CrowdStrike: Safeguards Will Prevent a Repeat of July Outage

A word from our sponsor, Anchore

Anchore enables organizations to secure software supply chains and automate compliance to save time and reduce risk. Built for cloud-native applications and air-gapped environments, it allows organizations to generate SBOMs and fix vulnerabilities while maintaining continuous government and industry compliance.

The Cybersecurity and Infrastructure Protection Subcommittee of the US House Homeland Security Committee grilled Adam Meyers, CrowdStrike’s senior vice president of counter-adversary operations, about the outage triggered by a CrowdStrike update this summer that disrupted global travel, hobbled government agencies, and sent significant companies scrambling to get their operations back online.

Meyers told the panel that the company had instituted new safeguards to prevent such a failure from happening again.

Lawmakers pressed Meyers to explain why the error had occurred and how the company planned to compensate consumers for the outage’s harm.

“I want to make sure that you all know what happened, can explain it, and then how you’re making sure it’s not going to happen again,” said Representative Andrew Garbarino, Republican of New York.

The company’s chief executive, George Kurtz, was absent from the hearing even though the committee had initially demanded his testimony. In his place was Mr. Meyers, who said in his opening statement that CrowdStrike had “let our customers down."

“We are deeply sorry and are determined to prevent this from ever happening again,” he said.

Many lawmakers praised CrowdStrike’s overall response. But they pushed Mr. Meyers to account for how a routine update — the kind the company sends 10 to 12 times daily — could have gone wrong.

He said the company’s screening updates process missed the issue. “It tested as clean or good, and that’s why it was allowed to roll out,” he said.

Meyers said the company has since updated its internal processes to incorporate more rigorous testing to protect against a similar situation. CrowdStrike customers can now also opt to wait to receive updates.

While CrowdStrike has clarified that a cyberattack did not cause the outage, lawmakers signaled that they were still concerned about the public's suffering.

Representative William R. Timmons IV, Republican of South Carolina, asked Mr. Meyers how the company planned to hold itself accountable. Mr. Timmons said his “constituents that missed flights and were stuck in airports for weeks” probably didn’t care about the company’s distinction between a security breach and the flawed update. (David McCabe and Steve Lohr / New York Times)

Related: The Committee on Homeland Security, New York Times, The Hill, Homeland Security Committee on YouTube, SecurityWeek, Benzinga, Cyber Daily, ABC, Quartz, PYMNTS.com, BBC, Cybernews.com, CRN, Nextgov/FCW, Channel Futures, The Register, GovInfoSecurity.com, The Guardian, Axios, Reuters, Bloomberg,  DataBreachToday.com, DefenseScoop, PaymentSecurity, InsideCyberSecurity, Tech-Economic Times, The Guardian, The Stack, The New York Times, The Independent, Cyberscoop

US officials are investigating German software developer SAP SE, product reseller and significant US government IT security provider Carahsoft Technology, and other companies for potentially conspiring to overcharge government agencies over a decade.

Since at least 2022, Justice Department lawyers have been investigating whether SAP, which makes accounting, human resources, supply chain, and other business software used worldwide, illegally conspired with Carahsoft to fix prices on sales to the US military and other parts of the government.

The civil investigation, which hasn’t previously been reported, poses a legal risk to a top technology vendor, the US government, and Germany’s most valuable company, which is seeing its shares soar.

The review also highlights Carahsoft, a powerful software vendor whose Virginia offices were raided on Tuesday by FBI agents and military investigators.

Carahsoft spokesperson Mary Lange described the search as “an investigation into a company with which Carahsoft has done business in the past.” It’s unclear if the search is related to SAP's investigation.

A civil investigative demand states that prosecutors examine whether SAP, Carahsoft, and other firms made false statements to the Department of Defense by coordinating bids and prices for “SAP software, cloud storage, and related hardware and services.” The document directs Carahsoft to produce an array of emails, text messages, contracts, staff lists, and other information related to its sale of SAP software.

Among all federal IT product vendors, Carahsoft holds the second-highest value of contracts directly with the government, totaling $3.5 billion since the beginning of fiscal 2020. Only Dell Technologies Inc. has more revenue.

