Threat Advisory *CRITICAL* – CrowdStrike Causing Widespread Global Outages

Threat Advisory *CRITICAL* – CrowdStrike Causing Widespread Global Outages

by | Jul 19, 2024 | Threat Advisories

CrowdStrike Causing Widespread Global Outages

DOWNLOAD PDF

Summary

An update pushed out by CrowdStrike within the past 12 hours has caused widespread outages to Windows environments where CrowdStrike is installed.  This was not an elective update and therefore was applied to every endpoint with internet connectivity.  The impact of this update caused the infamous Blue Screen of Death (BSOD) and will require manual intervention on every device.

QUICK REFERENCE PROTOCOL

Impact

Millions of endpoints globally were rendered inoperable, ranging from the 3 largest airlines, delaying flights, hospital networks, government agencies, and news networks.  Any endpoint with CrowdStrike installed with internet connectivity within the past 12 hours is likely affected.

  • Endpoints running older Windows 7 and 2008 R2 were not impacted
  • Endpoints running Mac or Linux were not impacted.

The channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problem.

 

Solution

Windows Endpoint (BitLocker not enabled)

  1. “Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Use Windows Explorer or the Command Prompt to “Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. “Locate the file matching ‘C-0000029*.sys’, and delete it.
  4. “Boot the host normally.”

Windows Endpoint (BitLocker enabled)

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to Troubleshoot > Advanced Options > Startup Settings
  3. Press “Restart”
  4. Skip the BitLocker recovery key prompt by pressing “Esc”
  5. Skip the next BitLocker recovery key prompt by selecting “Skip This Device”, in the bottom right
  6. Navigate to Troubleshoot > Advanced Options > Command Prompt
  7. Type “bcdedit /set {default} safebook minimal”, then press “Enter”
  8. Go back to the WinRE main menu and select “Continue”
  9. The device may cycle 2 to 3 times
  10. If booted into Safe Mode, log in as usual
  11. Use Windows Explorer to “Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  12. “Locate the file matching ‘C-00000291*.sys’, and delete it.
  13. Open Command Prompt as Administrator
  14. Type “bcdedit /deletevalue {default} safeboot”. Then Press “Enter”
  15. Restart as normal

Cloud Environment

Option 1

  1. Detach the operating system disk volume from the impacted virtual server
  2. Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
  3. Attach/mount the volume to to a new virtual server
  4. Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
  5. Locate the file matching “C-00000291*.sys”, and delete it.
  6. Detach the volume from the new virtual server
  7. Reattach the fixed volume to the impacted virtual server

 

Option 2

  1. Roll back to a snapshot prior to 0409 UTC

 

References

  1. https://mashable.com/article/crowdstrike-crash-microsoft-outage-bsod-fix
  2. https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/
  3. https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/

 

 

 

 

Threat Advisory *CRITICAL* – CrowdStrike Causing Widespread Global Outages

Exim Mail Server Flaw

by | Jul 18, 2024 | Threat Advisories

Exim Mail Server Flaw

DOWNLOAD PDF

Summary

A critical security vulnerability has been identified in the Exim mail transfer agent, potentially allowing attackers to send malicious attachments to users’ inboxes. This flaw (CVE-2024-39929) has a CVSS score of 9.1. The issue was resolved in version 4.98.

THREAT ADVISORY

Technical Details

The vulnerability stems from an improper parsing of multiline RFC2231 header filenames, enabling remote attackers to deliver malicious executable attachments to end users’ mailboxes by bypassing the $mime_filename extension-blocking protection mechanism. Exim, a free mail transfer agent used on Unix and Unix-like operating systems, was first released in 1995 at the University of Cambridge.

According to Censys, there are approximately 4,830,719 public-facing SMTP mail servers running Exim. As of July 12, 2024, 1,563,085 of these Exim servers are running vulnerable versions (4.97.1 or earlier). Most of these vulnerable instances are in the U.S., Russia, and Canada. Censys stated, “The vulnerability could allow a remote attacker to bypass filename extension blocking protection measures and deliver executable attachments directly to end-users’ mailboxes. If a user were to download or run one of these malicious files, the system could be compromised.”

