Crowdstrike Breaks The Internet
Plus a hacker steals 1.1TBs from Disney
Sorry, Kim Kardashian. You’re not the only one who can break the Internet and cause global flight delays. Crowdstrike, a leader in cyber security products, pushed a bad update that Windows systems digested about as well as days-old gas station sushi. More on this below…
Today, we’re covering:
Crowdstrike breaks the Internet
Hackers steal Disney secrets
Ransomware attacks limit blood supply and furniture stock
-Jason
AI Spotlight Breaking News
Crowdstrike BSOD
We interrupt this week’s AI news update with the week's biggest news. Crowdstrike broke the Internet.
Let’s start off with a level set. Crowdstrike is a great company. They have some of the best security software in the industry and a world-class services team. Only a few companies in the world can say that.
But every company has a bad day…for Crowdstrike, that bad day was just a lot worse than most. The headlines on Friday, July 19th, were all about IT outages.
I found myself in the airport looking at delayed flights and error messages scattered across monitors for Windows systems that couldn’t boot.
Gate monitor at Boston’s Logan Airport
So, what happened? On Friday, July 19, 2024, at 05:27 UTC, Crowdstrike released a sensor configuration update for Windows systems. Sensor configuration files contain code for detecting malicious activity on the system. When the code is written well, it can detect all sorts of bad things, like hackers installing malware or being sneaky. Updates to these files can occur several times daily so that the sensors have the latest information on stopping hackers.
When the code is bad, a different outcome occurs. In this case, an update to the now infamous Channel File 291, which looks for malicious network traffic, included bad code. That code triggered a logic error that resulted in the Windows systems crashing and throwing the classic blue screen of death (BSOD).
How many systems were impacted? Systems that were online on Friday, July 19, 2024, between 04:09 UTC and 05:27 UTC may have been impacted. After 05:27 UTC, Crowdstrike fixed the bad update so systems would no longer crash. Of course, systems that had already received the update needed some love and attention.
The fix wasn’t fancy, but it worked. Guidance quickly came out to try what your IT team always tells you…reboot the system. For some users, that worked because the reboot pulled down the updated sensor configuration file, and everything was good to go. For others, it required a manual workaround: boot the system into safe mode and delete the bad sensor configuration file.
For every IT team who scrambled to get this fixed, we salute you. To Crowdstrike, major #hugops for a quick response and transparency on the issue.
Security Deep Dive
Massive Disney Leak
On July 12, 2024, an attacker known as NullBulge released a 1.2 TB archive that they claimed contained years of Disney’s internal Slack data, including chats and files shared via the messaging solution.
The story of how this hack happened started weeks before. NullBulge was very vocal on X about their activities. Like a Disney storyboard, we’re going to walk through it all.
On June 24, 2024, the group posted about a big dump coming soon. At that point, they claimed they were halfway through stealing the data. A closer look at the screenshot below shows they likely used a tool called slackdump, which allows you to export your private and public Slack messages, threads, and files. Use of this tool suggests that the attackers had compromised credentials that gave them access to a Disney employee’s Slack account.
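One defensive counterpart to the slackdump-style export described above is to watch for a single account sweeping an unusual number of channels in a short window. The script below is an added example, not from the newsletter, slackdump or Slack; its JSON event format, action names and user IDs are constructed for illustration and would need mapping onto a real workspace’s audit or access logs.

```python
"""Flag Slack accounts whose read/download volume looks like a bulk export.

Added example. The log format, action names and user IDs below are
constructed for illustration, not Slack's real audit-log schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Actions a slackdump-style export generates in bulk (hypothetical names).
EXPORT_ACTIONS = {"conversation_history_read", "file_downloaded"}

# Constructed sample: one normal user, and one account reading 60 distinct
# channels within a single hour on the date the newsletter cites.
SAMPLE_EVENTS = "\n".join(
    [json.dumps({"ts": "2024-06-24T02:%02d:00Z" % i, "user": "U_EXPORTER",
                 "action": "conversation_history_read", "channel": "C%04d" % i})
     for i in range(60)]
    + [json.dumps({"ts": "2024-06-24T02:10:00Z", "user": "U_NORMAL",
                   "action": "conversation_history_read", "channel": "C0001"}),
       json.dumps({"ts": "2024-06-24T02:11:00Z", "user": "U_NORMAL",
                   "action": "message_posted", "channel": "C0001"})]
)


def parse_events(text):
    """Parse JSON lines into (utc_timestamp, user, action, channel) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in exported logs
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), rec["user"],
                       rec["action"], rec.get("channel")))
    return sorted(events, key=lambda e: e[0])


def flag_bulk_exporters(events, window=timedelta(hours=1), max_channels=25):
    """Return {user: peak distinct channels touched in any `window`} for
    users whose peak exceeds `max_channels`. Sliding window per user."""
    per_user = defaultdict(list)
    for ts, user, action, channel in events:
        if action in EXPORT_ACTIONS and channel:
            per_user[user].append((ts, channel))
    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop hits that fell out of the window
            peak = max(peak, len({c for _, c in hits[start:end + 1]}))
        if peak > max_channels:
            flagged[user] = peak
    return flagged
```

Tune `max_channels` against a baseline of normal per-hour channel activity for the workspace; the constructed sample flags `U_EXPORTER` at 60 channels and leaves `U_NORMAL` alone.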
Five days later, on June 29th, the attacker claimed they were close to an entire terabyte of stolen Slack data.
On July 4th, we saw the first evidence of stolen data: the attacker posted a screenshot of what appears to be an internal business dashboard.
They also posted screenshots of various PPTs and Word documents.
It wasn’t until July 12th that NullBulge announced on X (seriously, why did Elon rename Twitter to X) the release of the entire data set.
Meanwhile, on the group’s leak site, which sits on the clear web, they highlighted that the 1.1 TB of data included the data collected from almost 10K Slack channels. Interestingly, they called out that they had an “inside man” who got nervous and cut off their access. This could indicate that an employee gave them their credentials, or it could simply mean that they lost their access.
nullbuldge.se
With the story complete, the question is: who is NullBulge? They’re a self-proclaimed hacktivist group “protecting artists’ rights and ensuring fair compensation for their work.”
nullbuldge.se
As SentinelOne points out in their blog post, they also dabble in supply chain attacks and basic ransomware attacks. Remember, on the Internet, no one knows you’re a dog.
Security News
What Else is Happening?
👋 What happens when the US bans you from selling security software in the US? You shut shop in the US. That’s the lesson Russian anti-virus company Kaspersky learned the hard way.
☎️ AT&T purportedly paid $370K to the attacker who stole call and text logs for nearly all of AT&T's cellular customers. The ransom is currently being laundered through crypto mixers and gambling services. Something tells me it won’t smell as nice as using Downy.
🤖 AI company Lattice is walking back an announcement that they were giving “digital workers” official employee records. When I say “digital workers,” I don’t mean remote employees. I mean AI digital workers. To summarize the Internet’s feedback, which led to Lattice walking this back: “Umm…wtf, why?”
🪪 Per the Identity Theft Resource Center, “The number of data breach victims in H1 2024 (1,078,989,742) increased 490 percent compared to the first half of 2023 (182,645,409).” This was largely driven by the Snowflake-related data breaches.
👮 UK police arrested a 17-year-old boy who may have participated in the attacks against MGM Resorts.
🛋️ Bassett Furniture shut down manufacturing following a ransomware attack. In a recent 8-K filing, they said that customers could order furniture, but their ability to fulfill those orders is impacted.
🩸 In bad news for UK patients and vampires, the UK national blood stocks are “very fragile” following a ransomware attack that impacted London hospitals.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week!