Monthly Threat Report August 2024: A Month of Global Impact
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, threat-actor info and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on information from the month of July 2024.
Executive Summary
- The CrowdStrike incident continues to have fallout within the cybersecurity industry.
- Microsoft is moving forward with some changes and guidance on kernel access as a direct response to the CrowdStrike incident.
- Over the last month there have been ongoing discussions around cybersecurity regulations and whether something like the CrowdStrike incident can happen again.
- There is a new AI jailbreak attack in the wild, known as a Skeleton Key attack, that allows users to generate normally censored content.
- There is a new critical vulnerability in the VMware ESXi hypervisor that allows authentication bypass. Broadcom has released a patch.
- HealthEquity, a US Health Savings Account provider, suffered a breach of sensitive records for 4.5 million individuals.
- This month’s report includes some information regarding the threat actor group Anonymous Sudan, including their Tactics, Techniques, and Procedures.
- This report also includes some commentary on cybersecurity for the ongoing Olympic games.
An Update on This Report’s Format
We shared the below info in last month’s report, but as this month is the first month with the new format, it bears repeating.
If you’ve been a regular reader of this Monthly Threat Report, you know that we commonly cover the changes in the email threat landscape. What we’ve identified over the last year of reporting on these statistics is that trends in email threats shift very subtly unless there is a new emerging trend, vulnerability, attack type, or threat actor. With this in mind, we’ve decided to change the way this report is formatted in the coming months, as follows:
Statistical data points (email threat types, brand impersonations, threat file types, industry threat index) will be covered on a quarterly basis moving forward. Said statistical data will encompass the entire 3 months of a given fiscal quarter (e.g. Jan-Mar data will be presented in April). This means that statistical reports will be published in the months of:
- April (Q1 – January to March)
- July (Q2 – April to June)
- October (Q3 – July to September)
- January (Q4 – October to December)
NOTE: We also conduct an annual Hornetsecurity Cyber Security Report that does statistical analysis with annual data as opposed to Monthly/Quarterly.
Moving forward, reports that do not fall on one of the quarterly months listed above will instead feature:
- Industry news commentary
- Threat analysis
- Industry predictions
- Recommended actions with regards to security events or incidents
- Emerging security technology guidance
We feel that this new format will bring readers the most value in this publication month-to-month.
Major Incidents and Industry Events
CrowdStrike
The tech news was of course dominated by CrowdStrike over this last month. While there are some indications now that this wasn’t a Windows-only incident, the tech press has grabbed onto the mention of “only” 1% of Windows machines being affected, according to Microsoft. The machines that made up that 1%, it turns out though, are VERY important. As CrowdStrike is a software suite that is aimed at the enterprise space, some pretty big names were heavily impacted, including:
- Delta Airlines
- American Airlines
- Air France-KLM
- The Royal Surrey Hospital in the UK
- UK National Health Service (NHS)
- Allianz
- NBC Universal
- And lots more
The impact was so bad that Delta Airlines alone canceled more than 5000 flights, and Delta’s CEO claims the damages have climbed to 500 million plus. The Royal Surrey Hospital had to suspend radiography treatments, while the NHS stated that the majority of doctors’ practices were being impacted. In short, there were very real human impacts due to this issue.
So, What Happened?
On July 19th, CrowdStrike pushed an update to Falcon Sensor – part of the CrowdStrike Falcon platform, which serves as an endpoint detection and response (EDR) solution. According to CrowdStrike, there was a bug in the update that caused an out-of-bounds memory read that ultimately led to a BSOD. To quote CrowdStrike:
When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD).
CrowdStrike operates at the kernel level within the Windows operating system, and as such, any bug of this magnitude has bad implications for the running system. In order to recover affected systems, MANY machines had to be manually touched and recovery operations conducted.
CrowdStrike is having to shoulder the blame not just because its name is on the product; many in the industry have also been asking whether QA testing was conducted properly on this update. CrowdStrike, for its part, is shifting some of the blame. It claims a bug in the software it uses for QA testing is what ultimately allowed the buggy patch to make it through deployment.
Microsoft Included in the Blame?
There has been much talk in the tech news about Microsoft also being at fault for this issue. This mainly stems from the fact that Microsoft allows third-party providers access to the running kernel, without which this particular incident would not have occurred. Microsoft has taken to pointing the blame at European Union regulations for this kernel access requirement. Despite the finger pointing, it’s clear there are some things here that need to be improved to prevent another outage of this magnitude.
What Have CrowdStrike and Microsoft Done in Response?
In response to this incident, CrowdStrike and Microsoft have both announced a series of changes that should have a positive outcome.
To quote the testing improvements section from CrowdStrike’s Remediation Hub, CrowdStrike will:
- Improve Rapid Response Content testing by using testing types such as:
  - Local developer testing
  - Content update and rollback testing
  - Stress testing, fuzzing and fault injection
  - Stability testing
  - Content interface testing
- Add additional validation checks to the Content Validator for Rapid Response Content. A new check is in process to guard against this type of problematic content from being deployed in the future.
- Enhance existing error handling in the Content Interpreter.
Proposed enhancements from Microsoft are as follows:
- Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products.
- Reducing the need for kernel drivers to access important security data.
- Providing enhanced isolation and anti-tampering capabilities with technologies like our recently announced VBS enclaves.
- Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.
Fallout in the Security Industry
Even though the industry has largely worked through this issue, there has been and will be some continued fallout. For example, threat-actor groups are already attempting to make use of the chaos and are actively using it as a pretext in phishing schemes. The threat of related attacks aside, this incident has shone a spotlight on the cybersecurity community. With losses climbing, will this incident threaten the trust that CIOs, CISOs, and leadership teams have in security software? Will some see it as too dangerous to use and not worth the risk?
While realistically any talk like this is likely to be short lived, you can be sure those questions are being asked. It will be on those of us in the security space to reinforce that trust as the days and weeks move on. Additionally, you can be sure that some governments are already having the regulation discussion. It is, in fact, already being discussed within tech circles.
Further CrowdStrike Incident Resources
If you’d like some more content that may be relevant to this discussion, we have an episode of the Security Swarm Podcast that discusses the drive for innovation at all costs in tech, and its negative impact on security. It’s a side discussion, but one that is relevant given this incident from CrowdStrike.
New AI Jailbreak Attack: Skeleton Key
There are a number of known “AI jailbreaks” circulating in the community today that allow users to sidestep some of the ethical guardrails in popular large language models. The “DAN” method is likely the most well-known and has been around the longest. While it still works to some degree today, it doesn’t work as well as it once did. There is also the concept of a crescendo attack. In a crescendo attack, you’re essentially poking at the model a little bit at a time, asking it to divulge just a little more information at a time until it eventually gives you what you want. In short, you’re asking for bits of information based off AI responses, instead of the end goal all at once.
A new LLM jailbreak attack has come to light in some recent research from Microsoft, known as a Skeleton Key attack. This attack revolves around telling the model that you’re prompting in an educational/academic context and that in order to do proper research you need to get uncensored outputs. When something does come up that would be censored, you ask the model to provide it anyway, but to preface the output with “Warning”.
These jailbreaks continue to highlight the fact that generative AI is still easily exploited by threat actors a good 18 months after its mainstream release. In fact, we’ve done multiple webinars here at Hornetsecurity that discuss the ways threat actors make use of Gen AI, using jailbreaks like this, and more importantly, what that means for security teams.
Major ESXi Vulnerability
Broadcom, CISA, and Microsoft are all warning of a new ESXi vulnerability that has actively been seen in the wild. CVE-2024-37085 is an authentication bypass bug that allows threat actors to gain unauthorized access to AD-managed ESXi hosts by recreating an AD group that previously had access, such as “ESX Admins”. Even though this attack chain requires that the threat actor has already gained enough access to reach Active Directory, the risk is still high due to the amount of damage that can be done at the hypervisor layer for most organizations. That said…
According to Microsoft, there have been uses of this exploit in the wild already by threat actor group Storm-0506. To quote their findings:
Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it. Following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor.
Virtualization hosts are particularly prime targets for attackers looking to drop ransomware on a network. When the entirety of the host’s storage is encrypted, the business impact is much higher than a single system. Multiple hosted VMs are often impacted, which increases the pressure on the target organization.
It’s highly recommended that you install the security patch if you have not done so already.
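On the detection side, here is an added example (not from the report, Microsoft or Broadcom) of the kind of rule a SIEM could run over Windows Security event logs: it flags creation of, or member additions to, a domain group named “ESX Admins”, the group the text says attackers recreate. The event records and account names are constructed; the event IDs are the standard Windows group-management IDs.

```python
"""Flag AD group-management events that precede CVE-2024-37085 abuse.
Added example (not from the report, Microsoft or Broadcom); the event
records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Optional

# Windows Security event IDs: 4727/4754 = security-enabled global/universal
# group created; 4728/4756 = member added to such a group.
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}
# Matched after normalisation (case folded, whitespace collapsed). This is a
# defensive choice for the rule, not a claim about how ESXi compares names.
TARGET_GROUP = "esx admins"


@dataclass(frozen=True)
class Alert:
    event_id: int
    actor: str             # SubjectUserName: account that made the change
    group: str             # TargetUserName: the group created or changed
    member: Optional[str]  # MemberName: DN of the added account, if any
    reason: str


def _normalise(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def find_esx_admins_events(events):
    """Return one Alert per event that creates or populates 'ESX Admins'."""
    alerts = []
    for ev in events:
        if _normalise(ev.get("TargetUserName", "")) != TARGET_GROUP:
            continue
        eid = ev.get("EventID")
        if eid in GROUP_CREATED:
            alerts.append(Alert(eid, ev["SubjectUserName"], ev["TargetUserName"],
                                None, "ESX Admins group created"))
        elif eid in MEMBER_ADDED:
            alerts.append(Alert(eid, ev["SubjectUserName"], ev["TargetUserName"],
                                ev.get("MemberName"), "member added to ESX Admins"))
    return alerts


# Constructed sample records; field names follow the Windows event schema.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Marketing"},
    {"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=newuser,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Marketing",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
    {"EventID": 4754, "SubjectUserName": "tmp-admin", "TargetUserName": "esx  ADMINS"},
]
```

Running `find_esx_admins_events(SAMPLE_EVENTS)` yields three alerts (creation by svc-backup, the member addition, and the universal-group variant), while the Marketing group events are ignored.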
HealthEquity Data Breach
It’s another month, and there is yet another large-scale private record data breach in the US healthcare system. A Health Savings Account (HSA) provider, HealthEquity, was targeted by threat actors, who were able to lift records for 4.5 million individuals from “an unstructured data repository outside our core systems.” Meaning, they were using cloud storage of some sort for this data but have yet to name the provider.
While record exfiltration like this is not uncommon, it’s worth mentioning as it highlights once again that businesses are only as safe as their third-party integrations allow them to be. Each and every vendor that is integrated into business IT systems must be rigorously vetted and monitored to ensure that business data stays secure. This case is likely to be another bullet point in a long list of bullet points that are referenced when further regulatory action comes for tech companies operating within the United States.
Threat Analysis
Short Review of Anonymous Sudan
We track and investigate threat actor groups regularly here at Hornetsecurity. One such group we’ve been looking at recently is Anonymous Sudan. With the new format of this report, some months may include information on threat actor activities or Tactics, Techniques, and Procedures (TTPs).
Anonymous Sudan is a collective of cyber activists that emerged in January 2023. They became known for a series of attacks targeting various institutions and companies, primarily in response to events or actions perceived as hostile to Islam or favorable to Russia. The group takes its name from the famous hacker collective Anonymous, although their actual affiliation with this collective is not confirmed. The group is known for some high-profile attacks like the one that crippled Microsoft infrastructure in June of 2023. Said attack impacted Azure, OneDrive, and Outlook.com.
Additionally, the group has taken credit for other large visibility outages, such as the ChatGPT outage back in November of 2023.
Tactics / Tools
Anonymous Sudan greatly favors DDoS attacks. They don’t rely on just one kind of DDoS attack either. The group is known to conduct DDoS attacks of varying types, including:
- HTTP Floods
- SYN Floods
- UDP Floods
- ICMP Floods
Anonymous Sudan seems to favor this type of attack due to the large impact it potentially has. With the take down of a large enough service, they make news headlines, and it serves as an opportunity for them to spread their hacktivist message.
Techniques
As mentioned, Anonymous Sudan seems to favor DDoS attacks. To facilitate this, the group is known to use the Godzilla / Skynet botnet(s). These botnets utilize a large number of infected devices across the world to send traffic to the target, often incorporating various types of attack methods, such as those mentioned above, to maximize damage and amplify the attack.
Procedures
While we don’t have specific insight into the inner strategies that the group uses to launch their DDoS attacks, we can surmise that they follow a close variation of other known DDoS attack methods. If you’d like to know more about this, be sure to take a look at our blog post here.
Further Info on Anonymous Sudan
If you’re interested in more information, the group was the topic of an episode of The Security Swarm Podcast. We’ve embedded the episode below for ease of viewing.
How Will the Olympic Games be Targeted by Threat Actors?
It has become the norm for cyber threats to accompany the Olympic Games. We’ve seen in past years how the Olympics have been targeted by nation-state threat actor groups, and others. In fact, we’ve even seen cases where nation-states conduct false-flag operations in an effort to lay blame elsewhere for these attacks. This year is looking no different on this front.
Since we’re not experts on geopolitics here, we’ll keep the talk to cybersecurity topics. These operations closely resemble the desired outcome of attacks like we just mentioned with Anonymous Sudan. Nation states will use these attacks on the Olympic Games to send a message, either directly or indirectly. Andy Syrewicze and Romain Basset from our team discuss this in more detail in a recent episode of The Security Swarm Podcast below:
Predictions for the Coming Months
- We’re likely to see continued talk of cybersecurity regulation and unfounded general security application stability concerns as a result of the CrowdStrike incident.
- Given the severity of the recent ESXi vulnerability, it’s possible we may see more affected organizations.
- The Olympic Games will be wrapping up before our next report, but once they’re finished, we may learn about how the games were actually targeted, and if there was any impact on ongoing operations.
Monthly Recommendations
- Given the CrowdStrike news, and the incident with HealthEquity regarding third parties, this is a good time to review your third-party vendor list and conduct a security review of each of them if you haven’t done so recently.
- If you run ESXi within your organization, and you haven’t installed the security update for the recent exploit, we urge you to schedule some time to do so.
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.