For the attack to succeed, targets must click on an attached executable file. Although there are no reports of active exploitation, users must promptly apply patches to mitigate potential threats. This development comes almost a year after the maintainers of Exim addressed a set of six vulnerabilities that could lead to information disclosure and remote code execution.

 

Recommendations

  • Immediately upgrade to Exim version 4.98 or later to address the vulnerability (CVE-2024-39929).
  • Identify and audit all Exim servers within your network to determine which ones are running vulnerable versions (4.97.1 or earlier).
  • Apply the latest security patches to all identified Exim servers to mitigate the vulnerability.
  • Enable detailed logging and monitoring on Exim servers to detect any unusual activity that may indicate exploitation attempts.
  • Educate users about the risks of downloading and executing attachments from unknown or untrusted sources, emphasizing the importance of cautious behavior.
  • Ensure that email security policies, such as attachment filtering and extension blocking, are properly configured and enforced to prevent similar vulnerabilities from being exploited in the future.

 

References

 

 

 

 

Threat Advisory *CRITICAL* – CrowdStrike Causing Widespread Global Outages

EstateRansomware Threat Group Exploiting Veeam Backup Software Vulnerability (CVE-2023-27532)

by | Jul 17, 2024 | Threat Advisories

EstateRansomware Threat Group Exploiting Veeam Backup Software Vulnerability (CVE-2023-27532)

DOWNLOAD PDF

Summary

A flaw in Veeam Backup & Replication software (CVE-2023-27532) is being exploited by the EstateRansomware group, as observed by Group-IB through a dormant Fortinet FortiGate SSL VPN account. The attackers establish RDP connections, deploy backdoors, and disable defenses before executing ransomware.

 

Threat Intelligence

Exploits actively observed.

 

Technical Details

EstateRansomware is exploiting a security flaw (CVE-2023-27532) in Veeam Backup & Replication software. Initial access is obtained via a dormant account named ‘Acc1’ on a Fortinet FortiGate firewall SSL VPN appliance, then pivoting laterally and establishing RDP connections to a failover server. They then deploy a persistent backdoor named “svchost.exe” connected to a command-and-control (C2) server, enabling the execution of arbitrary commands.

The Veeam flaw is exploited to enable xp_cmdshell on the backup server, create a rogue user account named “VeeamBkp,” and conduct network discovery, enumeration, and credential harvesting using tools like NetScan, AdFind, and NitSoft. They then move laterally across the network, disable Windows Defender using DC.exe, and deploy the ransomware with PsExec.exe.

The attack follows a double extortion model, where data is exfiltrated before encryption. This requires long-term access to explore the environment, elevate privileges, and identify valuable data.

Indicators of Compromise (IOCs)

Executable files:
• DC.exe: CB704D2E8DF80FD3500A5B817966DC262D80DDB8
• DC.ini: 2C56E9BEEA9F0801E0110A7DC5549B4FA0661362
• Svchost.exe: 5E460A517F0579B831B09EC99EF158AC0DD3D4FA
• LB3.exe: 107EC3A7ED7AD908774AD18E3E03D4B999D4690C
• netscan.exe
• veeam-creds-main
• CVE-2023-27532.exe
• VeeamHax
• BulletsPassView64.exe
• netpass64.exe
• PasswordFox64.exe
• ChromePass.exe
• WirelessKeyView64.exe
• mspass.exe
• VNCPassView.exe
• WebBrowserPassView.exe
• mailpv.exe
• RouterPassView.exe
• PstPassword.exe
• OperaPassView.exe
• Dialupass.exe
• BulletsPassView64.exe
• ExtPassword.exe
• pspv.exe
• iepv.exe
• SniffPass64.exe • rdpv.exe

IPv4:

