this post was submitted on 23 Jul 2024
12 points (75.0% liked)

Asklemmy


A loosely moderated place to ask open-ended questions


The CrowdStrike cyber event affected 8.5 million Windows machines and was the biggest IT outage in history. It has "beaten" even the cyber attacks of WannaCry and NotPetya.

https://www.bbc.com/news/articles/cpe3zgznwjno

Can/will this method be used by hackers? What would they need to do to take advantage of that vulnerability?

EDIT: typo

all 12 comments
[–] [email protected] 36 points 5 months ago* (last edited 5 months ago) (1 children)

The "vulnerability" here was basically just having Kernel level access, which CrowdStrike is intended to have. If hackers had that, they've already won anyway. The difficulty lies in actually getting that level of access. So no, it doesn't change a thing for hackers.

[–] Blizzard 1 points 5 months ago (1 children)

So how about hacking CrowdStrike and obtaining that access? I'm guessing it might be easier than hacking Microsoft?

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

[–] [email protected] 13 points 5 months ago (1 children)

So how about hacking CrowdStrike and obtaining that access? I’m guessing it might be easier than hacking Microsoft?

Maybe. CrowdStrike is a company which specializes in security and has some pretty smart folks in that area. They also live and die by the perceived value of their security products. So, security is pretty important to the company. Microsoft is a conglomerate, and while it does have some arms which specialize in (and are pretty good at) security, the company's continued existence doesn't depend on their performance. So, the Microsoft President can go in front of Congress and promise to do better, and we all know this is bullshit and Microsoft will continue to be Microsoft.

As for an attacker actually leveraging the CrowdStrike platform as part of an attack: it's entirely possible. Security products have been found to have vulnerabilities in the past. IIRC, McAfee's ePO server was vulnerable to Log4j. And given CrowdStrike's engine runs in Ring 0 on the endpoints, it's certainly an attractive target. Finding a Remote Code exploit in it seems like something an APT like the NSA or PLA Unit 61398 might get up to. That said, as I mentioned above, CrowdStrike also employs a lot of smart folks and is likely doing its level best to find those vulnerabilities first and fix them.

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

Ya. Really, any EDR or A/V product is going to run in Ring 0. And any such kernel level driver crashing is going to cause a BSOD. That's just the way Windows is designed. I have personally dealt with bad updates from several other products causing BSODs, including one which brought down the entire site I was working at at the time. I believe it also took down a number of other sites as well, since, once I figured out how to get the bad update out of our system, the folks responsible for the update actually reached out and asked me what I did.

Ultimately, products like these exist in a very trusted state on systems, because they have to. If and when they crash, you can expect a BSOD. In this case, I suspect CrowdStrike is going to receive (and they deserve) a lot of shit for the way this one went down. The reporting I've seen states that the update file was just a mass of null bytes. And it seems there was no sanity checking or error handling for a corrupt update being pushed by CrowdStrike. I suspect that's gonna get fixed pretty quick, but it was a pretty bad oversight for a product with regular, live updates.
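The comment above describes the failure mode (a content update consisting of null bytes reaching kernel code that had no sanity checking or error handling for a corrupt file). The following is an added example, not the commenter's code and not CrowdStrike's format or driver: it uses a hypothetical, constructed update layout (magic, payload length, CRC32, fixed-size rules) and shows the kind of validation a loader should do before any field from the file is trusted, rejecting an all-null file, a truncated file, a corrupted payload, and an out-of-range table index. The CRC catches accidental corruption only; tamper resistance would additionally require a signature check, which is outside this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical update-file layout, constructed for this example (not a real product's format):
 *   bytes 0..3   magic "UPD1"
 *   bytes 4..7   payload length, little-endian
 *   bytes 8..11  CRC32 of the payload, little-endian
 *   bytes 12..   payload: rules of 8 bytes each, {uint32 rule_id, uint32 handler_index}
 */
#define UPD_MAGIC      "UPD1"
#define UPD_HEADER_LEN 12
#define RULE_LEN       8
#define MAX_RULES      1024
#define NUM_HANDLERS   16   /* size of the table that handler_index will later index into */

enum upd_status {
    UPD_OK = 0,
    UPD_ERR_TOO_SHORT,
    UPD_ERR_ALL_ZERO,
    UPD_ERR_BAD_MAGIC,
    UPD_ERR_BAD_LENGTH,
    UPD_ERR_BAD_CRC,
    UPD_ERR_BAD_RULE
};

/* Standard reflected CRC32 (polynomial 0xEDB88320), bitwise, no table. */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate the whole file before anything in it is used; fail closed on the first problem. */
enum upd_status validate_update(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < UPD_HEADER_LEN) return UPD_ERR_TOO_SHORT;

    /* A file of nothing but null bytes must never reach the parser proper. */
    int nonzero = 0;
    for (size_t i = 0; i < len && !nonzero; i++) nonzero = (buf[i] != 0);
    if (!nonzero) return UPD_ERR_ALL_ZERO;

    if (memcmp(buf, UPD_MAGIC, 4) != 0) return UPD_ERR_BAD_MAGIC;

    /* The declared length must match the bytes actually present and be a whole number of rules. */
    uint32_t payload_len = rd_le32(buf + 4);
    if (payload_len != len - UPD_HEADER_LEN || payload_len % RULE_LEN != 0 ||
        payload_len / RULE_LEN > MAX_RULES)
        return UPD_ERR_BAD_LENGTH;

    if (crc32_bytes(buf + UPD_HEADER_LEN, payload_len) != rd_le32(buf + 8)) return UPD_ERR_BAD_CRC;

    /* Every index the driver will later dereference is bounds-checked here, not at use time. */
    for (size_t off = 0; off < payload_len; off += RULE_LEN) {
        uint32_t handler = rd_le32(buf + UPD_HEADER_LEN + off + 4);
        if (handler >= NUM_HANDLERS) return UPD_ERR_BAD_RULE;
    }
    return UPD_OK;
}

/* Build a well-formed update with n_rules rules into out (constructed test data); returns total length, 0 if cap is too small. */
size_t build_update(uint8_t *out, size_t cap, uint32_t n_rules) {
    size_t total = UPD_HEADER_LEN + (size_t)n_rules * RULE_LEN;
    if (total > cap || n_rules > MAX_RULES) return 0;
    memcpy(out, UPD_MAGIC, 4);
    wr_le32(out + 4, n_rules * RULE_LEN);
    for (uint32_t i = 0; i < n_rules; i++) {
        uint8_t *r = out + UPD_HEADER_LEN + (size_t)i * RULE_LEN;
        wr_le32(r, 1000 + i);             /* rule_id */
        wr_le32(r + 4, i % NUM_HANDLERS); /* handler_index, always in range */
    }
    wr_le32(out + 8, crc32_bytes(out + UPD_HEADER_LEN, (size_t)n_rules * RULE_LEN));
    return total;
}

int main(void) {
    uint8_t buf[4096];
    size_t n = build_update(buf, sizeof buf, 3);
    printf("well-formed update: status %d\n", validate_update(buf, n));
    memset(buf, 0, sizeof buf);   /* the all-null-bytes case from the thread */
    printf("all-null update:    status %d\n", validate_update(buf, sizeof buf));
    return 0;
}
```

The ordering matters: cheap structural checks (length, magic, all-zero) run before the CRC, and the CRC runs before any per-rule field is interpreted, so a corrupt file is rejected without any of its values ever being used as an offset or index.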

[–] Blizzard 3 points 5 months ago

Great comment. And cool story about your fix!

[–] [email protected] 14 points 5 months ago

if gamers keep allowing companies to install kernel level anti-cheat, i fear the answer is sooner rather than later.

[–] [email protected] 5 points 5 months ago (1 children)

"Hackers" (rather, malicious actors) rarely look to take down IT resources as their goal. Instead, they want to access it for their own purposes. The closest example would be ransomware, where it gets taken down as part of the threat/punishment. But if the victim pays, their resources must be restored.

Plus, I would be surprised if Crowd Strike doesn't have any protections on its own files. I also expect there will be additional verification checks (hash/etc) on their updates going forward.

[–] Blizzard 0 points 5 months ago (2 children)

malicious actors rarely look to take down IT resources as their goal

Could be a hostile government sponsored group or idealists (Microsoft has more haters than fans) or simply someone could do it just because they can - if they could. Some men just want to see the world burn.

[–] [email protected] 2 points 5 months ago

They could also DDOS essentially anything with root access to that many devices.

It's like taking all the army's guns to throw them in a volcano 'cause you "want to see the world burn".

[–] [email protected] 3 points 5 months ago (1 children)

A Crow Strike sounds both glorious and terrifying.

[–] Blizzard 2 points 5 months ago* (last edited 5 months ago)

Hadn't noticed the typo until now, and I made it twice...!

(οΌβ€Έαƒš)

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

Can? Probably. Will? No. They would need access to CrowdStrike's update distribution system, and if they had that they could do much more interesting things than crashing a bunch of systems.