Kevin Kardian’s Post

The CrowdStrike disaster and why Microsoft has to act. The below article from Kevin Beaumont is excellent and describes the various aspects that crippled IT systems a few weeks ago. "Almost every major EDR vendor has kernel access in Windows — think the highest level of ‘god mode’ — and they’re installed on hundreds of millions of systems. There’s nothing inherently wrong with this. Where it starts to get sketchy, however, is they also almost all obscure their software to prevent analysis — partly to stop crooks, but also to avoid research — and lock research and testing behind non-disclosure agreements. They’re pushing out updates constantly, often many times a day, with [ZERO] customer visibility, [ZERO] accountability and [ZERO] regulatory scrutiny. Some of these EDR vendors, including CrowdStrike, publish updates in a way which allows them to run detection code from the kernel in an [UNSAFE] way, which can trigger blue screens." It is simply astonishing how Microsoft could allow vendors to run untested code on the kernel level. And what has happened to the good practice of "Exception handling" when executing code? A matter of severe negligence on many levels. #microsoft #windows #crowdstrike #outages #leadership #security #risk

Why companies should check any update before installing it for all the company?🚨 and how any supplier can cause a huge reputational damage by himself?🚨 Yesterday, a significant outage affected Windows users globally, linked to a recent CrowdStrike update. This disruption caused widespread issues, including system crashes and productivity halts. 🔍 **What happened?** - A critical security update from CrowdStrike inadvertently triggered the outage. 🔧 **What to do next?** 1. **Stay Informed:** 📢 Follow updates from CrowdStrike and Microsoft. 2. **Update Systems:** 🖥️ Ensure all patches and updates are applied. 3. **Backup Data:** 💾 Regularly backup your data to avoid future disruptions. 4. **Check your Updates:** 🔍 The most important thing !!! Always review and check updates before installation to avoid potential conflicts !!! 🛡️ **Conclusion:** This incident underscores the importance of robust IT management and preparedness before installing any update ! 🔐 For the supplier side as CS, reputation is priceless, perform the checks on your side before sending it to your customers ! ---link to Forbes article attached below-- https://lnkd.in/djkt2HQE

Crowdstrike released its version of what happened last week. This quote from the article struck as highly ironic: "When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSoD)." Two things come to mind with this statement: 1. Running the patch in a TEST ENVIRONMENT may have detected it, thus preventing the PRODUCTION SYSTEM from a catastrophic failure. Companies who blindly trust patches, even from respected firms, 2. No out-of-bounds checking? We handled that problem a quarter-century and more at the computer company and the manufacturing company I worked for by building callable objects to pass parameters to in order to check bounding - because we knew as far back as 30 years ago that code errors happen and boundaries get no respect. This might well have prevented it in a code test before it even got anywhere near a final test. More than anything else, I get the feeling this was a classic case of Hubris being rapidly and devastatingly followed by Nemesis. One cannot help but wonder what sort of legal/financial penalty Crowdstrike is going to incur as a result of this.

As an Auditor, if I had a dime for each time I had a finding of lack of testing, I'd have a boatload of dimes. As an IT guy, if I had a dime for each time I argued for resources for proper testing, I'd have another boatload. Management has a tendency to look at testing as a money pit, and if you know your job you should not have to waste so many resources on testing.

Please be cautious when searching for news and steps to recover from potential threats. CrowdStrike has reported that there are URLs posing as legitimate CrowdStrike sites. While some of these domains may not currently be hosting malicious content, they could be used for future social-engineering attacks. It is important to verify the authenticity of websites before interacting with them. Some of the suspicious domains include: crowdstrike.phpartners[.]org crowdstrike0day[.]com crowdstrikebluescreen[.]com crowdstrike-bsod[.]com crowdstrikeupdate[.]com crowdstrikebsod[.]com www.crowdstrike0day[.]com www.fix-crowdstrike-bsod[.]com crowdstrikeoutage[.]info www.microsoftcrowdstrike[.]com crowdstrikeodayl[.]com crowdstrike[.]buzz www.crowdstriketoken[.]com www.crowdstrikefix[.]com fix-crowdstrike-apocalypse[.]com microsoftcrowdstrike[.]com crowdstrikedoomsday[.]com crowdstrikedown[.]com whatiscrowdstrike[.]com crowdstrike-helpdesk[.]com crowdstrikefix[.]com fix-crowdstrike-bsod[.]com crowdstrikedown[.]site crowdstuck[.]org crowdfalcon-immed-update[.]com crowdstriketoken[.]com crowdstrikeclaim[.]com crowdstrikeblueteam[.]com crowdstrikefix[.]zip crowdstrikereport[.]com Read more at