  • 28.106[.]252
  • 28.99[.]61
  • 76.232[.]205
  • 238.245[.]11:30001

 

Recommendations

  • Regularly update and patch all software, especially public-facing applications and critical systems.
  • Implement multi-factor authentication (MFA) for all remote access points to prevent unauthorized access.
  • Regularly review and disable dormant or unused accounts to minimize potential entry points.
  • Segment networks to limit lateral movement and isolate critical systems from general user access.
  • Implement application control on hosts to prevent execution of unauthorized programs.
  • Deploy endpoint detection and response (EDR) solutions to monitor and respond to malicious activities in real-time.
  • Maintain regular, secure backups and test restoration processes to ensure data recovery.
  • Implement strict access controls and least privilege principles to limit access to critical systems.
  • Use intrusion detection systems (IDS) to monitor network traffic for signs of intrusion and unauthorized activity.
  • Conduct regular security awareness training for employees to recognize phishing attempts and other social engineering attacks.
  • Turn off unnecessary services, ports, and protocols to reduce attack surfaces.
  • Continuously monitor and audit network activity for suspicious behavior and signs of compromise.
  • Implement advanced defensive measures, such as deception technologies, to detect and mislead attackers.
  • Ensure network edge devices are securely configured and regularly updated.
  • Restrict the use of built-in administrative tools and monitor their usage to detect living-off-the-land (LotL) techniques.

 

References

 

 

 

Threat Advisory *CRITICAL* – CrowdStrike Causing Widespread Global Outages

FakeBat Loader Malware Spreading Rapidly

by | Jul 11, 2024 | Threat Advisories

FakeBat Loader Malware Spreading Rapidly

DOWNLOAD PDF

Summary

FakeBat, a loader-as-a-service (LaaS) utilizes the drive-by download technique to download and execute payloads like IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.

 

Technical Details

Drive-by attacks involve methods like search engine optimization (SEO) poisoning, malvertising, and injecting malicious code into compromised websites to trick users into downloading fake software installers or browser updates.

FakeBat (aka EugenLoader and PaykLoader) has been available as a loader-as-a-service (LaaS) on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022. FakeBat is designed to evade security controls and allows customers to generate trojanized builds of legitimate software. It includes an administration panel to monitor installations over time. FakeBat initially used an MSI format for its malware builds, transitioning to an MSIX format in 2023 that incorporates a digital signature with a valid certificate to bypass Microsoft SmartScreen protections.

List of software targeted by FakeBat malveritsing campaigns:

  • 1Password
  • Advanced SystemCare
  • AnyDesk
  • Bandicam
  • Craavos
  • Cisco Webex
  • Epic Games
  • Google Chrome
  • Inkscape
  • MS OneNote
  • MS Teams
  • Notion
  • OBS Studio
  • OpenProject
  • Pay WGT Golf
  • Python
  • Shapr3D
  • Todoist
  • Trading View
  • Trello
  • VMware
  • Webull
  • WinRAR
  • Zoom

 

The malware is priced at $1,000 per week or $2,500 per month for the MSI format, $1,500 per week or $4,000 per month for the MSIX format, and $1,800 per week or $5,000 per month for a combined MSI and signature package. According to reaserchers at Sekoia, different activity clusters have been detected disseminating FakeBat through three primary approaches: impersonating popular software via malicious Google ads, fake web browser updates on compromised sites, and social engineering schemes on social networks. These campaigns are likely associated with groups such as FIN7, Nitrogen, and BATLOADER. Additionally, FakeBat’s command-and-control servers likely filter traffic based on characteristics such as User-Agent value, IP address, and location.