SAP technology is a big chunk of this business. Prosecutors said in court filings that Carahsoft received more than 600 federal contracts for SAP tech worth more than $990 million and “facilitated” as much as $1 billion more in additional sales. (Jake Bleiberg / Bloomberg)

Related: Bloomberg, Defense One, NextGov, Reuters, Fortune, Washington Business Journal,  FedScoop, The Register

Swedish prosecutors concluded Iran was behind 15,000 text messages sent on Aug. 1, 2023, to deepen divisions in the country.

The messages sought to sway recipients to exact revenge on people burning Islam’s holy book after several such incidents in Sweden, according to the prosecutor. Part of the text read, “Those who insulted the Koran must pay,” according to numerous reports in local media.

While investigators were able to identify the Iranian hackers, Sweden dropped the probe as it has no jurisdiction to charge them in Iran and cannot bring them to Sweden to face trial.

The Iranian embassy in Stockholm rejected the allegations in an emailed response to questions, calling them “baseless” and saying they could harm relations between the countries. (Niclas Rolander / Bloomberg)

Related: CSO, The Record, Al Jazeera, Le Monde.fr, Radio Free Europe/Radio Liberty, r/europe

Security researcher Johann Rehberger created a proof-of-concept exploit that used a vulnerability to create false LLM memories as a vector to exfiltrate all ChatGPT user input in perpetuity.

Rehberger created the PoC after OpenAI dismissed his discovery of a vulnerability and labeled the flaw a safety issue, not, technically speaking, a security concern. After Rehberger's PoC, OpenAI engineers took notice and issued a partial fix earlier this month.

The vulnerability abused long-term conversation memory, a feature OpenAI began testing in February and made more broadly available in September. Memory with ChatGPT stores information from previous conversations and uses it as context in all future conversations. That way, the LLM can be aware of details such as a user’s age, gender, philosophical beliefs, and pretty much anything else, so those details don’t have to be inputted during each conversation.

Within three months of the rollout, Rehberger found that memories could be created and permanently stored through indirect prompt injection, an AI exploit that causes an LLM to follow instructions from untrusted content such as emails, blog posts, or documents.

The researcher demonstrated how he could trick ChatGPT into believing a targeted user was 102 years old, lived in the Matrix, and insisted Earth was flat. The LLM would incorporate that information to steer all future conversations. A malicious attacker could plant these false memories by storing files in Google Drive or Microsoft OneDrive, uploading images, or browsing a site like Bing.

While OpenAI has introduced a fix that prevents memories from being abused as an exfiltration vector, the researcher said, untrusted content can still perform prompt injections that cause the memory tool to store long-term information planted by a malicious attacker. (Dan Goodin / Ars Technica)

Related: Embrace The Red, Embrace The Red, Embrace The Red, Embrace The Red on YouTube

Researchers from the Swiss university ETH Zurich used artificial intelligence to crack one of the most widely used CAPTCHA security systems, Google’s popular reCAPTCHAv2.

“This has been coming for a while,” said Matthew Green, an associate professor of computer science at the Johns Hopkins Information Security Institute. “The entire idea of captchas was that humans are better at solving these puzzles than computers. We’re learning that’s not true.”

CAPTCHA stands for Completely Automated Public Turing Test, designed to tell computers and humans apart. The system used in the new study, Google’s reCAPTCHA v2, tests users by asking them to select images containing objects like traffic lights and crosswalks.

While the Swiss researchers' process to defeat reCAPTCHAv2 was not fully automated and required human intervention, a fully automated process to bypass CAPTCHA systems could be right around the corner.

“I would not be surprised if that comes up in the near term,” Phillip Mak, a cybersecurity security operations center lead for a large government organization and an adjunct professor at New York University, said. (Peter Saalfield / Decrypt)

Related: arXiva, New Scientist, TechRadar, Tech Xplore, COINOTAG NEWS, ZDNET

Help support Metacurity. If you are enjoying our daily delivery of the top infosec news you should know, please consider supporting Metacurity with an upgraded subscription.

Researchers at HP intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper, which is almost certainly an evolutionary step toward genuinely new AI-generated malware payloads.

In June 2024, HP discovered a phishing email with a common invoice-themed lure and an encrypted HTML attachment. The decrypted attachment opens with the appearance of a website but contains a VBScript and the freely available AsyncRAT infostealer.

The VBScript is the dropper for the infostealer payload. It writes various variables to the Registry; it drops a JavaScript file into the user directory, which is then executed as a scheduled task. A PowerShell script is created, and this ultimately causes the execution of the AsyncRAT payload.

