CyberWeekly 20 July | Issue #6
CrowdStrike outage, healthcare ransomware, HIPAA, Oracle bulk patch updates, Snort IPS, Active Directory pentesting, CVE-2024-27956 - SQLi, CVE-2024-40626 - XSS (Stored), RAG manipulation attacks, etc.
📰 News
Technical Details: Falcon Content Update for Windows Hosts
On July 19, 2024, at 04:09 UTC, CrowdStrike released a sensor configuration update to Windows systems, which caused a logic error, resulting in system crashes and blue screens (BSOD) on affected systems. The issue was resolved on July 19, 2024, at 05:27 UTC. The problem was not related to a cyberattack.
Affected customers were those using Falcon sensor for Windows version 7.11 and above, who were online between 04:09 UTC and 05:27 UTC on July 19, 2024. Systems running these versions that downloaded the update during this period were susceptible to crashes.
The configuration files, known as "Channel Files," are part of Falcon's behavioral protection mechanisms. Updates to these files are routine and address new tactics, techniques, and procedures. Channel File 291, which was involved in this event, controls Falcon’s evaluation of named pipe execution on Windows systems.
Channel Files reside in C:\Windows\System32\drivers\CrowdStrike\ and their names start with "C-". Channel File 291 (filename starts with "C-00000291-" and ends with .sys) was the file involved in the issue. The update aimed to target malicious named pipes used by common C2 frameworks but caused a logic error leading to crashes.
CrowdStrike corrected the logic error in Channel File 291. Updated logic in Channel File 291 will continue to evaluate and protect against named pipe abuse. Systems not impacted will continue to operate normally and are not at risk of future occurrences of this event. Linux and macOS systems were unaffected as they do not use Channel File 291. A thorough root cause analysis is ongoing to understand how the logic flaw occurred.
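As an added example (not CrowdStrike's code and not part of the original newsletter), the following Python script applies the facts above to a host inventory: it recognises Channel Files by the "C-" prefix and an eight-digit channel number (the width is assumed from the "C-00000291-" example), compares the sensor version against the 7.11 floor, and flags any host whose Channel File 291 was written inside the 04:09 to 05:27 UTC window. The host records, filenames and timestamps are constructed sample data, and collecting file timestamps from the Channel File directory is assumed to be done by a separate inventory step.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Facts from the advisory summary: Channel File location and naming convention.
CHANNEL_DIR = r"C:\Windows\System32\drivers\CrowdStrike"
# "C-" prefix, an eight-digit channel number, anything, then ".sys".
# The eight-digit width is an assumption based on the "C-00000291-" example.
CHANNEL_FILE_RE = re.compile(r"^C-(\d{8})-.*\.sys$", re.IGNORECASE)
FAULTY_CHANNEL = 291
MIN_AFFECTED_SENSOR = (7, 11)  # Falcon sensor for Windows 7.11 and above
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def channel_number(filename: str):
    """Return the channel number encoded in a Channel File name, or None if it does not match."""
    m = CHANNEL_FILE_RE.match(filename)
    return int(m.group(1)) if m else None


def parse_version(version: str) -> tuple:
    """'7.11' -> (7, 11); tuple comparison orders 7.9 below 7.11 (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class HostRecord:
    hostname: str
    sensor_version: str
    # filename -> last-write time in UTC, as gathered from CHANNEL_DIR by a
    # hypothetical inventory agent that is not part of this example.
    channel_files: dict = field(default_factory=dict)


def assess_host(host: HostRecord) -> str:
    """Classify a host's exposure to the Channel File 291 update.

    Returns one of:
      'sensor_not_affected' - sensor older than 7.11
      'no_291_file'         - no C-00000291-*.sys present
      'window_exposure'     - a 291 file was written inside the 04:09-05:27 UTC window
      'outside_window'      - 291 file present but written outside the window
    """
    if parse_version(host.sensor_version) < MIN_AFFECTED_SENSOR:
        return "sensor_not_affected"
    hits = [ts for name, ts in host.channel_files.items() if channel_number(name) == FAULTY_CHANNEL]
    if not hits:
        return "no_291_file"
    if any(WINDOW_START <= ts <= WINDOW_END for ts in hits):
        return "window_exposure"
    return "outside_window"


def triage(hosts) -> dict:
    """Map each hostname to its exposure class."""
    return {h.hostname: assess_host(h) for h in hosts}


# Constructed sample inventory: hostnames, versions, file suffixes and timestamps are made up.
SAMPLE_HOSTS = [
    HostRecord("ws-01", "7.15", {
        "C-00000291-00000000-00000001.sys": datetime(2024, 7, 19, 4, 31, tzinfo=timezone.utc),
        "C-00000290-00000000-00000001.sys": datetime(2024, 7, 18, 22, 0, tzinfo=timezone.utc),
    }),
    HostRecord("ws-02", "7.15", {
        "C-00000291-00000000-00000001.sys": datetime(2024, 7, 19, 9, 2, tzinfo=timezone.utc),
    }),
    # Older sensor: file present, but below the 7.11 floor the advisory names.
    HostRecord("ws-03", "7.9", {
        "C-00000291-00000000-00000001.sys": datetime(2024, 7, 19, 4, 45, tzinfo=timezone.utc),
    }),
    HostRecord("ws-04", "7.11", {
        "C-00000290-00000000-00000001.sys": datetime(2024, 7, 18, 22, 0, tzinfo=timezone.utc),
    }),
]

if __name__ == "__main__":
    for hostname, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{hostname}: {verdict}")
```

The window check is deliberately inclusive at both ends and keyed on the file's last-write time rather than on when the sensor checked in, so a host that was offline during the window and received the corrected file later is reported as `outside_window` rather than as exposed.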
Well, CrowdStrike broke Red Hat Linux too, and very few knew. Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64, caused by the falcon-sensor process.
Change Healthcare Ransomware Attack Cost Predicted to Rise to at Least $2.3B in 2024
UnitedHealth Group (UHG) updated the cost of its response to the February 2024 ransomware attack on Change Healthcare, now estimated between $2.3 billion and $2.45 billion for the year, over $1 billion more than previously reported. UHG has already spent nearly $2 billion, with massive disruption caused by prolonged outages. Most systems are restored and operational, with UHG providing over $9 billion in advance funding and interest-free loans to help providers unable to bill for their services due to the outages.
As of June 30, 2024, UHG has incurred $1.98 billion in costs, including $1.3 billion in direct costs related to restoring the Change Healthcare clearinghouse platform and higher medical expenses due to a temporary pause in some care management activities. Individual notifications to affected individuals are set to begin on July 20, 2024. Up to 1 in 3 Americans, potentially more than 110 million individuals, may have had their protected health information exposed. Even with these massive costs, UHG reported second-quarter earnings of $7.9 billion and profits of $4.2 billion, with revenues up 6% year-over-year at $98.9 billion in Q2, though profits are down from $5.5 billion in Q2 2023, largely due to the ransomware attack.
Change Healthcare published a substitute data breach notice on July 10, 2024, confirming that notification letters will start being mailed on July 20, 2024. The breach, detected on February 21, 2024, involved hacker access to internal systems from February 17 to February 20, 2024, with a substantial amount of data exfiltrated. Analysis of the data began on March 13, 2024, revealing a large proportion of Americans were affected. The types of exposed information vary and include health insurance information, health information, billing, claims, payment information, and other personal information such as Social Security numbers and driver's license numbers.
Oracle Critical Patch Update Advisory for July 2024
Oracle’s critical patch update for July 2024 addresses nearly 400 security issues affecting Oracle and third-party components used in Oracle products. Ninety-five of the fixes address vulnerabilities in Oracle Communications; 60 address issues in Financial Services Applications; Fusion Middleware received 41 patches; and MySQL received 37. Don’t let the volume of updates scare you off. There are a lot of products here and you’re likely only using a subset of them. Even so, make sure you’re doing regression testing, particularly with middleware updates.
📑 Blog Reads
📹️ Videos
He Sent Me Minecraft Malware (Java Deobfuscation) By John Hammond
Mapping APT TTPs With MITRE ATT&CK Navigator By HackerSploit
The Ultimate Guide to Finding the Best Open Source Packages By Snyk
Bypassing Restrictions in API Gateway - (Hacking AWS!) By Tyler Ramsbey
You're Too Old For Cybersecurity By The Cyber Mentor
📚 Recommended Reading
CVE-2024-40626: Stored XSS in Outline editor (Type confusion attacks in ProseMirror editors)
Getting Unauthenticated RCE on the Logsign Unified SecOps Platform
⚒️ Tools
PwnedBoot - The Windows bootloader (winload.efi) does not check the code signature or integrity of the mcupdate_<platform>.dll file when starting the system if the 'Disable Driver Signature Enforcement' option is selected. The file is loaded very early in the boot stage, and its entry point is executed from within the bootloader before a call to ExitBootServices(), which means that you can just restore the context and return back to the firmware. The plot twist is that mcupdate_<platform>.dll is not inside a valid memory mapping in the firmware context, so this project just remaps itself over the bootloader.
Zigfrid - Zigfrid is the end result of my RFID tinkering. Since I will most definitely forget most things described here in the (very) near future, I share this for those few who might find it interesting. Please be warned: This is not a toy. It is a completely unreliable, untested, malicious tool, which can and will cause elevators to stop or even shut down immediately, locks to jam, hackers to get jailed, and other weird RFID phenomena. Ok, you get the idea, let's move on.
🔬 Research
Without the sponsors and partners, hacklido wouldn't be where it is now, so we would like to thank them.
Sponsors:
Community Partners:
If you wish to sponsor or partner with hacklido and benefit from it, reach out to us via email@hacklido.com to discuss it with us!