 

Indicators of Compromise (IoCs)

FakeBat C2 servers:

  • 0212top[.]online
  • 0212top[.]site
  • 0212top[.]top
  • 0212top[.]xyz
  • 0909kses[.]top
  • 11234jkhfkujhs[.]online
  • 11234jkhfkujhs[.]site
  • 11234jkhfkujhs[.]top
  • 11234jkhfkujhs[.]xyz
  • 1212stars[.]online
  • 1212stars[.]site
  • 1212stars[.]top
  • 1212stars[.]xyz
  • 2311foreign[.]xyz
  • 2311forget[.]online
  • 2311forget[.]site
  • 2311forget[.]xyz
  • 2610asdkj[.]online
  • 2610asdkj[.]site
  • 2610asdkj[.]top
  • 2610asdkj[.]xyz
  • 2610kjhsda[.]online
  • 2610kjhsda[.]site
  • 2610kjhsda[.]top
  • 2610kjhsda[.]xyz
  • 3010cars[.]online
  • 3010cars[.]site
  • 3010cars[.]top
  • 3010cars[.]xyz
  • 3010offers[.]online
  • 3010offers[.]site
  • 3010offers[.]top
  • 3010offers[.]xyz
  • 343-ads-info[.]top
  • 364klhjsfsl[.]top
  • 465jsdlkd[.]top
  • 756-ads-info[.]site
  • 756-ads-info[.]top
  • 756-ads-info[.]xyz
  • 875jhrfks[.]top
  • 98762341tdgi[.]online
  • 98762341tdgi[.]site
  • 98762341tdgi[.]top
  • 98762341tdgi[.]xyz
  • 999-ads-info[.]top
  • ads-info[.]ru
  • ads-info[.]site
  • aipanelnew[.]ru
  • aipanelnew[.]site
  • cdn-ads[.]ru
  • cdn-ads[.]site
  • cdn-dwnld[.]ru
  • cdn-dwnld[.]site
  • cdn-new-dwnl[.]ru
  • clk-brom[.]ru
  • clk-brom[.]site
  • clk-brood[.]online
  • clk-brood[.]top
  • clk-info[.]ru
  • clk-info[.]site
  • cornbascet[.]ru
  • cornbascet[.]site
  • dns-inform[.]top
  • fresh-prok[.]ru
  • fresh-prok[.]site
  • ganalytics-api[.]com
  • gotrustfear[.]ru
  • gotrustfear[.]site
  • infocdn-111[.]online
  • infocdn-111[.]site
  • infocdn-111[.]xyz
  • new-prok[.]ru
  • new-prok[.]site
  • newtorpan[.]ru
  • newtorpan[.]site
  • prkl-ads[.]ru
  • prkl-ads[.]site
  • test-pn[.]ru
  • test-pn[.]site
  • topttr[.]com
  • trust-flare[.]ru
  • trust-flare[.]site
  • trustdwnl[.]ru
  • ads-analyze[.]online
  • ads-analyze[.]site
  • ads-analyze[.]top
  • ads-analyze[.]xyz
  • ads-change[.]online
  • ads-change[.]site
  • ads-change[.]top
  • ads-change[.]xyz
  • ads-creep[.]top
  • ads-creep[.]xyz
  • ads-eagle[.]top
  • ads-eagle[.]xyz
  • ads-forget[.]top
  • ads-hoop[.]top
  • ads-hoop[.]xyz
  • ads-moon[.]top
  • ads-moon[.]xyz
  • ads-pill[.]top
  • ads-pill[.]xyz
  • ads-star[.]online
  • ads-star[.]site
  • ads-star[.]top
  • ads-star[.]xyz
  • ads-strong[.]online
  • ads-strong[.]site
  • ads-strong[.]top
  • ads-strong[.]xyz
  • ads-tooth[.]top
  • ads-tooth[.]xyz
  • ads-work[.]site
  • ads-work[.]top
  • ads-work[.]xyz
  • cdn-inform[.]com
  • udr-offdips[.]com
  • urd-apdaps[.]com
  • usm-pontic[.]com
  • utd-corts[.]com
  • utd-forts[.]com
  • utd-gochisu[.]com
  • utd-horipsy[.]com
  • utm-adrooz[.]com
  • utm-adschuk[.]com
  • utm-adsgoogle[.]com
  • utm-adsname[.]com
  • utm-advrez[.]com
  • utm-drmka[.]com
  • utm-fukap[.]com
  • utm-msh[.]com
  • utr-gavlup[.]com
  • utr-jopass[.]com
  • utr-krubz[.]com
  • utr-provit[.]com
  • amydlesk[.]com
  • notilon[.]co
  • notliion[.]com
  • notlon[.]top
  • notlilon[.]co
  • findreaders[.]com
  • findreaders[.]com
  • ilusofficial[.]com