#news Last week the world witnessed a historic day, as the software update from the leading cybersecurity company broker 8.5 million computers, causing massive outrage. As a result, several airlines in the USA were grounded and health facilities were halted. The faulty update was included in a configuration file known as channel 291. Since CrowdStrike's software, being WHQL-certified by Microsoft, can interact with the kernel, this caused Windows devices to encounter the Blue Screen of Death and reboot endlessly. Some C++ experts explained that the issue might be due to the creation of a null pointer without proper checks. Immediately after the faulty update, CrowdStrike released another update to rectify the issue. However, devices that were not connected to the cloud required a physical fix, which could take weeks. This process involved deleting the config file 291 in Safe Mode. Let's hope the companies affected by this incident recover quickly, and that thorough testing will be implemented for future updates to prevent similar issues.

Einmal zur Information. 8 - K Mitteilung von CrowdStrike an die SEC CrowdStrike FORM 8-K with the SEC: "On July 19, 2024, CrowdStrike Holdings, Inc. (“we” or “us”) released a sensor configuration update for our Falcon sensor software that resulted in outages for a number of our customers utilizing certain Windows systems (the “event”). The event was not caused by a cyberattack. We urgently mobilized teams to support the security and stability of our customers. Certain Windows systems that were online when the update was released at 4:09 UTC on July 19 were affected. We identified and isolated the issue and the update was reverted at 5:27 UTC. We continue to work with impacted customers to fully restore their systems. As part of that effort, we have provided remediation information through our customer support portal and published event-related updates accessible through our blog at www.crowdstrike.com/blog. This is an evolving situation. We continue to evaluate the impact of the event on our business and operations."

This is why companies cannot rely solely on SSO to protect their organization. Shadow IT is a big problem, and its very easy for a weak password (named after a cat or dog) to give an opening to a bad actor. (i,e: Microsoft) By getting employees to adopt the easiest enterprise password manager on the market (#1 most purchased on Vendr), most people would find it very annoying to go back to manually creating and entering terrible passwords 1Password + SSO = Great password coverage https://lnkd.in/eEGj_nDb

In relation to the recent cyber security issue noted with Crowdstrike, the post below shows the suspicious domains to avoid when searching for news or steps to recover from the issue.

To all my colleagues who work in IT as well as anyone else directly impacted by the recent CrowdStrike outage, thank you for your tireless efforts. If you still have issues feel free to reach out. We're all in this together. Be wary of current/ongoing phishing+impersonation campaigns to imitate CrowdStrike's brand: • Sending phishing emails posing as CrowdStrike support to customers • Impersonating CrowdStrike staff in phone calls • Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights • Selling scripts purporting to automate recovery from the content update issue Here's a list of malicious + suspicious domains attempting to impersonate CrowdStrike: crowdstrike.phpartners[.]org crowdstrike0day[.]com crowdstrikebluescreen[.]com crowdstrike-bsod[.]com crowdstrikeupdate[.]com crowdstrikebsod[.]com www.crowdstrike0day[.]com www.fix-crowdstrike-bsod[.]com crowdstrikeoutage[.]info www.microsoftcrowdstrike[.]com crowdstrikeodayl[.]com crowdstrike[.]buzz www.crowdstriketoken[.]com www.crowdstrikefix[.]com fix-crowdstrike-apocalypse[.]com microsoftcrowdstrike[.]com crowdstrikedoomsday[.]com crowdstrikedown[.]com whatiscrowdstrike[.]com crowdstrike-helpdesk[.]com crowdstrikefix[.]com fix-crowdstrike-bsod[.]com crowdstrikedown[.]site crowdstuck[.]org crowdfalcon-immed-update[.]com crowdstriketoken[.]com crowdstrikeclaim[.]com crowdstrikeblueteam[.]com crowdstrikefix[.]zip crowdstrikereport[.]com There is also a logscale query available below for checking against these domains in your organization. https://lnkd.in/eKxvmJe9