Security Roundup July 2024

July 2024: “That” CrowdStrike Issue, Microsoft Suffers DDoS Attack, Cyber Security in the King’s Speech, and More!

CrowdStrike Rapid Response Update Causes Global Outage

At 04:08 UTC on Friday, 19 June, CrowdStrike pushed out a Rapid Response Update globally to millions of devices running its Falcon Endpoint Detection and Response (EDR) software. Rapid Response Updates, which can be released several times a day, keep the EDR software aware of the latest security threats. Unfortunately, a bug in the update caused Windows devices online at the time to crash and present a “Blue Screen of Death” (BSOD). Initial news reports identified IT issues across Australasia and the Far East, as it was the middle of their working day. However, it soon became apparent that this was a global incident severely impacting airlines, finance, healthcare and many other critical sectors.

Protos Networks was impacted by the incident, as we are a CrowdStrike Falcon Managed Security Services Provider (MSSP). Our SOC started receiving unexpected reboot alarms and phone calls from customers just before 6 am. Whilst working with some of our IT partners and customers, we noticed that if we booted into safe mode and renamed the “C:\windows\system32\drivers\crowdstrike” folder, the computer would boot, but without CrowdStrike protection. CrowdStrike then advised impacted organisations to delete the offending “C-00000291*.sys” file; this enabled us to get critical servers and workstations online for most of our customers before 9 am. However, work to rectify the issue went on over the weekend and early into the following week.
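The file-removal workaround described above, as an added Python example rather than anything from the post or from CrowdStrike: it assumes the affected Windows volume is mounted where a Python interpreter can reach it (a rescue image, or the disk attached to another machine), matches the folder names case-insensitively so a case-sensitive mount still works, and moves the matching channel files into a quarantine folder instead of deleting them. The sample volume built in `demo()` is constructed.

```python
import fnmatch
import shutil
import tempfile
from pathlib import Path

CHANNEL_PATTERN = "C-00000291*.sys"  # faulty channel file named in CrowdStrike's guidance
DRIVER_SUBPATH = ("Windows", "System32", "drivers", "CrowdStrike")  # below the volume root


def find_dir_ci(base: Path, parts):
    """Descend `parts` below `base`, matching each name case-insensitively.
    Needed when the Windows volume is mounted from a case-sensitive OS
    (a Linux rescue image, say), where 'windows' and 'Windows' differ."""
    current = base
    for part in parts:
        match = next((p for p in current.iterdir()
                      if p.is_dir() and p.name.lower() == part.lower()), None)
        if match is None:
            return None
        current = match
    return current


def quarantine_channel_files(volume_root: Path, quarantine: Path) -> list:
    """Move every C-00000291*.sys out of the CrowdStrike driver folder into
    `quarantine` and return the names moved. Moving rather than deleting keeps
    a copy for analysis and mirrors the rename workaround the post describes."""
    driver_dir = find_dir_ci(volume_root, DRIVER_SUBPATH)
    if driver_dir is None:
        return []
    moved = []
    for f in sorted(driver_dir.iterdir()):
        if f.is_file() and fnmatch.fnmatch(f.name.lower(), CHANNEL_PATTERN.lower()):
            quarantine.mkdir(parents=True, exist_ok=True)
            shutil.move(str(f), str(quarantine / f.name))
            moved.append(f.name)
    return moved


def demo():
    """Constructed volume: one faulty channel file beside an unrelated one."""
    root = Path(tempfile.mkdtemp())
    drv = root.joinpath("windows", "system32", "drivers", "crowdstrike")
    drv.mkdir(parents=True)
    for name in ("C-00000291-00000000-00000032.sys", "C-00000290-00000000-00000001.sys"):
        (drv / name).write_bytes(b"\0" * 16)  # placeholder bytes, not real channel data
    moved = quarantine_channel_files(root, root / "quarantine")
    return moved, sorted(p.name for p in drv.iterdir())
```

On a real volume call `quarantine_channel_files(Path("/mnt/windows"), Path("/mnt/windows/cs_quarantine"))` with the mount point you are using; the unrelated channel file in the demo is left in place, which is the behaviour you want.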

Other organisations were less fortunate. The incident cost Delta Air Lines around $500 million, and the outage cost the Fortune 500 an estimated $5.4 billion in damage. Investors, led by the Plymouth County Retirement Association, have already filed a lawsuit in Austin, Texas, where CrowdStrike is headquartered. Other organisations may follow suit.  

In its Post-Incident Review (PIR), CrowdStrike said that a bug in its validation software meant that the update passed validation checks despite containing problematic data. CrowdStrike has implemented safeguards to prevent such a recurrence, including enhanced testing, refined deployment strategies, and third-party validations.

Microsoft Suffers DDoS Attack

On Tuesday, 30 July, Microsoft 365 and Azure services globally suffered a nine-hour outage due to a distributed denial-of-service (DDoS) attack.

In a Preliminary Post-Incident Review (PIR) published on 30 July, Microsoft stated that multiple Azure Front Door (AFD) and Content Delivery Network (CDN) locations began to suffer TCP SYN flood attacks between 10:15 and 10:45 UTC—an indication that a DDoS attack was underway. By 11:45 UTC, Microsoft stated its DDoS protection service was disengaging and resuming regular activity.

However, an unrelated network configuration routed traffic from outside Europe to the DDoS protection system in Europe, causing high latency and connectivity failures across multiple regions. The impact of the incident was largely mitigated by 15:38 UTC.

Microsoft has yet to mention who it believes carried out the attack. However, in June 2023, a threat actor known as Anonymous Sudan, who is believed to be linked to Russia, brought down services, including Azure, OneDrive, and Exchange Online, in a DDoS attack.

Cyber Security Mentioned in the King’s Speech

Amongst the pomp and pageantry of the State Opening of Parliament, His Majesty the King announced that the new Labour government planned to bring a new Cyber Security and Resilience Bill. The previous Conservative administration had planned to strengthen cyber security regulations, but none ever made it onto the books.

The bill’s announcement has been brought forward due to a significant increase in hostile actors and cyber attacks hitting British institutions. The UK’s existing regulations had previously been inherited as part of the European Union’s Network and Information Systems (NIS) Regulations but need updating in an increasingly hostile global environment.

The new Cyber Security and Resilience Bill aims to make crucial updates to the UK’s regulatory framework in several ways. First, it will expand the remit of regulations to protect more digital services and supply chains, including IT service providers. The bill also gives regulators more teeth and could open the door to more stringent fines. Lastly, it will mandate better incident reporting to provide the government with better data on cyber-attacks; this includes stricter rules around reporting ransomware attacks.

Some of This Month’s Other Vulnerabilities

Microsoft Patch Tuesday

Microsoft’s latest Patch Tuesday rollout, in July 2024, contained security updates for 142 vulnerabilities, including two actively exploited (CVE-2024-38080 and CVE-2024-38112) and two publicly disclosed zero-days. Of all the vulnerabilities, 137 are classified as Important or Moderate, while five are classified as Critical in severity.

Docker Authentication Bypass Flaw

Docker has released security updates to address a vulnerability in Docker Engine that allows attackers to bypass authorisation plugins (AuthZ) under certain circumstances. The flaw, initially discovered in 2019 but not carried forward into later versions, resurfaced in April 2024, and patches were finally released at the end of this month. The vulnerability affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0 for deployments that rely on authorisation plugins for access control. Those affected are advised to move to v23.0.14 and v27.1.0 as soon as possible. Docker Desktop’s latest version, 4.32.0, also includes a vulnerable Docker Engine, but the impact is limited there because the exploit requires access to the Docker API. Docker Desktop users are advised to turn off AuthZ plugins and restrict trusted users’ access to the Docker API until a patched release is available.

Critical Cisco Secure Email Gateway Bug

Cisco has fixed a critical vulnerability that allows attackers to add new users with root privileges and permanently crash Secure Email Gateway (SEG) appliances using malicious emails. The vulnerability, CVE-2024-20401, is caused by an absolute path traversal weakness that allows replacing any file on the underlying operating system. The attack can lead to adding users with root privileges, modifying device configuration, executing arbitrary code, or causing a permanent denial of service condition. The fix is delivered to affected devices with the Content Scanner Tools package versions 23.3.0.4823 and later. Cisco advises customers to contact its Technical Assistance Centre to bring appliances back online, which will require manual intervention.
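The absolute path traversal class behind this bug, as an added Python example (not Cisco's code, and nothing here reflects the SEG's actual implementation): an attachment writer that trusts the supplied filename, beside a hardened version that rejects anything other than a plain basename and re-checks that the resolved target stays inside the store. The file layout built in `demo()` is constructed.

```python
import os
import tempfile
from pathlib import Path


def save_attachment_vulnerable(store_dir: str, filename: str, data: bytes) -> str:
    """Vulnerable pattern: the attachment's own filename is trusted. os.path.join
    discards `store_dir` entirely when `filename` is absolute, so a crafted name
    writes anywhere the process can (CWE-36, absolute path traversal)."""
    path = os.path.join(store_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_attachment_hardened(store_dir: str, filename: str, data: bytes) -> str:
    """Hardened form: accept only a plain basename (no separators, not absolute,
    not '.' or '..'), then confirm the resolved target is still inside the
    store as defence in depth against symlinks or odd names."""
    base = Path(store_dir).resolve()
    name = filename.replace("\\", "/")
    if os.path.isabs(name) or "/" in name or name in ("", ".", ".."):
        raise ValueError("rejected attachment name: %r" % filename)
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError("attachment escapes store directory: %r" % filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return str(target)


def demo():
    """Constructed layout: a mail store and a decoy 'system' file outside it."""
    root = Path(tempfile.mkdtemp())
    store = root / "mail_store"
    store.mkdir()
    decoy = root / "etc" / "config.conf"
    decoy.parent.mkdir()
    decoy.write_bytes(b"original")
    hostile = str(decoy)  # absolute path smuggled in as the attachment's filename
    save_attachment_vulnerable(str(store), hostile, b"replaced")
    overwritten = decoy.read_bytes() == b"replaced"
    try:
        save_attachment_hardened(str(store), hostile, b"replaced")
        blocked = False
    except ValueError:
        blocked = True
    safe = Path(save_attachment_hardened(str(store), "invoice.pdf", b"%PDF"))
    return overwritten, blocked, safe.parent == store.resolve()
```

`demo()` returns `(True, True, True)`: the vulnerable writer replaced the decoy file outside the store, the hardened writer refused the same name, and a benign name still lands inside the store.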

One of the most eventful months we’ve had in quite a while!

Need Advice?

If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.

Email: [email protected]
Tel: 0333 370 1353