 

Fake web browser updates:

  • brow-ser-update[.]top
  • hxxps://brow-ser-update[.]top/download/dwnl.php
  • hxxps://brow-ser-update[.]top/GoogleChrome-x86.msix
  • photoshop-adobe[.]shop
  • hxxps://photoshop-adobe[.]shop/download/dwnl.php
  • c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4 (GoogleChrome[1]x86.msix)
  • b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f (boci.ps1)

 

Social engineering schemes on social networks:

  • getmess[.]io
  • hxxps://app.getmess[.]io/
  • hxxps://app.getmess[.]io/download/dwnl.php
  • hxxps://getmess[.]download/Getmess.msix
  • utd-corts[.]com • hxxp://utd-corts[.]com/buy/
  • 12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15 (Getmess.msix)
  • 72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28 (ynwje.ps1)

 

Hashes:

  • c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4
  • 7265ffdbe31dd96d6e6c8ead5a56817c905ff012418546e2233b7dce22372630
  • 9aa39f017b50dcc2214ce472d3967721c676a7826030c2e34cb95c495dba4960
  • 1bb51d62457f606e947a4e7ce86198e9956ae1fe4e51e4e945370cc25fe6bfff
  • 400277618bd2591efb2eb22ac0041c1c5561d96c479a60924ef799de3e2d290c
  • f3ebb23bdcc7ac016d958c1a057152636bc2372b3a059bf49675882f64105068
  • 12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15
  • 3bd95eadb44349c7d88ea989501590fb3652ae27eded15ab5d12b17e2708969f
  • 67663233f9e3763171afd3a44b769dc67a8a61d4a159f205003c5fdb150e2ca1
  • f0e0aea32962a8a4aecd0c4b0329dc7e901fa5b103f0b03563cf9705d751bbe1
  • 8f88a86d57b93cd7f63dfdf3cb8cc398cdce358e683fb04e19b0d0ed73dd50ee
  • 3d3a9cd140972b7b8a01dde2e4cd9707913f2eba09a3742c72016fd073004951
  • 96bd6abb1c8ec2ede22b915a11b97c0cd44c1f5ed1cda8bee0acfee290f8f580
  • f1d72a27147c42a4f4baf3e10a6f03988c70546bb174a1025553a8319717ba95
  • 806d08e6169569eb1649b2d1f770ad30a01ff55beedfe93aebccac2bc24533c0
  • 763bdd0b5413bb2e0e3c4a68a7542586bbd638665b7ca250dbd9c7558216e427
  • 9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c
  • e5b94c001fc3c1c1aa35c71a3d1e9909124339e0ade09f897b918fe0729c12e1
  • 9e800a05e65efe923a35815157129652980f03cbcf95cf0d64676f6da73471de
  • f312e59be5ddbf857d92de506d55ae267800b0cbc2b82665ce63c889a7ae9414
  • 7c7dc62ed7af2f90aeafdd5c3af5284c5539aeded7d642d39f5fd5f187d33c87
  • 409a2a2a4e442017e6d647524fdec11507515a9f58a314e74307e67059bd8149
  • 1d5d671bf680d739ded1e25e78970b38d00e8182816171a7c6a186504a79eeee
  • aa998fde06a6a6ab37593c054333e192ce4706a14d210d8fc6c0de3fd2d74ce2
  • 767dd301dc5297828a35eaba81f84bd0f50d61fe1a9208b8d89b5eaba064d65e
  • 7d0aaf734f73c1cf93e53703e648125bba43e023203be9a938f270dfe3492718
  • 6e0179344ca0bbc42dce77027f5a6a049844daf34595fd184d9f094e8c74325c
