You’re not going to believe this, but there was a lot of misinformation on social media over the weekend after the massive CrowdStrike/Microsoft outage.
As airlines cancelled flights, hospitals had to reschedule patients and some companies just flat-out couldn’t work on Friday, people were quick to assume that the outage, which was actually caused by a faulty CrowdStrike Falcon update, was a cyber attack.
Media headlines posed the question: “Cyber attack, or outage?” Social posters quickly assumed this was some sort of “hack.”
On the one hand, I get it. Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads that it’s a “hack,” because that’s how they’ve always been displayed in works of fiction or as the generic image of a “hack” anytime there is actually a real cyber attack.
That’s not to say there aren’t many lessons to be learned from this outage, and at some point, we’ll be ready to dig into those. But also calling this a cyber attack can spread unnecessary FUD, especially when threat actors are trying to capitalize on the outage to spread malware in actual cyber attacks.
The one big thing
Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024, accounting for 60 percent of engagements. Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row. There was a slight increase in ransomware where Talos IR responded to Mallox and Underground Team ransomware for the first time this quarter, as well as the previously seen Black Basta and BlackSuit ransomware operations.
Why do I care?
Within BEC attacks, adversaries will compromise legitimate business email accounts and use them to send phishing emails to obtain sensitive information, such as account credentials. Adversaries can also use compromised accounts to send emails with fraudulent financial requests, such as changing bank account information related to payroll or vendor invoices. Targeting employees’ personal mobile devices can be an effective method for initial access because they may not have the same security controls as their corporate devices. Organizations should ensure SMS phishing scams are included in security awareness training for employees.
So now what?
The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts to prevent the spread of BEC.
Top security headlines of the week
A false narrative spread over the weekend that Southwest Airlines was using a very old version of Windows, which allowed it to escape the CrowdStrike-related outage. Many news outlets reported that Southwest’s system relies on Windows 3.1, released more than 20 years ago. However, this does not actually appear to be the case, though Southwest’s systems may still be outdated compared to its competitors. Instead, Southwest may have been largely unaffected by the outage simply because it doesn’t use CrowdStrike. Delta, American, Spirit, Frontier, United and Allegiant airlines all reported that they were affected by the outage, forcing the cancellation of thousands of flights across the globe. The source of the story that Southwest uses Windows 3.1 appears to come from posts on social media, the original one of which provided no sources, links or background information to back this statement up. Another popular piece of fake news that made the rounds during the widespread outage was that the Las Vegas Sphere was a victim of the outage, with a fake image spreading online appearing to show the “blue screen of death” on the outside of the concert and event venue. (Kotaku, OSNews)
U.K. police arrested a teenager suspected of being a member of the Scattered Spider hacking group and a perpetrator of the massive MGM ransomware attack last year. The arrest is part of a larger investigation conducted by the National Crime Agency in the U.K. and the U.S.’s FBI into a hacking group that is known to breach networks, steal data and deploy ransomware. While not named explicitly in the arrest announcement, this group is largely known as Scattered Spider. The group breached MGM’s network last year, taking hotel and casino services offline for several days, even just forcing some casino operations to stop altogether. MGM eventually paid a multi-million dollar ransomware to the attackers. Scattered Spider is a group of English-speaking threat actors, some of whom are as young as 16, and commonly communicate via Telegram channels and Discord servers. An English detective involved in the operation stated that the 17-year-old in question was part of a group that “targeted well-known organizations with ransomware, and they have successfully targeted multiple victims around the world, taking from them significant amounts of money.” (Bleeping Computer, Dark Reading)
Russian state-sponsored actors or hacktivist groups are likely to try and disrupt the upcoming Olympic games in France via cyber attacks, misinformation campaigns and deepfake photos and videos. Russia has been excluded from the Summer Olympics because of its involvement in an alleged doping scheme with its athletes and has been increasingly hostile toward the West for its support of Ukraine. Russian threat actors have already been spreading disinformation, with Microsoft warning that some actors have been deploying influencers deploying artificial intelligence to “denigrate the reputation of the [International Olympic Committee]” and “creating the expectation of violence” at the Olympics. French authorities have also already arrested a Russian national who the government alleges was planning various events to “destabilize” the games. Researchers from FortiGuard Labs have also reported that there has been a spike of dark web activity among known Russian adversaries, including Cyber Army Russia Reborn and LulzSec, specifically saying they plan to target the Olympics. Russia may also seek to use its influence on hacktivist groups to do its bidding so that the Russian government has plausible deniability in any activities. (Forbes, Financial Times)
Can't get enough Talos?
Upcoming events where you can find Talos
BlackHat USA (Aug. 3 – 8)
Las Vegas, Nevada
Defcon (Aug. 8 – 11)
Las Vegas, Nevada
BSides Krakow (Sept. 14)
Krakow, Poland
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
SHA 256: 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d
MD5: fd743b55d530e0468805de0e83758fe9
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: W32.File.MalParent
SHA 256: 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
MD5: 49ae44d48c8ff0ee1b23a310cb2ecf5a
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
MD5: 200206279107f4a2bb1832e3fcd7d64c
Typical Filename: lsgkozfm.bat
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd