approach to security, building protection capabilities to stop breaches.

Persistence and Tactics

Most threats, including macOS malware, attempt to ensure persistence to survive system reboots. Analyzing and understanding persistence tactics enables researchers to build behavior-based detections and train automated machine learning (ML) detections.

While one of the most common persistence mechanisms involves abusing Login Items in macOS, other popular persistence tactics include abusing Launch Items, adding malware to scheduled tasks, or using cronjobs to execute tasks sometime in the future. 

The hijacking of dylibs was once one of the stealthiest persistence mechanisms, especially in binaries. For example, some 2012 variants of the OSX.FlashBlack backdoor used malicious libraries injected at load time into a process via the DYLD_INSERT_LIBRARIES environment variable (i.e., at load time the dynamic loader will examine the DYLD_INSERT_LIBRARIES variable and load all specified libraries); others used the dylib hijacking technique of planting a malicious dylib for an application that tries to load dynamic libraries from multiple locations. However, Apple has long since improved security and reduced the number of use cases for abusing DYLD_INSERT_LIBRARIES. 

Challenges in Malware Analysis

Most malware, regardless of the targeted platform, make analysis difficult from the start by using anti-static analysis methods, such as string-based obfuscation or code obfuscation and encryption. Scripts usually use obfuscation tools that randomize function and variable names and insert junk and useless code, while binaries make use of packers or encryption. 

macOS malware also commonly uses debugger detection tactics, making analysis a challenge for researchers. Such tactics include using the sysctl API to check if the process is under debugging; calling the ptrace system call to prevent a debugger from attaching to the process; or even using built-in macOS commands to extract information about the machine. 

On a Quest to Understand EvilQuest

Let’s take a closer look at a mid-2020 OSX.EvilQuest ransomware sample and see how it implemented various anti-analysis methods to avoid virtual machines and debugging. 

Upon executing, OSX.EvilQuest first checked to see if it was running in a virtual machine, in particular a sandboxed environment, by looking at the is_virtual_mchn function starting at address 0x0000000100007BC0. OSX.EvilQuest performed this check by using a sleep function and calling the time function twice; the difference between the two time functions should return the time the malware used to sleep, yet because sandboxes usually patch sleep functions to quicken analysis, the differences between the two timestamps would be different and the malware would know it is running in a sandboxed environment.

Before the malware tries to ensure its persistence — as a launch daemon or a launch agent, depending on the –noroot argument passed to the binary — it implements another two anti-analysis methods. The first one (is_debugging function starting at address 0000000100007AA0) is to check if the malware is debugged, and the second one (prevent_trace function starting at address 0000000100007C20) is to prevent debugging using a ptrace call with the flag PT_DENY_ATTACH. 

Using the ptrace function call, OSX.EvilQuest uses different logics to make it more difficult for the analyst to spot the function call or to bypass the mechanism by patching the binary in the debugger. 

CrowdStrike Protection for macOS 

Continuous research into the trends and behavior of macOS malware is turned into expert input and knowledge that’s used to augment CrowdStrike’s automated detection capabilities and build better protection for customers.

Identifying the file type, understanding the behavior, targets and potential persistence mechanisms of possible threats, and knowing the possible obstacles an analyst may encounter in analyzing potential malware is crucial for building a solution that provides comprehensive protection and visibility against threats.

Fig 3. – CrowdStrike Falcon detection for OSX.EvilQuest malware sample (sha256: 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b) using cloud-based machine learning (Click to enlarge)

The CrowdStrike Falcon platform protects macOS workloads using machine learning and behavior-based indicators of attack (IOAs) to defend macOS systems against malware and sophisticated threats, while delivering complete visibility and context into attacks.

Indicators of Compromise (IOCs)

File SHA256
OSX.EvilQuest b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a;

5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

OSX.Shlayer 852ff1b97c1155fc28b14f5633a17de02dcace17bdc5aadf42e2f60226479eaf
OSX.Lador 30ca6a13a85ac1ea7858e8163d9c08d8bbd8ed8bc6e97498b5b02d6de042b51e;

33ee40b89ee505bced8caaa4226223a0b9622b944e790fb5a704ffe6fce3eaa6

OSX.XCSSET a6141dfb0b6a242246d26afecfea00ed04dee24209f7d8d9bfef82042accd0f0;

6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6;

ceb023a95b8ee954c31bc6aa47a8f1461e246fea939a57fc59bc4b457ccb61ff

OSX.FlashBack 8d56d09650ebc019209a788b2d2be7c7c8b865780eee53856bafceffaf71502c

Additional Resources

Humio Sets the Standard for Data Ingestion with Scalability Benchmark Streaming over One Petabyte of Data per Day

10 May 2022 at 12:17

This blog was originally published March 8, 2022 on humio.com. Humio is a CrowdStrike Company.

Humio is excited to achieve another milestone in data ingestion by reaching a benchmark of over one petabyte of data ingestion per day. The Humio engineering team completed a one petabyte benchmark on only 45 nodes with 96 cores each, running 30 million events per second and delivering search results with sub-second latency through Humio’s index-free architecture. Other vendors have shown the need for 1200 nodes to reach only 100TB. This highlights Humio’s industry-leading total cost of ownership and ability to remove the limitations present in logging solutions, bringing unlimited ingest, reduced infrastructure costs, and lower operational costs.

By using the same basic architecture in existing Humio Quick Start configurations, enterprises can use the Humio platform to log everything to get answers to everything. The platform reaches 1PB/day at a fraction of the cost of traditional solutions due to unlimited ingest of log data, reduced infrastructure needs and lower operational costs. At the same time, Humio brings the benefits of a fast, flexible and powerful log management platform to aggregate, manage and use log data to make decisions across both the IT and business landscapes.

“Log management is an important but often overlooked and underfunded side of IT. While data is growing, budget pressures often cause IT groups to scale back due to increasing infrastructure and operational costs faced when trying to achieve more observability and avoid blindspots,” said Steve McMahon, CIO and VP of Operations at CrowdStrike “We are excited to demonstrate the power Humio delivers to customers’ growing data ingestion needs, with 100% data fidelity from source to target, at an industry-leading TCO.”

Humio enables complete observability to answer any question, explore threats and vulnerabilities, and gain valuable insights from all logs in real time. With this combination of massive scale and sub-second search capabilities, Humio provides a faster, more cost effective way to quickly and effectively deliver insights with a platform designed for ease of operations and stability at any scale.

Several factors contribute to Humio’s ability to deliver such performance at this cost, including:

  • Architecture built for streaming. The platform is optimized for the demands of modern log management and uses technologies like Apache Kafka to support streaming data continuous concurrent write and high-volume ingest of data in real time.
  • Index-free searches. While legacy log management platforms index their data, this leads to search bottlenecks and the requirement to use significant amounts of disk space. Through index-free logging, Humio bypasses these issues to ingest and search logs faster. Now, enterprises can search 1 PB/day using Humio without the need to define and maintain complex indexes.
  • Data compression. Humio uses advanced data compression algorithms that reduce the size of raw data by 10-20x. This drastically limits the amount of storage needed to retain log data on a massive scale.
  • Bucket storage. Humio lets you write ingested logs to a native file format stored in Amazon Web Services S3 or Google Cloud Storage. This technique, called bucket storagemarkedly increases how much data can be stored in comparison to local disks. As a result, Humio cloud deployments are cheaper, faster, more scalable, easier to run (with ephemeral disks for primary storage), and more resilient against data loss.
  • Low licensing costs and overall TCO. While other log management platforms penalize additional ingest, Humio’s licensing structure encourages it. Humio offers low licensing costs, including an unlimited ingest plan that allows enterprises to “log everything” with predictable pricing, resulting in a lower overall TCO.

To learn more about Humio’s One Petabyte Scalability Benchmark benchmark, download the white paper.

CrowdStrike Partners with Center for Threat-Informed Defense to Reveal Top Attack Techniques Defenders Should Prioritize

10 May 2022 at 14:34
  • CrowdStrike is a Research Sponsor and contributor for the new Top ATT&CK Techniques project — an initiative of the Center for Threat-Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity — to provide prioritization for adversary attack techniques
  • The Center for Threat-Informed Defense will introduce three critical new components to help analysts prioritize adversary techniques: actionability, choke point and prevalence 
  • The new components are based on the ability to detect or mitigate against each technique, identify and disrupt adversary objectives, and assess the frequency of encountered techniques
  • The research reveals the most important MITRE ATT&CK® techniques for stopping ransomware — the CrowdStrike Falcon® platform automatically detects and defends against these techniques

The MITRE ATT&CK matrix revolutionized security, providing a common language and taxonomy for companies and security vendors to use when talking about and measuring cybersecurity, with an emphasis on adversary behaviors. However, building a defensive strategy using this insight can be overwhelming due to its 14 tactics, 191 techniques and 386 sub-techniques, and often thousands of implementation procedures for each technique that change constantly. 

When thinking about adopting ATT&CK into an enterprise as part of a defensive strategy, many play “ATT&CK bingo” and ensure that the capability exists across the whole matrix. But coloring in all of the boxes doesn’t necessarily equate to better security — and given the sheer volume of techniques, this approach can actually be counterproductive. Not all techniques and sub-techniques are created equal, and crafting an effective defensive strategy requires a deeper understanding of adversary tactics, techniques and procedures (TTPs) that is grounded in threat intelligence. 