  • 49a7668d60e8df9d0a57ba9e0e736c1eb48700da19711cc0ec0f3c94a56ce507
  • 2e8a82f07de254848615f81272f08e0cf9af474d1c20f67d9ddbdf439f1d8fde
  • f0f77c85c7da4391e34d106c4b5f671eb606ba695dc11401a6ee8ae53e337cbe
  • d1da457b0891b68df16ce86e2a48a799b9528c1631bccc379623551f873c0eed
  • 175fcb7495c0814a5c18afa6244d467f0daeb0f02ad93c0ab4d3af8cbbacb537
  • 7316ed0cb0fdbede33a0b6d05d0be1fe3c616ef7c1098dfcc9a2339c793e7020
  • 90641a72a4ea6f1fca57ec5e5daec4319ec95bec53dd2bf0fa58d1f9ade42ad4
  • 6fb502d83b7b5181abcb53784270239cc3e4143344e1f64101537aa3848c8c95
  • 2b033fc28ad12cb57c7c691bd40911ca47dd2a8e495a2d253557d2c6bcd40c5e
  • 4029e194864e2557786e169c7f2c101b9972164de7b4f1ffadf89382317cf96c
  • 020cd2e4ec27185550bf736b490d8ace0d244fe09315f9f7e18362de659bc7ad
  • b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f
  • 5ee273180702a54f32520be02c170ad154588893b63eefe2062cdb34ad83712c
  • 1c5cadde01f10a730cd8f55633c967c3a7259f4906f961477b7e095e7db326b7
  • 72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28
  • 00e7e8a0e8495189bb7feca21864fbd6c61a5aa680462186504de02536e0c2f9
  • 088ed84658a7c3bef4401601ef67a6953492fb0200a3b580bfabb21cd3ac8236
  • b7aa4697e16bbafe0df02ab3b8d0be8ec6e4abf6e6ca7d787d3d3684ca8f4b63
  • f138728ce2cc87201a51c9250fa87cbab20354012a8f566e1b2cd776cc1a66af
  • 0c4cef985c90ed764f041c2ccab6820fdbe38edaaddebe01a5b8d31d93204b88
  • f8ab48848ab915d1b23e3ee51dd20a2699bd4f277bde218a727d7a55a572d174
  • 07a0986ab43f717e181a32d6742b11f788403ce582ad5fcbb9d20d0bd40d410b
  • 5e5c134cea48e57da9604981c0a7fd6ef1704c4151b540f29de685e0017fa730
  • e3f18df1d8f5e27a41221246cc63236487c56354ba0c926a3fdaea70db901adb
  • 4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad
  • d069437eda843bd7a675a1cca7fd4922803833f39265d951fa01e7ad8e662c60
  • 904ce1b1ffa601f9aeb0a6d68bc83532c5e76b958029bd1c889937fa7cf1867f
  • 00ea5d43f2779a705856a824a3f8133cb100101e043cb670e49b163534b0c525
  • cea1c4f2229e7aa0167c07e22a3809f42ec931332da7cc28f7d14b9e702af66b
  • ae641dda420f2cf63ac29804f7009ba1c248c702679fbccef35e4d9319d77d2d

 

Recommendations

  • Ensure that all software and systems are kept up to date with the latest security patches.
  • Implement comprehensive security solutions that include anti-malware, anti-phishing, and firewall protection.
  • Use MFA for accessing sensitive systems and data to add an extra layer of security.
  • Conduct regular training sessions on recognizing phishing and social engineering attacks.
  • Continuously monitor network traffic for unusual activity and signs of malicious behavior.
  • Implement URL filtering to block access to known malicious websites.
  • Allow only approved applications to run on your systems.

 

References