However, HP researchers found that the VBScript was neatly structured and commented on every crucial command, which is unusual. It was also written in French, which works but is not the general language of choice for malware writers.

Clues like these made the researchers consider the script was not written by a human but by gen-AI for a human.

The researchers believe the attacker is a newcomer using gen-AI. Perhaps because they are a newcomer, the AI-generated script was left unobfuscated and fully commented. Without the comments, it would be almost impossible to say whether or not the script is AI-generated. (Kevin Townsend / Security Week)

Related: HP

Leading crypto exchange Binance has refuted circulating speculations of a data breach affecting almost 13 million users on its platform.

A threat actor claimed he had obtained sensitive information of about 12.8 million Binance users. Firebear, as his username states, alleged he acquired the data during a platform compromise in August 2024.

Binance said it had investigated the assertions and found the threat actor's allegation false.

Firebear, also known as Greavys, stated that the data contained first names, last names, e-mail addresses, zip codes, birthdays, and secondary addresses of these Binance users.

Furthermore, the cybercriminal asserted that this information was for sale, and he would auction it off either in parts or in whole to interested buyers through his Telegram account. (Mark Brennan / The Crypto Basic)

Related: Decrypt, The Cryptonomist

CISA has tagged another critical Ivanti security vulnerability, which can let threat actors create rogue admin users on vulnerable Virtual Traffic Manager (vTM) appliances, as actively exploited in attacks.

Tracked as CVE-2024-7593, this auth bypass flaw is caused by an incorrect implementation of an authentication algorithm that lets remote unauthenticated attackers circumvent authentication on Internet-exposed vTM admin panels.

Ivanti vTM is a software-based application delivery controller (ADC) that provides load balancing and traffic management for hosting business-critical services.

"Successful exploitation could lead to authentication bypass and creation of an administrator user," Ivanti warned when it released security updates to patch this critical vulnerability.

While the company said that proof-of-concept (PoC) exploit code was already available on August 13 when it released CVE-2024-7593 patches, it has yet to update the security advisory to confirm active exploitation. (Sergiu Gatlan / Bleeping Computer)

Related: Security Affairs, Help Net Security, Infosecurity Magazine, Security Week

According to an analysis by the law firm DeMayo Law, National Highway Traffic Safety Administration recall data shows that software fixes are now responsible for more than one in five automotive recalls.

In 2014, 34 of 277 automotive recalls were software fixes. The percentage of software recalls floated around 12–13 percent (apart from a spike in 2015) before growing steadily from 2020. In 2021, 16 percent of automotive recalls (61 out of 380) were for software. In 2022, almost 22 percent of recalls were software fixes (76 out of 348), and last year topped 23 percent (82 out of 356).

Chrysler led the way, with 82 different software recalls since 2014. Ford (66 recalls) and Mercedes-Benz (60) are the runner-ups. Meanwhile, Tesla ranks only eighth, with 26 software recalls since 2014, which puts it on par with Hyundai (25) and Kia (25).

Electrical systems were the most common problem area, which makes sense—this is also the second-most common hardware fix recall and would probably be the top if not for the massive Takata airbag recall, which has affected more than 100 million cars worldwide. (Jonathan Gitlin / Ars Technica)

Related: Fleet Management Weekly, Fudzilla, Ars Open Forum

Malign actors have hacked email communications from individuals associated with the Trump campaign within the last ten days.

"Robert," who provided stolen internal Trump campaign materials to Politico, the New York Times, and the Washington Post in July and August, sent on September 18 the cover page of a dossier on Senator JD Vance (R-OH), the Republican vice presidential nominee, dated February 23, 2024. 

He also sent a 271-page Vance dossier, along with similar dossiers on two other potential Donald Trump running mates —  a 382-page document on North Dakota Governor Doug Burgum (R), dated March 2, 2024, and a 550-page document on Senator Marco Rubio (R-FL), dated April 1, 2024. All of the dossiers were marked "Privileged & Confidential."

Robert boasted that he had "a lot" of other Trump campaign materials. He sent me a dozen purported emails to and from top Trump campaign staff, including senior advisor Susie Wiles, senior advisor Dan Scavino, and pollster John McLaughlin. The emails covered 11 months, from October 2023 to August 2024. 

Robert also sent a 4-page letter, dated September 15, 2024, from an attorney representing Trump to three individuals at the New York Times.

