
Friday Five: The Wake of the Crowdstrike Debacle, a North Korean Hacker Hired to a Security Firm, & More

by Robbie Araiza on Friday July 26, 2024


Bottom-feeding cybercriminals are seizing new opportunities in the wake of this past week's massive Crowdstrike outage. Meanwhile, more prominent hackers from China, North Korea, and Russia aren't showing signs of slowing down. Read up on all these stories in this week's Friday Five!

CROWDSTRIKE BLAMES TESTING BUGS FOR SECURITY UPDATE THAT TOOK DOWN 8.5M WINDOWS PCS BY ANDREW CUNNINGHAM

CrowdStrike released a preliminary report on a faulty update to its Falcon security software that crashed up to 8.5 million Windows PCs, causing widespread disruption. The issue stemmed from a Content Validator bug that failed to detect problematic data in a Rapid Response Content update. CrowdStrike plans to enhance its testing and deployment processes, including additional validation checks and a staggered deployment strategy. Customers will gain more control over update timing and access to release notes. Recovery efforts include multiple reboots and tools from Microsoft to remove the faulty update. A full Root Cause Analysis will follow the ongoing investigation.


LOW-LEVEL CYBERCRIMINALS ARE POUNCING ON CROWDSTRIKE-CONNECTED OUTAGE BY AJ VICENS

Five days after a faulty update to CrowdStrike's Falcon software disrupted millions of Windows computers, cybercriminals and hacktivists are exploiting the situation. CrowdStrike reported multiple criminal activities, including malware-laden documents and phishing emails containing wiper malware. Researchers identified over 2,000 CrowdStrike-related domains registered recently, with many appearing suspicious. CrowdStrike's CEO warned customers to engage only with official representatives. The malicious activity persists as CrowdStrike customers continue recovering, affecting at least 8.5 million devices and causing significant disruptions, including flight cancellations by Delta Air Lines. CISA and other international agencies are working to mitigate the impact.
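The wave of freshly registered CrowdStrike-themed domains is the kind of thing a defender can triage automatically. The script below is an added example, not code from the Friday Five post, CrowdStrike, or the researchers it cites: it runs a newly-registered-domain feed through three checks (brand name embedded in the label, brand name plus an incident-themed lure word, and near-misses within two edits after undoing common digit-for-letter substitutions). The brand tokens come from the post; the homoglyph table, lure-word list, edit-distance threshold and the sample feed are constructed for the example.

```python
"""Flag newly registered domains that impersonate a brand name.

Added example (not from the Friday Five post or from CrowdStrike): a small
triage filter of the kind a defender runs over a newly-registered-domain
feed after a high-profile incident. All sample domains are constructed.
"""
import re
from typing import Optional

# Brand tokens to protect: "crowdstrike" and its "falcon" product are named in the post.
BRAND_TOKENS = ("crowdstrike", "falcon")

# Common look-alike substitutions (illustrative, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

# Words that, next to a brand token, suggest an incident-themed lure (assumed list).
LURE_TERMS = ("fix", "bsod", "outage", "recovery", "update", "support", "claim", "hotfix")

def registrable_label(domain: str) -> str:
    """Return the left-most label of the registrable name, e.g. 'crowdstrike-fix'
    for 'crowdstrike-fix.com'. Public-suffix handling is deliberately simplified:
    only a few two-part suffixes such as 'co.uk' are recognised."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net"):
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalize(label: str) -> str:
    """Undo common homoglyph substitutions and strip separators so that
    'cr0wdstrike-support' compares as 'crowdstrikesupport'."""
    s = label
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return re.sub(r"[-_.]", "", s)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> Optional[str]:
    """Return a reason string if the domain looks like a brand impersonation, else None."""
    norm = normalize(registrable_label(domain))
    for token in BRAND_TOKENS:
        if token in norm:
            lure = [t for t in LURE_TERMS if t in norm]
            if lure:
                return f"brand '{token}' + lure term(s) {lure}"
            if norm != token:
                return f"brand '{token}' embedded in label"
            return None  # exact brand label: leave for an allow-list check
        if levenshtein(norm, token) <= 2:
            return f"within 2 edits of '{token}'"
    return None

def triage(domains) -> dict:
    """Return {domain: reason} for every flagged domain in the feed."""
    return {d: r for d in domains if (r := classify(d)) is not None}

# Constructed sample feed (not real registrations).
SAMPLE_FEED = [
    "crowdstrike-bsod-fix.com",
    "cr0wdstrike-support.net",
    "crowdstrlke.com",
    "falc0n-hotfix.co.uk",
    "falcon-recovery-claim.net",
    "crowdstrike.com",
    "example.com",
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_FEED).items():
        print(f"{domain:30} {reason}")
```

The edit-distance check is the noisiest of the three: a six-letter token such as "falcon" sits within two edits of ordinary words, so in practice that rule wants a longer minimum label length or a review queue rather than an automatic block. Exact brand labels are deliberately left unflagged so that the organisation's own domains can be handled by an allow-list.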


SECURITY FIRM ACCIDENTALLY HIRES NORTH KOREAN HACKER, DID NOT KNOWBE4 BY ELIZABETH MONTALBANO

KnowBe4, a security awareness and training firm, discovered a North Korean threat actor who had infiltrated its AI team as a principal software engineer. The actor passed the firm's pre-hiring checks and video interviews using a stolen identity and an AI-enhanced photo. Upon receiving his workstation, the individual immediately loaded malware. KnowBe4's security operations team quickly detected the suspicious activity, quarantined the device, and contacted authorities. No data breach occurred, as the malware was blocked and the actor had limited access, but the incident nonetheless highlights the risk of state-sponsored operatives posing as IT workers. KnowBe4 has since tightened its hiring processes, including shipping workstations only to verified UPS locations and adding security measures to prevent similar incidents.


CHINA'S APT41 TARGETS GLOBAL LOGISTICS, UTILITIES COMPANIES BY JAI VIJAYAN

APT41, a prolific Chinese threat group, is conducting a cyber espionage campaign targeting sectors such as global shipping, media, technology, and the automotive industry, according to Google's Mandiant security group. Since early 2023, APT41 has infiltrated multiple networks and maintained prolonged access, especially in the UK, Italy, Spain, Taiwan, Thailand, and Turkey. Known for espionage, supply chain attacks, and cybercrime since 2012, APT41 includes subgroups such as Wicked Panda and Winnti, which use custom tools such as AntsWord, BlueBeam, DustPan, and DustTrap to deploy malware and exfiltrate data. The group's current focus reflects Chinese government priorities, though no evidence of monetization has been found.


US SANCTIONS RUSSIAN HACKTIVISTS WHO BREACHED WATER FACILITIES BY BILL TOULAS

The US government has sanctioned two Russian cybercriminals, Yuliya Pankratova and Denis Degtyarenko, two key members of the Cyber Army of Russia Reborn (CARR), for cyberattacks on critical infrastructure. Pankratova, known as 'YuliYA,' leads CARR and acts as its spokesperson, while Degtyarenko, aka 'Dena,' was identified as the primary hacker. Since 2022, CARR has targeted Ukraine and its allies with DDoS attacks, escalating in late 2023 to attack industrial systems in the US and Europe. In January 2024, they compromised a US energy firm's SCADA system. The sanctions block US-based assets and prohibit US transactions with them, aiming to isolate and pressure the cybercriminals.


Tags: State Hackers, Cybercrime, Incident Response