At CrowdStrike, we’re on a mission to stop breaches. We know that a key component of an effective strategy for stopping breaches is prioritizing techniques that prevent an adversary from achieving their objectives. To that end, we are proud to collaborate with the MITRE Engenuity Center for Threat-Informed Defense to sponsor and contribute to the Top ATT&CK Techniques project, creating a powerful tool enabling defenders to build an effective cybersecurity strategy for their enterprise.

The Top ATT&CK Techniques project declares a methodology for prioritizing ATT&CK techniques and provides a web-based calculator that prioritizes techniques based on user input. The research also analyzed the techniques of 22 ransomware groups over the past three years to reveal the top 10 techniques defenders should focus on when protecting their organization. For example, some popular techniques associated with ransomware involve Process Injection (T1055), User Execution (T1204), Modify Registry (T1112), Impair Defenses (T1562), and Command and Scripting Interpreter (T1059), according to the research.

Ransomware Top Ten ATT&CK Techniques
Technique ID Technique Description
T1486  Data Encrypted for Impact
T1490 Inhibit System Recovery
T1027 Obfuscated Files or Information
T1047 Windows Management Instrumentation
T1036 Masquerading
T1059 Command and Scripting Interpreter
T1562 Impair Defenses
T1112 Modify Registry
T1204 User Execution
T1055 Process Injection

Figure 1. Ransomware Top Ten ATT&CK Techniques

With the three new components for prioritizing techniques — actionability, choke point and prevalence — security analysts and organizations can use the new Top ATT&CK Techniques methodology and web-based calculator to protect against, detect and mitigate cyberattacks.

Top ATT&CK Techniques Methodology

The methodology gives a different weight to the three different components (actionability, choke point, and prevalence), which combine into an overall score. Because not all techniques are created equal, the methodology is designed to help identify and prioritize techniques that defenders should focus on when building protections for their organization.

Attackers can always change their techniques and toolset when targeting an organization, making defense difficult in a live environment. The value of the Top ATT&CK Techniques research involves helping defenders identify the most frequently occurring current techniques that have a higher likelihood of being used during an incident. This helps focus defense efforts on high-priority techniques and also helps assess if existing tools can defend against, prevent and offer visibility and context around the techniques prioritized by attackers.

Actionability

Actionability, described as providing defenders with the opportunity to take action against a technique, is broken down into detections and mitigations. In essence, it’s important that a security solution provides actionable information on a given technique so that defenders can immediately take mitigation actions. 

Let’s take Application Layer Protocol HTTPs as an example. The point of modern encryption is that you can’t break into the data while it is still useful. Given that the protocol is ubiquitous, the information is only actionable if there is a man-in-the-middle proxy that can inspect the traffic. This means the technique would have a very low actionability score. Conversely, an attacker who stole credentials has a very high actionability score, which means defenders can immediately mitigate and take action — such as leveraging multifactor authentication (MFA), locking out the account or resetting the password — to disrupt the attacker. 

Choke Point

Choke point describes a technique that is a common denominator in multiple attacks, where eliminating that technique disrupts the adversary and shuts down the attack. For instance, techniques that drive lateral movement and privilege escalation are critical for an attacker to execute successfully, which makes them common in attacks. From a defender perspective, if an attacker cannot move laterally (i.e., “break out”), they will be significantly impeded in achieving their objective, whether it’s accessing the critical data infrastructure and exfiltrating data or executing a successful ransom. 

Services like Remote Desktop or Windows Management Instrumentation (WMI) often require credentials to be successful as part of an identity-based attack, meaning defenders would want to concentrate defenses on said choke points to get better outcomes. The same is true for privilege escalation where many techniques are not possible without elevated privileges.

Prevalence

Prevalence describes the current techniques observed most frequently during intrusions and is meant to help defenders adapt their detection tools based on the popularity of these techniques. For example, the Command and Scripting Interpreter (T1059) ATT&CK technique is revealed in the Top ATT&CK Techniques research as one of the most prevalent for ransomware groups, meaning defenders should prioritize this technique and deploy adequate mitigations when it’s detected. 

CrowdStrike and MITRE Partnership Advances the State of Threat-Informed Defense

CrowdStrike is a Research Sponsor of the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. We are committed to helping organizations solve real-world problems and improve visibility and understanding of adversary tradecraft and technology to better defend their security posture. CrowdStrike’s continued and ongoing support will help improve existing Center research and solve difficult problems that the cybersecurity industry faces.

CrowdStrike continues to support ATT&CK coverage by using the ATT&CK framework throughout the Falcon platform to describe adversary tactics and techniques and by contributing to research that helps equip defenders with the right data at the right time to stop breaches. 

CrowdStrike remains committed to helping customers and organizations secure data and protect their environments from any threat, including insider risks. The Falcon platform can detect and defend against these attack techniques, providing complete visibility across workloads, threats, identities, cloud infrastructure and business applications.

Additional Resources

Proactive Threat Hunting Bears Fruit: Falcon OverWatch Detects Novel IceApple Post-Exploitation Framework

11 May 2022 at 05:39

The CrowdStrike Falcon OverWatch™ proactive threat hunting team has uncovered a sophisticated .NET-based post-exploitation framework, dubbed IceApple. Since OverWatch’s first detection in late 2021, the framework has been observed in multiple victim environments in geographically distinct locations, with intrusions spanning the technology, academic and government sectors. 

The emergence of new and evolving IceApple modules over the past year indicates that this framework remains under active development.

To date, IceApple has been observed being deployed on Microsoft Exchange server instances, however it is capable of running under any Internet Information Services (IIS) web application. As such, ensuring all web applications are fully patched is critical to ensuring IceApple doesn’t end up in your environment.

For a detailed look at IceApple download OverWatch’s research paper that explores in depth how IceApple was found, the functionality of all currently discovered modules, and how these modules interact.

IceApple Likely Intended for Long Running Campaigns

IceApple is a post-exploitation framework — this means it does not provide access, rather it is used to further mission objectives after access has already been achieved. OverWatch’s investigations have identified 18 distinct modules with functionality that includes discovery, credential harvesting, file and directory deletion and data exfiltration. OverWatch has observed evidence of adversaries repeatedly returning to victim environments to carry out their post-exploitation activities.

IceApple uses an in-memory-only framework that highlights the adversary’s priority of maintaining a low forensic footprint on the infected host. This is typical of long-running objectives aimed at intelligence collection and aligns with a targeted, state-sponsored mission. While the observed targeted intrusions align with China-nexus, state-sponsored collection requirements, at this time CrowdStrike Intelligence has not attributed IceApple to a named threat actor.

IceApple has a number of features to help it evade detection. Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software. One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers.

Efforts to blend into the victim environment are also seen with the assembly file names themselves. At first glance they appear to be expected IIS temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load. Closer inspection is required to identify that the file names are not randomly generated as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS. OverWatch threat hunters’ familiarity with how systems should operate, and also how adversaries attempt to corrupt these systems is what enabled hunters to quickly identify this suspicious activity. 

How OverWatch Found IceApple

OverWatch regularly sees adversaries use .NET assemblies as a way to load additional functionality post-exploitation. Reflectively loading .NET assemblies, which involves executing the assembly directly within the memory of a process, can be a powerful and potentially stealthy way for adversaries to pursue their mission objectives. As such, OverWatch threat hunters have been actively developing detections for reflective .NET assembly loads. 

In late 2021, one of Falcon OverWatch’s in-development detections for reflective .NET assembly loads triggered on a Microsoft Exchange OWA server belonging to a customer who had recently started a trial of the Falcon platform. Eagle-eyed threat hunters identified anomalies in the assembly files and quickly reached out to the victim organization to notify them. OverWatch then worked with the customer to configure the Falcon sensor to extract the contents of reflectively loaded .NET assemblies across the customer’s endpoints giving OverWatch increased visibility and facilitating closer inspection of IceApple’s functionality.

OverWatch Provides Agile Defense in the Face of Evolving Threats

IceApple is a highly sophisticated IIS post exploitation framework, however, it is by no means alone. OverWatch regularly identifies new reflectively loaded .NET assemblies of various levels of sophistication.

The CrowdStrike Falcon® platform detects all currently known IceApple module loads, while OverWatch actively hunts new IceApple modules. Threat hunting is a crucial piece of the defensive puzzle when it comes to novel and stealthy adversary tools like IceApple. CrowdStrike threat hunters draw on their extensive experience of what “normal” looks like in enterprise environments, knowledge of adversary behavior, and up-to-the-minute threat intelligence to preempt where the next threat might emerge. This feeds the development and testing of hypotheses that enhance the hunt and curtail adversary attempts to evade technology-based defenses. OverWatch’s systematic workflows also ensure that the detailed analysis of IceApple will also feed back into continuous improvement and fine tuning of hunting leads.

The discovery of IceApple was the result of one such experimental hunting lead, and ultimately led to the discovery of attempted intrusions in multiple victim environments. 

Additional Resources

❌