• Netizen Cybersecurity Bulletin (July 31st, 2024)

    Overview:

    • Phish Tale of the Week
    • Meta Faces EU Scrutiny Over “Pay or Consent” Model
    • Federal Recovery Underway After CrowdStrike Outage; Congress Demands Accountability
    • How can Netizen help?

    Phish Tale of the Week

    Phishing campaigns frequently rely on social engineering. In this example, the actors are posing as Amazon. The message tells us that our membership has expired and that our monthly payment has failed, so we must take action to update our payment details. It seems both urgent and genuine, so why shouldn’t we visit the link? Luckily, there are plenty of signs that point to this being a scam.

    Here’s how we can tell not to click on this link:

    1. The first warning sign for this email is the formatting. Immediately, it’s apparent that different text boxes in the email have different alignments and different sizes, as well as strange spacing. The “confirm” button is a great example of this strange lettering: the text varies between sizes, switches between all-capital and regular format, and just overall looks unprofessional. It’s important to be wary of small inconsistencies such as this as they can be key indicators that the sender of the email may not be who they seem.
    2. The second warning sign in this email is the messaging. The message tries to create a sense of opportunity and urgency to push you into acting, using language such as “Available ONLY TODAY” and “Your membership has expired!” Phishing and smishing scams commonly manufacture urgency or confusion so that you click the link before thinking. Always inspect the style and tone of a message before following a link or opening an attachment.
    3. The final warning sign is that the email tells us we will be asked to enter our credit card details to “validate” our account once we click the link. It assures us that they “will not” withdraw any amount, which is curious for two reasons. First, it contradicts the earlier statement that they need to charge us to renew the Prime membership. Second, a Fortune 500 company should not need to reassure its customers that it “won’t” take money from their credit cards. All of these factors point to this being a phishing email, and an unsophisticated one at that.


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they are then prompted to update personal information, such as a password, credit card number, social security number, or bank account information. A legitimate company already has this information and would not ask for it again, especially via email or text message.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you don’t usually order from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company that claims to be sending the message. Check the full sender address, not just the display name.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign in to a website to provide Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL really belongs to the company or service, not merely that it uses HTTPS: phishing sites routinely carry valid HTTPS certificates, so the padlock proves only that the connection is encrypted, not that the site is who it claims to be.

    Many phishing messages convey urgency or even aggression in order to intimidate the recipient. Any message requesting immediate action should be vetted thoroughly to determine whether it is a scam. Also be wary of messages that tempt you into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” prompts the question “What is wrong with my account?” and nudges you toward clicking a suspicious link.
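    The URL check in recommendation 5 is worth making concrete, because the tricks used in lures like the Amazon email above (a trusted name placed in a subdomain, userinfo before an IP address, look-alike internationalized letters) all survive an HTTPS padlock. The following Python is an added example written for this bulletin, not code from the original post; the allowlist of trusted domains and the short table of two-label public suffixes are assumptions for the example, and a real deployment would load its own allowlist and the full Public Suffix List. It reduces a link to the domain someone actually had to register and compares that, not the visible prefix, against what the recipient expects.

```python
from urllib.parse import urlsplit

# Domains this recipient actually does business with. Constructed for the
# example; a real deployment loads its own allowlist.
TRUSTED_DOMAINS = {"amazon.com", "netizen.net"}

# Public suffixes that consume two labels ("amazon.co.uk"). A short table is
# an assumption for this example; production code should use the Public
# Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part that someone actually had to register,
    e.g. 'signin.amazon.com' -> 'amazon.com', 'x.amazon.co.uk' -> 'amazon.co.uk'.
    Only this part must match; every label to the left is chosen freely by
    whoever controls the domain, which is how 'amazon.com.evil.example' works."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str) -> dict:
    """Return the host a link really points at plus the reasons it looks wrong.
    An empty 'reasons' list means the link passed every check here; it does
    not mean the link is safe."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # lower-cased, userinfo and port removed
    reasons = []

    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        # https://amazon.com@203.0.113.5/ : the browser goes to the IP, not Amazon
        reasons.append("userinfo before the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) label; check for look-alike letters")
    if host and all(ch.isdigit() or ch == "." for ch in host):
        reasons.append("raw IP address")

    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"registrable domain '{domain}' is not one we trust")

    return {"host": host, "registrable": domain, "reasons": reasons,
            "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Constructed links; only the first should pass.
    for link in [
        "https://www.amazon.com/gp/css/order-history",
        "https://amazon.com.account-verify.example/confirm",
        "https://amazon.com@203.0.113.5/login",
        "http://www.amazon.com/",
    ]:
        print(link, "->", check_link(link)["reasons"] or "ok")
```

    The second constructed link is the classic case: it begins with “amazon.com”, serves a valid certificate if the attacker bothers to obtain one, and still resolves to a domain the attacker registered. Comparing the registrable domain is the check that catches it; looking for a padlock is not.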


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Meta Faces EU Scrutiny Over “Pay or Consent” Model

    Meta, the parent company of Facebook and Instagram, is under scrutiny from the European Commission over its advertising model dubbed “pay or consent.” This model gives users a choice between paying for an ad-free experience or consenting to their personal data being used for targeted advertising.

    The European Commission, through its Consumer Protection Cooperation Network, has raised concerns that this approach may violate consumer protection laws. Authorities argue that users might feel pressured into making a quick decision under the impression that refusing consent could result in losing access to their accounts or network connections.

    Under the EU Digital Markets Act (DMA), companies designated as gatekeepers must obtain users’ explicit consent before utilizing their data for targeted ads. The Commission alleges that Meta’s model does not adequately inform users of their options and misleads them with unclear terms, including describing services as “free” despite the requirement for data consent.

    Meta defends its model, citing a previous ruling from the Court of Justice of the European Union that allows companies to offer a paid, ad-free alternative. However, critics argue that Meta’s implementation lacks transparency and fails to provide a genuine choice to users.

    This regulatory challenge adds to Meta’s ongoing global scrutiny over data privacy practices. Recently, the company faced fines in Nigeria for data sharing violations and penalties in Turkey over data practices across its platforms.

    As the deadline approaches for Meta to address the EU concerns by September 1, 2024, the outcome will likely shape future regulatory standards for tech giants operating within the European Union.



    Federal Recovery Underway After CrowdStrike Outage; Congress Demands Accountability

    The U.S. federal government and various sectors are recuperating from a significant outage caused by a flawed update to CrowdStrike’s Falcon security software, impacting Microsoft Windows systems globally. The incident led to disruptions in essential services including federal agencies, airlines, banks, and hospitals.

    Social Security Administration (SSA) offices, which closed on Friday due to the outage, resumed public services on July 22nd. The Federal Communications Commission (FCC) reported disruptions to 911 services in some states.

    CrowdStrike and Microsoft are actively addressing the issue. Microsoft estimates that 8.5 million Windows devices were affected and has provided remediation solutions. CrowdStrike is testing new methods to expedite system recovery and has promised updates through their Tech Alerts.

    In response to the outage, lawmakers are demanding transparency and preventive measures from both CrowdStrike and federal agencies. Rep. Ritchie Torres (D-N.Y.) called for a Department of Homeland Security investigation into the incident, emphasizing the critical impact on national infrastructure.

    The House Committee on Homeland Security and Sen. Eric Schmitt (R-Mo.) have also voiced concerns over national security implications and the need for robust cybersecurity measures.

    As recovery efforts continue, stakeholders await comprehensive explanations and assurances to prevent future disruptions of such magnitude.



    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Netizen: July 2024 Vulnerability Review

    Security vulnerabilities are a routine part of managing any organization’s security. Prompt patching and remediation of newly disclosed vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from July that should be patched or mitigated immediately if present in your environment. Detailed writeups below:


    CVE-2024-38080

    CVE-2024-38080 is a high-severity elevation of privilege vulnerability in Microsoft’s Windows Hyper-V. An attacker with local, authenticated access to an affected system can exploit it to gain SYSTEM privileges. This is especially concerning in environments where multiple tenants share virtualized resources, since control of the host compromises the confidentiality, integrity, and availability of every virtual machine it runs.

    The vulnerability carries a CVSS v3.1 base score of 7.8 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Microsoft reported the flaw as exploited in the wild at disclosure, and CISA has added it to the Known Exploited Vulnerabilities Catalog, which requires federal civilian agencies to apply Microsoft’s update by the listed due date and is a strong signal for everyone else to do the same.

    The fix shipped in Microsoft’s July 2024 Patch Tuesday release, which addressed multiple vulnerabilities across various products. Organizations running affected versions of Windows 11 and Windows Server 2022 should confirm that their build is covered and install the update promptly. Regular patching and adherence to vendor guidance remain the baseline defense against known vulnerabilities. For the list of affected builds and KB numbers, refer to the official Microsoft Security Response Center (MSRC) advisory.


    CVE-2024-38094

    CVE-2024-38094 is a remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data (CWE-502). Disclosed on July 9, 2024, it affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft rates it Important, with a CVSS v3.1 base score of 7.2 and vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network exploitable with low attack complexity and no user interaction, but requiring high privileges (an authenticated user with Site Owner permissions or better), and leading to high impact on confidentiality, integrity, and availability. The CVSS v2 score is 8.3 (AV:N/AC:L/Au:M/C:C/I:C/A:C), reflecting network access, low complexity, and a medium level of required authentication.

    Security updates are available for each affected version: 16.0.17328.20424 for SharePoint Server Subscription Edition, 16.0.10412.20001 for SharePoint Server 2019, and 16.0.5456.1000 for SharePoint Enterprise Server 2016. Microsoft’s exploitability assessment is “Exploitation More Likely”, so organizations should apply these updates immediately and keep an eye on SharePoint servers for anomalous activity, particularly from accounts that hold Site Owner rights. For more information, refer to the official MSRC advisory.


    CVE-2024-23692

    CVE-2024-23692 is a critical vulnerability in the Rejetto HTTP File Server (HFS) affecting versions up to and including 2.3m. It is a template injection flaw that lets a remote, unauthenticated attacker execute arbitrary commands on the server by sending a specially crafted HTTP request. CISA has added it to the Known Exploited Vulnerabilities Catalog, confirming active exploitation in the wild.

    The vulnerability has a CVSS v3.1 base score of 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: remotely exploitable, low complexity, no privileges or user interaction, and high impact on confidentiality, integrity, and availability. The CVSS v2 score is 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), reflecting complete impact across all three CIA (Confidentiality, Integrity, Availability) metrics.

    HFS 2.3m is end of life and will not receive a fix. Users should migrate to Rejetto HFS 3, a rewrite that does not share this flaw, or take the 2.x server offline. Because HFS exists to share files and is commonly exposed to the internet, any instance that was reachable while unpatched should be treated as potentially compromised and reviewed for signs of post-exploitation (new accounts, scheduled tasks, dropped binaries, outbound connections) rather than simply upgraded in place. For more information, refer to the entry in the NIST National Vulnerability Database.
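    Since the flaw was exploited before many operators knew about it, the practical question for an HFS 2.x owner is whether anyone already tried. HFS 2.x renders pages through a template engine whose macros open with “{.” followed by a macro name and close with “.}”, and public analyses of the exploitation showed the payload arriving through a query parameter with a leading null byte. The Python below is an added example written for this review, not code from Rejetto or from the original post; the access-log lines are constructed, and the indicators it looks for (null byte, macro opener, macro terminator) are a heuristic, not a signature from any vendor. It normalizes each request target and reports any request carrying those delimiters.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format); none come from a real server.
# Lines 1 and 4 carry HFS template-macro syntax inside the search parameter,
# once percent-encoded and once with literal braces.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2024:08:12:01 +0000] "GET /?search=%00%7B.exec%7Cwhoami.%7D HTTP/1.1" 200 512
198.51.100.7 - - [10/Jul/2024:08:12:05 +0000] "GET /?search=quarterly+report HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jul/2024:08:13:44 +0000] "GET /~upload HTTP/1.1" 200 1320
203.0.113.9 - - [10/Jul/2024:08:14:02 +0000] "GET /?search=%00{.+exec|cmd.exe+/c+whoami.} HTTP/1.1" 200 640
"""

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Opening delimiter of an HFS 2.x template macro followed by a macro name, e.g. {.exec
_MACRO_OPEN_RE = re.compile(r"\{\.\s*\w+")


def request_indicators(path: str) -> list:
    """Return the HFS-injection indicators present in one request target.
    Decoding twice catches double-encoded payloads; unquote_plus also turns
    '+' into spaces, which is how the query string is actually interpreted."""
    decoded = unquote_plus(unquote_plus(path))
    indicators = []
    if "\x00" in decoded:
        indicators.append("null byte in request")
    if _MACRO_OPEN_RE.search(decoded):
        indicators.append("HFS macro opener '{.<name>'")
    if ".}" in decoded:
        indicators.append("HFS macro terminator '.}'")
    return indicators


def scan_log(text: str) -> list:
    """Return one record per suspicious request: source IP, timestamp, method,
    raw path, status and the indicators that fired."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in common log format
        src, ts, method, path, status = m.groups()
        found = request_indicators(path)
        if found:
            hits.append({"src": src, "time": ts, "method": method,
                         "path": path, "status": int(status), "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["path"], "->", ", ".join(hit["indicators"]))
```

    A 200 response on a request that fired all three indicators is the case to escalate: it means the server accepted the request, and the host should be handled as a suspected compromise rather than just upgraded.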


    CVE-2024-38086

    CVE-2024-38086 is a remote code execution vulnerability in the Azure Kinect SDK, disclosed by Microsoft on July 9, 2024. The root cause is a numeric truncation error (CWE-197). Microsoft rates the maximum severity as Important rather than Critical because of the access needed to exploit it: the CVSS v3.1 base score is 6.4 with vector CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The impact on confidentiality, integrity, and availability is high, but the attack vector is physical (AV:P), meaning the attacker needs physical access to the target system, and the attack complexity is high (AC:H), meaning exploitation depends on conditions outside the attacker’s control. No privileges or user interaction are required. The CVSS v2 score is 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C), a medium rating that again reflects high impact tempered by the need for local or physical access.

    Microsoft has fixed the issue in Azure Kinect SDK version 1.4.2. VictorV (Tang Tianwen) of Kunlun Lab is credited with discovering and reporting the vulnerability. For more information, including the official security update, refer to Microsoft’s Security Update Guide.


    CVE-2024-6387

    CVE-2024-6387, nicknamed “regreSSHion”, is a signal handler race condition in the OpenSSH server (sshd). If a client does not complete authentication within LoginGraceTime (120 seconds by default), sshd’s SIGALRM handler runs, and in affected versions that handler calls functions such as syslog() that are not async-signal-safe. An unauthenticated remote attacker who times connections to hit this window can corrupt heap state and, in the worst case, achieve remote code execution as root. The flaw is a regression of CVE-2006-5051: the original fix was accidentally undone in OpenSSH 8.5p1 (October 2020) when a preprocessor guard around the logging code was removed.

    The vulnerability carries a CVSS v3.1 base score of 8.1 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: network exploitable with no privileges or user interaction and high impact on confidentiality, integrity, and availability, but high attack complexity, since winning the race takes many attempts over a period of hours. OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 are affected; versions before 4.4p1 are also affected unless the CVE-2006-5051 fix was backported. Exploitation was demonstrated on 32-bit glibc-based Linux systems; 64-bit exploitation is believed feasible but had not been shown at the time of disclosure, and OpenBSD is not vulnerable because its handler uses the async-signal-safe syslog_r(). Affected packages exist across Red Hat, Debian, Ubuntu, FreeBSD, NetBSD, and other distributions, so the impact is broad rather than confined to a single operating system.

    To remediate, update OpenSSH to 9.8p1 or to a distribution package that backports the fix. Many vendors patched their existing version rather than bumping it, so check the package changelog rather than the version in the banner. Where an immediate update is not possible, setting LoginGraceTime 0 in sshd_config removes the race condition at the cost of exposing sshd to connection-exhaustion denial of service; limiting SSH exposure with firewall rules or a bastion host and watching for bursts of unauthenticated connections from a single source are useful compensating controls. For detailed guidance, refer to the OpenSSH release notes and the advisory from your operating system vendor, such as Red Hat, Ubuntu, or FreeBSD.
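    The first step in scoping exposure is usually an inventory pass over SSH banners, and the version ranges above translate directly into code. The Python below is an added example written for this review, not code from the OpenSSH project or the original post; the banners are constructed, and the classification follows the ranges published in the Qualys advisory. The Ubuntu banner is deliberately the awkward case: Ubuntu shipped its fix as a patched 9.6p1 package whose banner did not change, so the tool can only place such a host “in the vulnerable range” and insist that the package changelog be checked.

```python
import re
import socket

# Constructed banners (not captured from real hosts). The Ubuntu one is the
# interesting case: Ubuntu shipped the regreSSHion fix as a patched 9.6p1
# package, so the banner alone cannot prove the host is vulnerable.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-dropbear_2022.83",
]

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner: str):
    """Return (major, minor) from an SSH identification string, or None if the
    server is not OpenSSH. The portable 'pN' suffix is not needed here because
    the range boundaries (8.5p1, 9.8p1) are the only releases of those versions."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def regresshion_status(banner: str) -> str:
    """Classify a banner against the ranges in the Qualys advisory for
    CVE-2024-6387. Anything 'in vulnerable range' still needs the package
    changelog checked, because vendors backport fixes without changing the
    upstream version string."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not OpenSSH"
    if v < (4, 4):
        return "vulnerable unless CVE-2006-5051 fix backported"
    if v < (8, 5):
        return "not vulnerable"
    if v < (9, 8):
        return "in vulnerable range (confirm distro backport)"
    return "fixed"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line. The server sends it first, so no
    client handshake is needed. Network use only; not called by the sample run."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).split(b"\r\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45} {regresshion_status(b)}")
    # Interim mitigation if patching must wait (trade-off: sshd becomes easier
    # to tie up with idle connections):
    #   sshd_config:  LoginGraceTime 0
```

    Run against a real fleet, grab_banner() replaces the constructed list; the point of keeping the classification separate from the network code is that the same function works over banners collected by an existing scanner or pulled from asset inventory.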


    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • GXC Team: Elevating Malware-as-a-Service with AI-Powered Phishing Kits

    A Spanish-speaking cybercrime group named GXC Team has been observed elevating the standard of phishing attacks by bundling phishing kits with malicious Android applications. This innovative approach has taken malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity firm Group-IB has been tracking this e-crime actor since January 2023, describing their solution as a “sophisticated AI-powered phishing-as-a-service platform” targeting users of more than 36 Spanish banks, various governmental bodies, and 30 institutions globally.

    The phishing kit alone is priced between $150 and $900 per month. However, the bundle that includes both the phishing kit and Android malware is available for approximately $500 per month. This subscription model has widened their target base, including users from Spanish financial institutions, governmental services, e-commerce platforms, banks, and cryptocurrency exchanges in countries like the United States, United Kingdom, Slovakia, and Brazil. To date, 288 phishing domains linked to this campaign have been identified.


    Combining Phishing Kits and Android Malware

    What sets the GXC Team apart is their innovative method of combining phishing kits with SMS OTP stealer malware, deviating from traditional phishing attack scenarios. Instead of simply using bogus web pages to capture credentials, victims are persuaded to download a malicious Android banking app. This app, once installed, requests permissions to become the default SMS app, enabling it to intercept OTPs and other messages, which are then exfiltrated to a Telegram bot controlled by the attackers.

    Security researchers Anton Ushakov and Martijn van den Berk highlighted this novel approach in their report, noting that the malicious app opens genuine bank websites in WebView, allowing users to interact normally. However, when an OTP is requested, the malware silently intercepts and forwards the SMS messages containing the OTP codes to the attackers’ Telegram chat. This mechanism enhances the credibility of the scam, making it more convincing for victims.


    AI-Powered PaaS

    Among the services advertised by the GXC Team on a dedicated Telegram channel are AI-powered voice calling tools. These tools enable their customers to generate voice calls based on a series of prompts from the phishing kit, making the scams even more convincing. These calls typically impersonate bank representatives, instructing targets to provide 2FA codes, install malicious apps, or perform other actions.

    The use of AI in cybercrime is not new, but its integration into phishing-as-a-service platforms is a recent development. AI-powered voice cloning can mimic human speech with “uncanny precision,” facilitating authentic-sounding phishing (vishing) schemes that aid in initial access, privilege escalation, and lateral movement within networks. This technological advancement enables threat actors to impersonate executives, colleagues, or IT support personnel, manipulating victims into revealing confidential information or taking harmful actions.

    AI-powered phishing-as-a-service (PaaS) platforms use machine learning to generate realistic, personalized phishing emails that mimic legitimate communications from trusted sources. These emails are tailored using data gathered from social media profiles, email addresses, and other publicly available information, increasing the likelihood of deceiving the recipient. By automating the creation and distribution of phishing content, AI-powered PaaS significantly lowers the barrier to entry for cybercriminals, enabling them to launch large-scale phishing campaigns with minimal effort.

    The Mechanics of AI-Powered PaaS

    AI-powered PaaS platforms incorporate several advanced technologies to enhance their phishing capabilities:

    1. Natural Language Processing (NLP): NLP algorithms analyze and generate human-like text, creating convincing phishing emails that are contextually relevant and grammatically correct. This makes it harder for recipients to distinguish phishing emails from legitimate communications.
    2. Machine Learning (ML): ML models analyze past phishing campaigns to identify patterns and strategies that are most successful. These insights are used to continuously refine and improve the effectiveness of new phishing attacks.
    3. Automation: AI-powered PaaS platforms automate the entire phishing process, from email generation and distribution to data collection and analysis. This allows cybercriminals to launch and manage multiple campaigns simultaneously, increasing their reach and impact.
    4. Deep Learning: Deep learning techniques are employed to create deepfake videos and audio, which can be used in spear-phishing attacks. These realistic forgeries can impersonate trusted individuals, making social engineering attacks more convincing and effective.

    AI is also used to generate vast amounts of unique content for phishing websites, automating the creation process and making it harder for security measures to detect and block these sites. The automation of content generation using large language models (LLMs) allows threat actors to create phishing content more efficiently and at a scale that would be impossible for humans to achieve.


    Advanced Phishing Techniques and AI Integration

    The rise of AI in phishing campaigns has introduced more sophisticated attack vectors. AI-driven phishing kits can create personalized, highly convincing lures that are difficult for both individuals and automated systems to detect. These kits can leverage AI to analyze social media profiles and other publicly available information to craft tailored phishing emails, increasing the likelihood of successful attacks.

    Furthermore, AI enhances the adaptability of phishing campaigns. Attackers can use AI to monitor the effectiveness of their phishing attempts in real time, adjusting their strategies to improve success rates. This dynamic approach makes traditional defense mechanisms less effective, as the phishing tactics continually evolve.

    AI also facilitates the deployment of deepfake technology in phishing attacks. Deepfakes, which are hyper-realistic digital forgeries created using AI, can be used to impersonate trusted individuals in voice or video communications. This can lead to more convincing social engineering attacks, where victims are tricked into performing actions they would not ordinarily undertake, such as transferring funds or disclosing sensitive information.



  • Operation Endgame: Multinational Cyber Operation Dismantles Criminal Network

    The Federal Bureau of Investigation (FBI) has announced the successful execution of Operation Endgame, a groundbreaking multinational cyber operation aimed at dismantling a sophisticated network of cybercriminals. This unprecedented initiative involved coordinated efforts from law enforcement agencies across the United States, Denmark, France, Germany, the Netherlands, the United Kingdom, and other countries, with crucial support from Europol and Eurojust.


    Key Highlights of Operation Endgame

    Operation Endgame marked a significant milestone in the fight against global cybercrime. Beginning on May 28, 2024, this first-of-its-kind operation saw law enforcement agencies in a dozen countries execute searches, make arrests, conduct interviews, and take down or disrupt more than 100 servers involved in various malware operations. The operation specifically targeted the infrastructure of several notorious malware groups, including IcedID, Smokeloader, Pikabot, and Bumblebee. These groups had been responsible for infecting millions of computers worldwide and causing hundreds of millions of dollars in damages.

    FBI Director Christopher Wray emphasized the importance of this operation, stating, “Operation Endgame demonstrates the FBI’s continued fight against cybercrime and malware-as-a-service models. Through joint and sequenced actions, we were able to disrupt the criminal infrastructure of multiple malware services that had been causing extensive damage globally.”


    The Scope and Impact of the Operation

    Operation Endgame involved a series of synchronized actions that spanned multiple countries. Law enforcement agencies in Ukraine, Portugal, Romania, Lithuania, Bulgaria, and Switzerland played pivotal roles in supporting the operation by conducting searches, interviewing or arresting suspects, and seizing or taking down servers.

    The malware groups targeted by this operation were responsible for deploying “droppers” and “loaders” to gain unauthorized access to victims’ computers. These tools were used to drop ransomware or other malicious software designed to steal personal and financial information. Among the notable impacts of these malware attacks was the infection of a hospital network in the United States, which not only resulted in significant financial losses but also posed a serious risk to patient care by compromising critical systems.


    Collaborative Efforts and Global Reach

    The success of Operation Endgame was attributed to extensive collaboration between law enforcement agencies and cybersecurity experts. Key participants included the FBI Charlotte, FBI Indianapolis, FBI Jacksonville, FBI Los Angeles, and FBI Cleveland Field Offices, along with other U.S. agencies such as the Defense Criminal Investigative Service and the United States Secret Service, and international partners including the Danish National Police National Special Crime Unit, the French National Police and National Gendarmerie, Germany’s Federal Criminal Police, the Dutch National Police National Hi-Tech Crime Unit, and the United Kingdom’s National Crime Agency.

    Robert M. DeWitt, the FBI Charlotte special agent in charge, highlighted the critical role played by FBI employees from field offices across the country, noting, “The results of Operation Endgame send a strong message to cybercriminals around the world. The FBI’s expertise in science and technology, combined with the determination to attack cybercriminal networks, has been instrumental in this massive international takedown.”


    Conclusion

    Operation Endgame represents a significant victory in the global effort to combat cybercrime. By dismantling the infrastructure of several major malware groups, this operation has not only disrupted ongoing criminal activities but also sent a clear message about the capabilities and resolve of international law enforcement agencies. As cyber threats continue to evolve, the FBI and its partners remain committed to protecting critical infrastructure and pursuing justice against those who seek to exploit technology for malicious purposes.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • What is MIB (Management Information Base)?

    The Management Information Base (MIB) is a critical component of network management, particularly within systems that utilize the Simple Network Management Protocol (SNMP). A MIB serves as a hierarchical database that defines the information SNMP management systems can request from agents. This structured data is essential for monitoring and managing networked devices efficiently.


    How MIB Works

    A Management Information Base (MIB) functions as a collection of manageable network objects, representing both physical and logical components of a network that are SNMP-enabled. These components include a variety of devices such as computers, hubs, routers, switches, and networking software. Each object within a MIB corresponds to specific configuration parameters or statuses of these devices, like software versions, IP addresses, port numbers, and available storage.

    The MIB hierarchy allows each MIB object to be uniquely identified using a standardized dotted naming system. For example, the root of the LAN Manager MIB II can be represented as:

    • iso.org.dod.internet.private.enterprises.lanmanager
    • 1.3.6.1.4.1.77

    This hierarchical structure is tree-like, encompassing branches for both public networking standards and proprietary implementations by various vendors. These vendors can apply to the Internet Assigned Numbers Authority (IANA) to reserve specific MIB numbers for their products. The LAN Manager MIB II, for instance, includes over 90 objects that SNMP management systems use to gather information about network users, sessions, shares, and more.

    By using SNMP commands, administrators can retrieve or modify the values of MIB objects. This capability enhances the manageability of network resources, allowing for real-time monitoring and adjustments.
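    As an added illustration (not Netizen's or Microsoft's code), the following Python resolves the named path above to its numeric form, extracts the IANA enterprise number from an OID, and applies a read view of the kind an administrator configures so that an agent answers only for approved subtrees. The arc table covers only the standard top-level arcs plus the LAN Manager arc quoted above; the policy in the usage at the bottom is a constructed value.

```python
"""OID helpers for the MIB tree described above.

Added example, not code from the article, Microsoft or any SNMP library.
ARC_NAMES covers only the well-known top-level arcs plus the LAN Manager
arc quoted in the text (enterprises.77); any other name is unknown to it.
"""

# Named arcs keyed by the numeric OID of their parent, so a name is only
# valid directly under the node the standard registers it beneath.
ARC_NAMES = {
    (): {"iso": 1},
    (1,): {"org": 3},
    (1, 3): {"dod": 6},
    (1, 3, 6): {"internet": 1},
    (1, 3, 6, 1): {"directory": 1, "mgmt": 2, "experimental": 3, "private": 4},
    (1, 3, 6, 1, 2): {"mib-2": 1},
    (1, 3, 6, 1, 4): {"enterprises": 1},
    (1, 3, 6, 1, 4, 1): {"lanmanager": 77},     # LAN Manager MIB II, from the text
}
ENTERPRISES = (1, 3, 6, 1, 4, 1)


def parse_oid(text):
    """Turn a dotted OID into a tuple of ints; names, numbers or a mix are accepted."""
    arcs = []
    for label in text.strip().strip(".").split("."):
        if label.isdigit():
            arcs.append(int(label))
        elif label in ARC_NAMES.get(tuple(arcs), {}):
            arcs.append(ARC_NAMES[tuple(arcs)][label])
        else:
            where = to_dotted(arcs) or "<root>"
            raise ValueError(f"unknown arc {label!r} under {where}")
    return tuple(arcs)


def to_dotted(oid):
    return ".".join(str(a) for a in oid)


def is_under(oid, subtree):
    """True if `oid` equals `subtree` or lies anywhere beneath it."""
    return tuple(oid[:len(subtree)]) == tuple(subtree)


def enterprise_number(oid):
    """The vendor's IANA-assigned number if the OID is in the enterprises arc, else None."""
    if is_under(oid, ENTERPRISES) and len(oid) > len(ENTERPRISES):
        return oid[len(ENTERPRISES)]
    return None


class MibView:
    """Read view in the spirit of SNMPv3 VACM: included subtrees minus excluded ones.

    Restricting what an agent answers is how a defender keeps, say, the
    vendor-specific share and session objects off the wire while still
    allowing basic system monitoring."""

    def __init__(self, included, excluded=()):
        self.included = [parse_oid(s) for s in included]
        self.excluded = [parse_oid(s) for s in excluded]

    def allows(self, oid_text):
        oid = parse_oid(oid_text)
        if any(is_under(oid, ex) for ex in self.excluded):
            return False
        return any(is_under(oid, inc) for inc in self.included)


if __name__ == "__main__":
    lanman = parse_oid("iso.org.dod.internet.private.enterprises.lanmanager")
    print(to_dotted(lanman), "enterprise", enterprise_number(lanman))   # 1.3.6.1.4.1.77 enterprise 77
    # Constructed policy: expose mib-2 only, keep the LAN Manager subtree private.
    view = MibView(included=["iso.org.dod.internet.mgmt.mib-2"])
    print(view.allows("1.3.6.1.2.1.1.1.0"), view.allows("1.3.6.1.4.1.77.1"))  # True False
```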


    Example MIBs in Microsoft’s Implementation

    Microsoft’s SNMP implementation in Windows NT and Windows 2000 includes several important MIBs, each serving different aspects of network management:

    • Internet MIB II: This MIB provides objects for analyzing the configuration of TCP/IP networks, offering insights into network performance and configuration.
    • LAN Manager MIB II: This MIB contains objects related to the management of sessions, shares, and users associated with LAN Manager software, including Windows NT and Windows 2000.
    • DHCP MIB: This MIB is used for monitoring Dynamic Host Configuration Protocol (DHCP) statistics, providing vital information about IP address allocation and usage in Windows NT and Windows 2000 environments.
    • WINS MIB: This MIB monitors Windows Internet Name Service (WINS) statistics, helping manage the resolution of NetBIOS names to IP addresses in Windows NT and Windows 2000.

    These MIBs, along with extensions for other SNMP-manageable devices from vendors like Apple, Cisco, and Novell, ensure comprehensive network management capabilities.


    Conclusion

    The Management Information Base (MIB) is a fundamental element of SNMP-based network management systems. By providing a structured and hierarchical database of network objects, MIBs enable detailed monitoring and management of various network components. This ensures that network administrators have the tools they need to maintain optimal network performance and security.



  • Researchers Uncover Unfixable Vulnerability in All ARM CPUs

    In recent developments, a significant vulnerability has been identified in ARM’s Memory Tagging Extension (MTE), a security feature designed to mitigate memory corruption issues in the ARMv8.5-A architecture. This vulnerability exploits speculative execution, a performance optimization feature in modern CPUs, to bypass MTE’s protections and leak sensitive information.


    Understanding Memory Tagging Extension (MTE)

    MTE aims to prevent memory corruption by tagging memory locations and validating these tags during access. Each 16-byte memory block is assigned a 4-bit tag, and the CPU checks if the tag associated with a memory address matches the tag embedded in the pointer during access. If the tags do not match, the CPU raises a fault, thus preventing potential memory corruption. MTE operates in three modes: synchronous, asynchronous, and asymmetric. Synchronous mode raises faults immediately during memory access, asynchronous mode raises faults during context switches to prioritize performance, and asymmetric mode combines features of both for a balance between security and performance.
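    To make the tag mechanics concrete, here is a small Python model of the check, added as an illustration rather than taken from ARM, Google or the TIKTAG researchers. The 16-byte granule and 4-bit tag follow the text; the toy memory size, the tag position in the pointer (bits 56 to 59) and the class and method names are assumptions, and the asymmetric mode is modelled as synchronous for loads and deferred for stores.

```python
"""Software model of MTE tag checking in the three modes described above.

Added illustration; not ARM's, Google's or the TIKTAG researchers' code.
The 16-byte granule and 4-bit tag follow the text. The toy memory size,
the tag position in the pointer (bits 56..59) and the names used here are
assumptions made for this example.
"""
from enum import Enum

GRANULE = 16                      # bytes covered by one tag
TAG_SHIFT = 56                    # pointer tag lives in bits 56..59
TAG_MASK = 0xF
ADDR_MASK = (1 << TAG_SHIFT) - 1


class Mode(Enum):
    SYNC = "synchronous"    # every mismatch faults at the access
    ASYNC = "asynchronous"  # mismatch recorded, access proceeds, fault reported later
    ASYMM = "asymmetric"    # loads behave as SYNC, stores as ASYNC (how "both" is modelled)


class TagCheckFault(Exception):
    """Raised when a synchronous tag check fails."""


def ptr_tag(p):
    return (p >> TAG_SHIFT) & TAG_MASK


def ptr_addr(p):
    return p & ADDR_MASK


def make_ptr(addr, tag):
    return addr | ((tag & TAG_MASK) << TAG_SHIFT)


class MteMachine:
    def __init__(self, mode, mem_size=256):
        self.mode = mode
        self.mem = bytearray(mem_size)
        self.tags = [0] * (mem_size // GRANULE)   # one 4-bit tag per 16-byte granule
        self.pending_fault = False                # deferred path: mismatch seen, not yet reported

    def tag_region(self, addr, length, tag):
        """Colour [addr, addr+length) with `tag` and return the matching tagged pointer.
        An MTE-aware allocator does this on malloc, and again with a fresh tag on free."""
        for a in range(addr, addr + length, GRANULE):
            self.tags[a // GRANULE] = tag & TAG_MASK
        return make_ptr(addr, tag)

    def _check(self, p, is_store):
        addr = ptr_addr(p)
        if addr >= len(self.mem):
            raise IndexError("outside modelled memory")
        granule_tag = self.tags[addr // GRANULE]
        if granule_tag == ptr_tag(p):
            return
        # With 4-bit tags a blind guess matches 1 time in 16; the point of the
        # gadgets in the text is that speculation lets the tag be learned instead.
        deferred = self.mode is Mode.ASYNC or (self.mode is Mode.ASYMM and is_store)
        if not deferred:
            raise TagCheckFault(f"pointer tag {ptr_tag(p):#x} != granule tag {granule_tag:#x} at {addr:#x}")
        self.pending_fault = True      # access goes ahead; the kernel learns of it later

    def load(self, p):
        self._check(p, is_store=False)
        return self.mem[ptr_addr(p)]

    def store(self, p, value):
        self._check(p, is_store=True)
        self.mem[ptr_addr(p)] = value & 0xFF

    def context_switch(self):
        """Deferred faults surface when the kernel inspects the fault state, e.g. on a context switch."""
        f, self.pending_fault = self.pending_fault, False
        return f


def demo(mode):
    """Overflow one byte past a 32-byte allocation, then use a freed pointer; report what happened."""
    m = MteMachine(mode)
    buf = m.tag_region(0, 32, 0x3)       # allocation A
    nbr = m.tag_region(32, 32, 0x5)      # adjacent allocation B
    events = {}
    m.store(buf + 31, 0x41)              # in bounds: always fine
    try:
        m.store(buf + 32, 0x42)          # one past the end, lands in B's granule
        events["overflow"] = "proceeded"
    except TagCheckFault:
        events["overflow"] = "faulted"
    m.tag_region(32, 32, 0x9)            # "free" B: retag so stale pointers no longer match
    try:
        m.load(nbr)                      # use-after-free through the stale pointer
        events["uaf"] = "proceeded"
    except TagCheckFault:
        events["uaf"] = "faulted"
    events["reported_at_switch"] = m.context_switch()
    return events


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, demo(mode))
```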


    Speculative Execution

    Speculative execution allows CPUs to predict and execute future instructions to enhance performance. This feature, while beneficial for speed, can be manipulated to access and leak sensitive information by bypassing security checks that are usually enforced during regular execution.


    Exploiting MTE with Speculative Execution

    Two specific gadgets, termed TIKTAG-v1 and TIKTAG-v2, have been identified to exploit MTE through speculative execution.

    TIKTAG-v1 Gadget

    TIKTAG-v1 exploits branch prediction and data prefetching. It relies on speculative execution to access memory based on predicted branch outcomes, which affects the cache state. The gadget repeatedly dereferences a guessed pointer, causing speculative tag checks. Differences in cache state between tag match and mismatch reveal the correct tag, as speculative execution does not immediately enforce tag checks, allowing an attacker to infer the tag from observed cache behavior. In real-world applications, such as Google Chrome and the Linux kernel, TIKTAG-v1 can leak MTE tags with high accuracy within seconds, enabling attackers to exploit memory corruption vulnerabilities effectively.

    TIKTAG-v2 Gadget

    TIKTAG-v2 exploits store-to-load forwarding. When speculative execution performs a store followed by a load operation, the CPU may forward data without completing the store operation if the tags match. By using store and load instructions to check for tag matches, differences in cache hits and misses can indicate tag correctness. This method relies on the CPU’s behavior to forward data during speculative execution paths. Demonstrated in the V8 JavaScript engine and Chromium, TIKTAG-v2 can leak MTE tags effectively, showing how speculative execution can be used to bypass security mechanisms.


    Implications for ARM MTE Security

    The vulnerability reveals that speculative execution can undermine MTE’s intended protections by leaking tags and allowing unauthorized memory access. This bypasses the fault-raising mechanism of MTE, enabling attackers to execute malicious code or manipulate data undetected. In Google Chrome’s V8 engine, TIKTAG-v2 achieved nearly 100% success in leaking MTE tags, demonstrating the feasibility of such attacks in high-profile software. A TIKTAG-v1 gadget found in the Linux kernel’s snd_timer_user_read() showed potential for leaking tags in kernel space, highlighting the vulnerability’s impact on core system components.


    Mitigation Strategies

    While MTE is a robust mechanism against traditional memory corruption, the discovery of these speculative execution vulnerabilities calls for additional security measures. Potential mitigations include inserting speculative barriers to prevent speculative execution from accessing sensitive data, adding non-essential instructions to delay speculative execution paths, and redesigning CPUs to handle tag checks consistently, regardless of speculative execution states. These findings emphasize the need for continuous advancements in security protocols and hardware design to counteract sophisticated exploitation techniques leveraging speculative execution.



  • CDK Global’s $25 Million Ransomware Payment and its Auto Industry Disruption

    In June 2024, CDK Global, a crucial software provider for auto dealerships, experienced a severe cyberattack by the ransomware group BlackSuit. The attack began on June 19 and led to the shutdown of CDK’s systems until July 5, significantly impacting dealership operations across North America. This incident left approximately half of the nation’s car dealerships struggling to maintain operations, forcing many to revert to manual processes.


    Operational Disruptions and Financial Impact

    The cyberattack resulted in significant financial losses. Anderson Economic Group estimated the total impact at over $1 billion, revising their initial estimate of $944 million. This revised figure includes revenue losses from approximately 56,200 new car sales, earnings losses on parts and services, additional staffing and IT costs, and increased floor plan interest costs on unsold inventory. The disruption forced dealerships to return to pen-and-paper methods, significantly slowing operations and reducing efficiency.


    Ransom Payment

    CDK Global paid a $25 million ransom in cryptocurrency to the attackers. This payment, equivalent to 387 bitcoins, was confirmed by multiple sources, including Chris Janczewski of TRM Labs, as well as through on-chain data. Although CDK has not officially confirmed the payment, evidence suggests it was facilitated by a firm specializing in ransomware response.


    Impact on the Auto Industry

    The attack had widespread repercussions across the auto industry. Major publicly traded dealership groups such as Group 1 Automotive, Lithia Motors, AutoNation, Sonic Automotive, and Asbury Automotive Group reported significant disruptions. J.D. Power and GlobalData projected a 5.4% decline in U.S. retail sales for June 2024 due to the attack.

    Automakers also felt the impact. General Motors acknowledged potential delays in deliveries and sales impacts, with a 0.6% gain in the second quarter and a 0.4% decline for the first half of 2024. Stellantis reported a 21% drop in U.S. sales for the second quarter, while Ford managed a 0.8% increase in sales but noted broader industry challenges due to the attack.


    Detailed Breakdown of the Attack

    On-chain investigator ZachXBT revealed that CDK Global transferred approximately $25 million worth of Bitcoin to a cryptocurrency account controlled by BlackSuit on June 21. This transaction was corroborated by blockchain intelligence platform TRM Labs. The use of cryptocurrency facilitated the ransom payment outside the traditional banking system, although blockchain’s transparency allowed for tracking the transaction.

    The ransom was paid through a firm specializing in handling ransomware demands. Despite paying the ransom promptly, CDK Global waited a week to fully restore services, likely to enhance security measures and address any residual vulnerabilities.


    Federal Guidance and Ransomware Trends

    Federal officials generally advise against paying ransoms, as it can encourage further attacks. However, some companies, like CDK Global, feel compelled to pay to recover data or restore systems. The $25 million ransom paid by CDK highlights the growing threat and impact of ransomware attacks. BlackSuit, the group behind the CDK attack, has a history of ransomware operations under various names since 2019. In 2023, cybercriminals extorted a record $1.1 billion from organizations worldwide.


    Response from CDK and Future Outlook

    The cyberattack on CDK Global and the subsequent ransom payment exemplify the escalating threat landscape faced by industries reliant on third-party software providers. This incident not only disrupted thousands of dealerships but also demonstrated the vulnerabilities in centralized systems. The automotive sector, heavily dependent on seamless software operations, experienced significant operational and financial strains. As organizations navigate these challenges, the importance of rigorous cybersecurity measures and resilient response strategies becomes ever more critical.



  • Atlassian Patches High-Severity Vulnerabilities in Bamboo, Confluence, and Jira

    Atlassian has recently released a series of security updates to address several high-severity vulnerabilities in its Bamboo, Confluence, and Jira products. These updates are crucial for maintaining the security and integrity of these widely-used software solutions.


    Key Vulnerabilities in Bamboo

    The most urgent updates pertain to Bamboo Data Center and Server, where two high-severity vulnerabilities have been resolved. The first, tracked as CVE-2024-22262, is a server-side request forgery (SSRF) vulnerability caused by a flaw in the UriComponentsBuilder dependency. This bug affects Bamboo versions 9.0.0 through 9.6.0 and has been addressed in versions 9.6.3 LTS and 9.2.14 LTS. This vulnerability has a CVSS v2 score of 9.4 and a CVSS v3 score of 8.1, indicating high severity.

    The second issue, CVE-2024-21687, is a file inclusion vulnerability that allows an authenticated attacker to display the contents of a local file or execute a different file already stored on the server. This vulnerability, which also affects Bamboo versions 9.0.0 through 9.6.0, was fixed in Bamboo Data Center and Server versions 9.6.4 LTS and 9.2.16 LTS. CVE-2024-21687 has a high impact on confidentiality and integrity but no impact on availability. It has a CVSS v2 score of 8.5 and a CVSS v3 score of 8.1.


    Updates in Confluence

    Atlassian has also addressed several high-severity vulnerabilities in Confluence Data Center and Confluence Server. Notably, five denial-of-service (DoS) flaws were found in the Apache Commons Compress dependency. Although the vulnerable version of this library exists in Confluence, it is not actively used, which reduces the immediate risk. However, updates were made to ensure future upgrades incorporate newer, safer versions of the library. These fixes were implemented in Confluence Data Center versions 8.9.4, 8.5.12 LTS, 7.19.25 LTS, and Confluence Server versions 8.5.12 LTS and 7.19.25 LTS. Additionally, a stored cross-site scripting (XSS) vulnerability was patched, which could allow an authenticated attacker to execute arbitrary HTML or JavaScript in a victim’s browser.


    Jira Vulnerabilities

    Jira Software Data Center and Server, along with Jira Service Management Data Center and Server, received updates to fix a high-severity vulnerability in the XStream dependency, tracked as CVE-2022-41966. This vulnerability could be exploited to cause a denial-of-service condition. The fixes were included in Jira Software Data Center and Server versions 9.8.0, 9.12.0 LTS, and 9.4.18 LTS, and Jira Service Management Data Center and Server versions 5.8.0, 5.12.0 LTS, and 5.4.18 LTS.


    Detailed CVE Information

    One of the most critical vulnerabilities addressed is CVE-2024-22262. This SSRF vulnerability involves the UriComponentsBuilder used to parse externally provided URLs, which could lead to an SSRF attack if the URL is used post-validation. Detailed information and references for this CVE can be found on platforms like SecurityWeek and Spring.io. Another significant vulnerability, CVE-2024-21687, is a file inclusion flaw that allows an authenticated attacker to display the contents of a local file or execute a different file already stored on the server. This vulnerability has a high impact on confidentiality and integrity but no impact on availability. Further details and references for this CVE can be found on Atlassian JIRA, Atlassian Confluence, and the NVD.


    Conclusion

    Atlassian’s recent updates address critical vulnerabilities across Bamboo, Confluence, and Jira, ensuring that these popular tools are protected against potential exploits. Users are strongly encouraged to apply these patches promptly to mitigate the risk of unauthorized access, data breaches, and service disruptions. For further details on these updates, please refer to the official Atlassian release notes and security advisories.



  • CrowdStrike Falcon Sensor Update Triggers Global BSOD Crisis

    On July 19, 2024, a seemingly routine software update from cybersecurity firm CrowdStrike unleashed a cascade of disruptions across multiple industries worldwide. The update to CrowdStrike’s Falcon Sensor, intended to enhance security for mission-critical systems, instead caused Windows-based systems to crash with Blue Screens of Death (BSODs). The incident began in Australia and quickly spread globally, severely affecting sectors such as airlines, emergency services, financial institutions, and even news media.

    Sky News, a British news site, was unable to broadcast properly this morning due to the CrowdStrike incident

    Sequence of Events

    The first reports of BSODs emerged from Australia, where systems in TV networks, 911 call centers, and financial institutions began crashing. As the problem followed the dateline, similar reports surfaced from other regions, including India, South Africa, Thailand, and several European countries. The Paris Olympics and numerous airlines, including American Airlines, United, Delta, and Frontier, faced significant operational challenges due to the widespread system failures.

    In a thread within the official CrowdStrike subreddit, the moderators posted a statement detailing a manual workaround. The suggested steps involved booting affected systems into Safe Mode or the Recovery Environment, navigating to a specific directory, and deleting a .sys file before rebooting. This labor-intensive solution, requiring manual intervention, exacerbated the disruption because it could not be deployed through a network push.

    At 5:45 am Eastern time, CrowdStrike CEO George Kurtz addressed the issue on social media, confirming that the problem stemmed from a defect in a single content update for Windows hosts. He reassured that the issue had been identified, isolated, and a fix had been deployed. Kurtz emphasized that this was not a security incident or cyberattack, but rather a technical defect in the update.


    Widespread Impact

    The repercussions of the faulty update have been extensive and multifaceted. Airlines have been among the hardest hit, with numerous flights grounded or delayed due to system failures. United Airlines, Delta, American Airlines, and Frontier experienced significant disruptions, with passengers facing long delays and cancellations. The aviation sector’s reliance on interconnected IT systems meant that the outage had a profound ripple effect, causing logistical chaos and operational bottlenecks.

    Emergency services also reported major issues. In Alaska, 911 and non-emergency lines experienced outages, while similar problems were reported across other states and countries. Airports in major cities such as Amsterdam, Berlin, London, and Paris saw delays and long queues as check-in systems malfunctioned. Financial institutions in multiple countries faced operational disruptions as computers crashed, affecting banking services and financial transactions.

    A view of the various blue screens of death at the Amsterdam Airport, via X/Twitter

    Adding to the complexity, Microsoft experienced concurrent outages. Multiple Azure services went down due to a backend cluster management workflow issue, which blocked access between storage clusters and compute resources. This overlap in outages led to confusion regarding the root cause, with some attributing disruptions to Microsoft’s services and others to the CrowdStrike update.

    Microsoft issued an advisory on the BSOD issue affecting virtual machines running Windows, suggesting multiple reboots and manual deletions of the problematic file. This highlighted the intertwined nature of modern IT infrastructures, where issues in one system can have far-reaching consequences across various services.


    Analysis: Overreliance on a Single Vendor

    The CrowdStrike incident brings into the public eye a significant weakness in modern IT practices: overreliance on a single vendor for critical security updates. This dependency can lead to catastrophic outcomes when a failure occurs, as demonstrated by the widespread disruptions following the faulty update.

    Key Issues Identified:

    1. Single Point of Failure: This incident has proven how a single update from one vendor could cascade into a global IT crisis. Many organizations, reliant on CrowdStrike for their security needs, were left vulnerable when the update caused system crashes. This single point of failure disrupted operations across diverse sectors, from aviation to emergency services.
    2. Lack of Redundancy and Diversification: Organizations affected by the outage lacked alternative solutions or redundant systems to mitigate the impact. The absence of diversified security measures meant that when CrowdStrike’s update failed, there were no immediate fallback options, leading to prolonged downtime and operational chaos.
    3. Complexity of Manual Interventions: The suggested manual workaround to fix the issue highlighted the challenges of relying on centralized updates. The labor-intensive process of booting systems into Safe Mode and manually deleting files was impractical at scale, especially for large organizations with thousands of affected machines.
    4. Dependency on Interconnected Systems: The concurrent outages at Microsoft illustrated the risks of interconnected IT ecosystems. The reliance on multiple vendors’ systems created a scenario where failures in one could amplify the impact of failures in another, complicating recovery efforts and prolonging disruptions.

    How Does the Faulty Falcon Sensor Driver Cause a BSOD?

    CrowdStrike Falcon requires installing a lightweight tool called “Falcon Sensor,” which includes services and, crucially, drivers that run in Kernel mode to monitor system activity at a low level—a common practice among security software. When a regular application crashes, it can simply be reopened because it operates in User Mode. However, since Falcon Sensor operates in Kernel Mode, any problem can cause a Kernel Panic, resulting in the dreaded Blue Screen of Death (BSOD) on Windows. In this case, the faulty driver, named “C-00000291*.sys,” caused a Kernel Panic due to a bad read to 0x9c as indicated by the stack trace. Because device drivers load during boot, this issue forces Windows into recovery mode. The only fix is to boot into Safe Mode and delete all files starting with “C-00000291” from the C:\Windows\System32\drivers\CrowdStrike directory. While some systems might be fixed through an update, many will require manual intervention via Safe Mode.


    How Does One Fix a BSOD Caused by the Update?

    To fix the Blue Screen of Death (BSOD) and the “Recovery” loop caused by CrowdStrike, you can follow several methods.

    Method 1

    The first method involves using Safe Mode to delete the faulty file. Boot your computer into Safe Mode by selecting “See advanced repair options” on the Recovery screen, then navigating through “Troubleshoot” > “Advanced options” > “Startup Settings” and restarting your PC. After it restarts, press 4 or F4 to enter Safe Mode. Alternatively, you can press F8 repeatedly during startup to access Safe Mode. Once in Safe Mode, open Command Prompt (Admin) and navigate to the CrowdStrike directory by typing cd C:\Windows\System32\drivers\CrowdStrike. Use the command dir C-00000291*.sys to locate the faulty file and then delete it using del C-00000291*.sys.

    Method 2

    Another method involves renaming the CrowdStrike folder. Boot into Safe Mode as described above, open Command Prompt, and navigate to the drivers directory using cd \windows\system32\drivers. Rename the CrowdStrike folder by typing ren CrowdStrike CrowdStrike_old. This allows the system to bypass the faulty driver during startup.

    Method 3

    A third method requires using the Registry Editor to block the CSAgent service. Boot into Safe Mode and open the Registry Editor by pressing Win+R, typing regedit, and pressing Enter. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent. Find the Start entry, double-click it, and change its value from 1 to 4, which disables the service. Save the changes, close the Registry Editor, and restart your computer. These steps should resolve the BSOD and recovery loop, allowing your system to boot normally.
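    A scripted and reversible form of Method 1, added here as an example (not CrowdStrike's or Microsoft's tooling): instead of deleting the matching channel files it moves them into a quarantine folder after recording name, size, timestamp and SHA-256, so they can be restored once a known-good file is in place and kept for the post-incident review. It assumes Python is available where it runs, pointed at the Windows directory of the affected installation (the live one from Safe Mode, or the offline volume when the disk is mounted on another machine); the quarantine folder name, the manifest format and the sample file names in the demo are assumptions.

```python
"""Reversible version of Method 1 above: quarantine C-00000291*.sys instead of deleting it.

Added example, not CrowdStrike's or Microsoft's tooling. The driver directory
and file pattern come from the text; the quarantine folder name, manifest
format and the constructed sample files are assumptions for this example.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

DRIVER_SUBDIR = Path("System32") / "drivers" / "CrowdStrike"   # from the text
CHANNEL_PATTERN = "C-00000291*.sys"                             # from the text
QUARANTINE_NAME = "CrowdStrike_quarantine"                       # assumption


def sha256_file(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_channel_files(windows_dir, pattern=CHANNEL_PATTERN, dry_run=False):
    """Move every file matching `pattern` out of the CrowdStrike driver directory.

    Returns one manifest entry (dict) per matching file; with dry_run=True the
    entries are returned but nothing is moved. Entries are appended to
    manifest.json in the quarantine folder so the action is auditable."""
    windows_dir = Path(windows_dir)
    driver_dir = windows_dir / DRIVER_SUBDIR
    if not driver_dir.is_dir():
        raise FileNotFoundError(f"CrowdStrike driver directory not found: {driver_dir}")
    quarantine = driver_dir.parent / QUARANTINE_NAME
    entries = []
    for f in sorted(driver_dir.glob(pattern)):
        if not f.is_file():
            continue
        st = f.stat()
        entries.append({
            "name": f.name,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(f),          # hashed before the move, for the review
        })
        if not dry_run:
            quarantine.mkdir(exist_ok=True)
            shutil.move(str(f), str(quarantine / f.name))
    if entries and not dry_run:
        with (quarantine / "manifest.json").open("a", encoding="utf-8") as log:
            for e in entries:
                log.write(json.dumps(e) + "\n")
    return entries


def restore_channel_files(windows_dir):
    """Undo: move quarantined .sys files back once a known-good channel file is confirmed."""
    windows_dir = Path(windows_dir)
    driver_dir = windows_dir / DRIVER_SUBDIR
    quarantine = driver_dir.parent / QUARANTINE_NAME
    restored = []
    for f in sorted(quarantine.glob("*.sys")):
        shutil.move(str(f), str(driver_dir / f.name))
        restored.append(f.name)
    return restored


def build_sample_tree(root):
    """Constructed layout for a dry run; the file names and contents are made up."""
    drv = Path(root) / "Windows" / DRIVER_SUBDIR
    drv.mkdir(parents=True, exist_ok=True)
    (drv / "C-00000291-constructed-a.sys").write_bytes(b"bad channel file")
    (drv / "C-00000291-constructed-b.sys").write_bytes(b"another bad one")
    (drv / "C-00000290-constructed.sys").write_bytes(b"unrelated, must stay")
    return Path(root) / "Windows"


if __name__ == "__main__":
    import tempfile
    win = build_sample_tree(tempfile.mkdtemp())
    for e in quarantine_channel_files(win, dry_run=True):
        print("would quarantine", e["name"], e["sha256"][:12])
```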


    Conclusion

    The CrowdStrike incident serves as a critical lesson in the importance of diversification and redundancy in IT security practices. Organizations must re-evaluate their reliance on single vendors and implement comprehensive strategies to mitigate risks, ensuring resilience in the face of unforeseen disruptions.



  • Federal Court Ruling: Corporate Liability for Law Firm Data Breaches

    A recent federal court decision has significant implications for corporate cybersecurity and third-party risk management. The court ruled that a company could be held negligent for a data breach that occurred at its law firm, allowing a negligence claim against Mondelez Global LLC to proceed following a breach at its law firm, Bryan Cave Leighton Paisner, LLP.

    Case Background

    Mondelez Global LLC, a leading snack food manufacturer, hired Bryan Cave to handle legal services. During this engagement, Mondelez provided Bryan Cave with sensitive personally identifiable information (PII) of its employees, including names, dates of birth, social security numbers, and addresses.

    In early 2023, Bryan Cave discovered unauthorized access to its systems, revealing that hackers had stolen the PII of 51,100 current and former Mondelez employees. This breach put the affected individuals at risk of identity theft, prompting them to take protective measures such as signing up for credit monitoring and securing their financial accounts.

    Legal Arguments

    Following the breach, the affected employees filed lawsuits against both Mondelez and Bryan Cave. Mondelez sought to dismiss these lawsuits, arguing that it could not be considered negligent merely for sharing employee information with its law firm. However, the plaintiffs argued that Mondelez had a duty to ensure that its law firm adhered to proper data security practices and that unnecessary personal information should have been deleted rather than shared.

    The court declined to dismiss the negligence claim against Mondelez, allowing the plaintiffs to further develop their case. This decision suggests that Mondelez will likely incur significant legal fees during the discovery phase and may ultimately settle to avoid an adverse ruling at trial. If Bryan Cave and its insurers cannot satisfy any judgment, Mondelez may be exposed to further liability.

    Implications for Corporate Cybersecurity

    This ruling underscores several critical areas for corporate cybersecurity and compliance:

    1. Third-Party Risk Management (TPRM)
      • Comprehensive Evaluations: Businesses must conduct thorough and ongoing evaluations of their third-party vendors’ data security practices, including regular audits and continuous dialogue about cybersecurity protocols.
      • Security Questionnaires and Checklists: Detailed assessments should be implemented to ensure compliance with the latest security standards.
    2. Data Minimization
      • Assessing Necessity: Companies should determine what information is essential for their operations and ensure that unnecessary PII is securely deleted.
      • Reducing Risk: Minimizing data shared with third parties reduces the exposure risk in the event of a breach.
    3. Contractual Safeguards
      • Mandating Data Protection: Contracts with third-party vendors should include clauses that mandate stringent data protection measures, including regular security audits and breach notification requirements.
      • Provisions for Updates: Contracts should allow for periodic review and updates to security provisions as threats evolve.
    4. Continuous Monitoring
      • Real-Time Visibility: Advanced monitoring tools and technologies should be deployed to provide real-time visibility into third-party vendor activities.
      • Security Information and Event Management (SIEM): Implementing SIEM systems and intrusion detection systems (IDS) can help promptly identify vulnerabilities.
    5. Incident Response and Recovery
      • Robust Plans: Companies should have clear incident response protocols for third-party breaches, including immediate action, communication with affected parties, and coordination with vendors.
      • Breach Simulations: Regular breach simulations can ensure preparedness and effective response to real incidents.

    Impact on Corporate Policy and Strategy

    The court’s decision has broader implications for corporate policy and strategy. Companies must recognize that their responsibility for data security extends beyond their internal systems to include their entire supply chain. This ruling could lead to an increase in litigation against companies whose vendors suffer data breaches, emphasizing the need for proactive third-party risk management.

    Moreover, the case highlights the importance of cross-functional collaboration within organizations. Legal, compliance, IT, and procurement departments must work together to manage third-party relationships with a focus on security. This collaborative approach can help identify potential risks early and implement appropriate safeguards.

    Recommendations

    • Vendor Assessment: Develop a comprehensive framework for evaluating third-party vendors, including detailed security questionnaires and regular audits.
    • Data Minimization: Implement strict data retention policies that mandate the deletion of unnecessary PII and limit data sharing to essential information.
    • Contractual Obligations: Include clear data security requirements in contracts, with provisions for audits, breach notifications, and penalties for non-compliance.
    • Ongoing Monitoring: Use advanced monitoring tools to maintain real-time visibility into vendor activities and ensure compliance with security standards.
    • Incident Response Planning: Develop and regularly update incident response plans to include third-party breach scenarios and conduct breach simulations to ensure preparedness.
