this post was submitted on 23 Jul 2024
11 points (73.9% liked)

Asklemmy

43992 readers
853 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

The CrowdStrike cyber event affected 8.5 million Windows machines and was the biggest IT outage in history. It has "beaten" even the cyber attacks of WannaCry and NotPetya.

https://www.bbc.com/news/articles/cpe3zgznwjno

Can/will this method be used by hackers? What would they need to do to take advantage of that vulnerability?

EDIT: typo

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 33 points 4 months ago* (last edited 4 months ago) (1 children)

The "vulnerability" here was basically just having Kernel level access, which CrowdStrike is intended to have. If hackers had that, they've already won anyway. The difficulty lies in actually getting that level of access. So no, it doesn't change a thing for hackers.

[โ€“] [email protected] 1 points 4 months ago (1 children)

So how about hacking CrowdStrike and obtaining that access? I'm guessing it might be easier than hacking Microsoft?

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

[โ€“] [email protected] 13 points 4 months ago (1 children)

So how about hacking CrowdStrike and obtaining that access? Iโ€™m guessing it might be easier than hacking Microsoft?

Maybe. CrowdStrike is a company which specializes in security and has some pretty smart folks in that area. They also live and die by the perceived value of their security products. So, security is pretty important to the company. Microsoft is a conglomerate, and while it does have some arms which specialize in (and are pretty good at) security, the company's continued existence doesn't depend on their performance. So, the Microsoft President can go in front of Congress and promise to do better, and we all know this is bullshit and Microsoft will continue to be Microsoft.

As for an attacker actually leveraging the CrowdStrike platform as part of an attack. It's entirely possible. Security products have been found to have vulnerabilities in the past. IIRC, McAfee's ePO server was vulnerable to Log4j. And given CrowdStrike's engine runs in Ring 0 on the endpoints, it's certainly an attractive target. Finding a Remote Code exploit in it seems like something an APT like the NSA or PLA Unit 61398 might get up to. That said, as I mentioned above, CrowdStike also employs a lot of smart folks and is likely doing it's level best to find those vulnerabilities first and fix them.

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

Ya. Really, any EDR or A/V product is going to run in Ring 0. And any such kernel level driver crashing is going to cause a BSOD. That's just the way Windows is designed. I have personally dealt with bad updates from several other products causing BSODs. Including one which brought down the entire site I was working at, at the time. I believe it also took down a number of other sites as well. Since, once I figure out how to get the bad update out of our system, the folks responsible for the update actually reached out and asked me what I did.

Ultimately, products like these exist in a very trusted state on systems, because they have to. if and when they crash, you can expect a BSOD. In this case, I suspect CrowdStrike is going to receive (and they deserve) a lot of shit for the way this one went down. The reporting I've seen states that the update file was just a mass of null bytes. And it seems there was no sanity checking or error handling for a corrupt update being pushed by CrowdStrike. I suspect that's gonna get fixed pretty quick, but it was a pretty bad oversight for a product with regular, live updates.

[โ€“] [email protected] 3 points 4 months ago

Great comment. And cool story about your fix!