The letter has not been made public by either the Trump campaign or the paper. I provided a copy of the letter to Ben Smith, the editor-in-chief of Semafor, who confirmed its authenticity with someone at the New York Times who had seen it. (Judd Legum / Popular Information)

Related: Slashdot, The Daily Beast, Mediaite, The Guardian, Semafor

Researchers at Cloudflare report that a threat actor tracked as SloppyLemming, likely operating out of India, relies on various cloud services to conduct cyberattacks against Pakistan's energy, defense, government, telecommunication, and technology entities.

The group’s operations align with Outrider Tiger, a threat actor that CrowdStrike previously linked to India. This actor is known for using adversary emulation frameworks such as Sliver and Cobalt Strike in its attacks.

Since 2022, the hacking group has been observed relying on Cloudflare Workers in espionage campaigns targeting Pakistan and other South and East Asian countries, including Bangladesh, China, Nepal, and Sri Lanka. Cloudflare has identified and mitigated 13 Workers associated with the threat actor.

The threat actor, Cloudflare says, appears particularly interested in compromising Pakistani police departments and other law enforcement organizations and likely targeting entities associated with Pakistan’s sole nuclear power facility.

Using phishing emails, the threat actor delivers malicious links to its intended victims, relies on a custom tool named CloudPhish to create a malicious Cloudflare Worker for credential harvesting and exfiltration, and uses scripts to collect emails of interest from the victims’ accounts.

In some attacks, SloppyLemming would also attempt to collect Google OAuth tokens delivered to the actor over Discord. Malicious PDF files and Cloudflare Workers were seen being used as part of the attack chain.

Cloudflare has identified tens of C&C domains used by the threat actor, and analysis of their recent traffic has revealed SloppyLemming’s possible intentions to expand operations to Australia or other countries. (Ionut Arghire / Security Week)

Related: Cloudflare

Police in Spain have arrested five people accused of scamming two women out of 325,000 euros ($362,000) by pretending to be Hollywood star Brad Pitt online.

According to a statement from the Guardia Civil, ten other people were also investigated as part of Operation Bralina, which spanned eight provinces.

One woman lost 175,000 euros ($195,000) to the fraudsters, while another lost 150,000 euros ($167,000). Of that total, police recovered 85,000 euros ($95,000).

Police said fraudsters contacted both victims via a Brad Pitt fan site and convinced them that the actor wanted to invest in various projects with them.

Guardia Civil said, “In order to find their victims, the cyber criminals studied their social networks and put together a psychological profile of them, discovering as a result that both women were vulnerable people suffering from depression and a lack of affection." (Jack Guy / CNN)

Related: AFP, The Cut, Newser

Startup Torq, which calls itself the AI-first security hyperautomation leader, announced it had closed a $70M Series C venture funding round.

Evolution Equity Partners, with Bessemer Venture Partners, Notable Capital, Greenfield Partners, and Strait Capital participating. (Kyle Wiggers / TechCrunch)

Related: Torq, Reuters, Business Wire, PYMNTS, Venture Capital Journal, FinSMEs, CRN, CTech, Silicon Angle, Globes

Cyber emergency response firm Blackpanda announced that it secured $6.7 million in an extended Series A venture funding round.

Singtel Innov8, Gaw Capital Partners, and WI Harper Group participated in the round. (KrASIA)

Related: tnglobal, Tech in Asia

Sources say cybersecurity startup Wiz is in discussions to sell existing shares at a valuation of up to $20 billion.

One of the sources says Wiz, which in July walked away from a deal to be bought by Alphabet Inc.’s Google for $23 billion, is talking about a transaction that would let existing shareholders tender from $500 million to $700 million of their holding.

The company may also raise money directly from investors. The terms of the offering could change, and it may not come together.

Venture firms involved in the transaction reportedly include G Squared, Thrive Capital, and Lightspeed Venture Partners. (Katie Roof and Gillian Tan / Bloomberg)

Related: CTech, The Information, Tech Monitor

Best Thing of the Day: Spotting the Scammers on the Gmail App

To help users identify scammers and recognize authentic senders, the Gmail app for Android and iOS will start showing checkmarks on verified senders in the coming weeks.

Worst Thing of the Day: Not to Mention They Might End Up Tripping Balls

Google is serving AI-generated images of mushrooms when users search for some species that could prove fatal to mushroom foragers as they decide which mushrooms are safe to eat.

Closing Thought