The CrowStrike cyber event affected 8.5 million Windows machines and was the biggest IT outage in history. It has “beaten” even the cyber attacks of WannaCry and NotPetya.
https://www.bbc.com/news/articles/cpe3zgznwjno
Can/will this method be used by hackers? What would they need to do to take advantage of that vulnerability?
Can? Probably. Will? No. They would need access to Crowdstrike’s update distribution system.
“Hackers” (rather, malicious actors) rarely look to take down IT resources as their goal. Instead, they want to access it for their own purposes. The closest example would be ransomware, where it gets taken down as part of the threat/punishment. But if the victim pays, their resources must be restored.
Plus, I would be surprised if Crowd Strike doesn’t have any protections on its own files. I also expect there will be additional verification checks (hash/etc) on their updates going forward.
malicious actors rarely look to take down IT resources as their goal
Could be a hostile government sponsored group or idealists (Microsoft has more haters than fans) or simply someone could do it just because they can - if they could. Some men just want to see the world burn.
Im not sure you have a grasp of what actually happened.
They could also DDOS essentially anything with root access to that many devices.
Its like taking all the armies guns to throw them in a volcano ‘cause you want to see the world burn’
A Crow Strike sounds both glorious and terrifying.
Haven’t noticed the typo until now and I made it twice…!
(-‸ლ)
The “vulnerability” here was basically just having Kernel level access. If hackers had that, they’ve already won anyway. So no, it doesn’t change a thing for hackers.
So how about hacking CrowdStrike and obtaining that access? I’m guessing it might be easier than hacking Microsoft?
Are there other companies having the same access level as CrowdStrike? How vulnerable are they?
So how about hacking CrowdStrike and obtaining that access? I’m guessing it might be easier than hacking Microsoft?
Maybe. CrowdStrike is a company which specializes in security and has some pretty smart folks in that area. They also live and die by the perceived value of their security products. So, security is pretty important to the company. Microsoft is a conglomerate, and while it does have some arms which specialize in (and are pretty good at) security, the company’s continued existence doesn’t depend on their performance. So, the Microsoft President can go in front of Congress and promise to do better, and we all know this is bullshit and Microsoft will continue to be Microsoft.
As for an attacker actually leveraging the CrowdStrike platform as part of an attack. It’s entirely possible. Security products have been found to have vulnerabilities in the past. IIRC, McAfee’s ePO server was vulnerable to Log4j. And given CrowdStrike’s engine runs in Ring 0 on the endpoints, it’s certainly an attractive target. Finding a Remote Code exploit in it seems like something an APT like the NSA or PLA Unit 61398 might get up to. That said, as I mentioned above, CrowdStike also employs a lot of smart folks and is likely doing it’s level best to find those vulnerabilities first and fix them.
Are there other companies having the same access level as CrowdStrike? How vulnerable are they?
Ya. Really, any EDR or A/V product is going to run in Ring 0. And any such kernel level driver crashing is going to cause a BSOD. That’s just the way Windows is designed. I have personally dealt with bad updates from several other products causing BSODs. Including one which brought down the entire site I was working at, at the time. I believe it also took down a number of other sites as well. Since, once I figure out how to get the bad update out of our system, the folks responsible for the update actually reached out and asked me what I did.
Ultimately, products like these exist in a very trusted state on systems, because they have to. if and when they crash, you can expect a BSOD. In this case, I suspect CrowdStrike is going to receive (and they deserve) a lot of shit for the way this one went down. The reporting I’ve seen states that the update file was just a mass of null bytes. And it seems there was no sanity checking or error handling for a corrupt update being pushed by CrowdStrike. I suspect that’s gonna get fixed pretty quick, but it was a pretty bad oversight for a product with regular, live updates.
Great comment. And cool story about your fix!
if gamers keep allowing companies to install kernel level anti-cheat, i fear the answer is sooner rather than later.