CrowdStrike Falcon

Tech Optimizer
May 5, 2025
X Business, an e-commerce store specializing in handmade home décor, experienced a cybersecurity incident involving a malware strain called Chimera. The attack began during a routine update to their inventory management system and escalated within 12 hours, resulting in halted customer orders, locked employee accounts, and a crashed website. The attackers demanded a ransom of 0,000 in cryptocurrency, threatening to expose sensitive customer data. Chimera is an AI-driven malware that adapts its code to evade detection, targeting both Windows and macOS systems. It exploited a zero-day vulnerability in Windows' Print Spooler service and bypassed macOS security measures by forging code signatures. The malware used social engineering tactics to deceive employees into activating malicious payloads, leading to compromised systems and encrypted customer data. The recovery process took 48 hours, utilizing cybersecurity tools like CrowdStrike Falcon and SentinelOne Singularity to identify and isolate the malware. Data restoration was achieved through Acronis Cyber Protect and macOS Time Machine, while vulnerabilities were addressed with Qualys and emergency patch deployment via WSUS. The network security framework was improved using Cisco Umbrella and Zscaler Private Access to implement a Zero Trust architecture. The incident highlights the need for small enterprises to adopt proactive cybersecurity strategies, including a 3-2-1 backup approach, Zero Trust models, investment in AI-driven defense tools, and employee training to recognize social engineering attempts.
Winsage
November 19, 2024
Microsoft is introducing a feature called "Quick Machine Recovery" to help IT administrators remotely fix unbootable systems via Windows Update, following a significant outage in July 2024 caused by a problematic update to the CrowdStrike Falcon software. This outage affected various critical sectors globally, leading to issues like boot loops and the Blue Screen of Death for users. The Quick Machine Recovery feature will allow targeted fixes without physical access to the machines and is expected to roll out in early 2025 for Windows 11 Insider Program participants. Additionally, Microsoft is working with security vendors on the Microsoft Virus Initiative (MVI) to develop tools that allow security software to operate outside the Windows kernel, reducing risks associated with kernel-level access. This initiative includes adopting Safe Deployment Practices for gradual and monitored updates. A private preview of these developments will be available in July 2025. Microsoft has also launched a new Windows 11 administrator protection feature and is focusing significant resources on security challenges through its Secure Future Initiative (SFI).
Winsage
October 9, 2024
Microsoft released a patch for CVE-2024-43572, a vulnerability in the Microsoft Management Console, rated Important with a CVSS score of 7.8, allowing remote code execution through malicious MSC files. Another patch was issued for CVE-2024-43573, a Moderate spoofing vulnerability in the Windows MSHTML Platform with a CVSS score of 6.5, affecting multiple Microsoft products. Additionally, three critical vulnerabilities were identified: CVE-2024-43468 in Microsoft Configuration Manager (CVSS score 9.8), CVE-2024-43488 in the Arduino extension for Visual Studio Code (CVSS score 8.8), and CVE-2024-43582 in the Remote Desktop Protocol Server (CVSS score 8.1). The CrowdStrike Falcon® platform introduced a Patch Tuesday dashboard for tracking vulnerabilities, and organizations are encouraged to adopt comprehensive cybersecurity strategies beyond just patching.
Tech Optimizer
September 28, 2024
XDR (Extended Detection and Response) is a sophisticated alternative to traditional anti-virus software, particularly for enterprise environments. It employs advanced technologies for enhanced system protection and often includes endpoint protection. XDR differs from EDR (Endpoint Detection and Response) by aggregating threat data from various security layers, including email gateways, cloud environments, and networks, allowing it to identify threats like lateral movement. Traditional anti-virus software primarily relies on signature detection and often requires manual intervention from IT teams, while XDR integrates these functionalities with a holistic approach, analyzing connections and behaviors across the network for proactive threat management. Businesses handling sensitive information or operating in regulated industries are increasingly adopting XDR due to its ability to automate detection and response processes. In contrast, traditional anti-virus solutions remain sufficient for individual consumers, as most consumer-targeted attacks are less sophisticated.
Tech Optimizer
September 24, 2024
Bitdefender has introduced GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology, which adapts security policies based on user behaviors. Integrity360 launched Continuous Threat Exposure Management (CTEM) as a Service in partnership with XM Cyber to help organizations manage cybersecurity risks. EC-Council released the Certified Ethical Hacker CEH v13, enhanced with AI capabilities for ethical hacking training. Rapid7 expanded its Managed Threat Complete solution to include third-party detections from CrowdStrike, SentinelOne, and Microsoft. DigiCert acquired Vercara, enhancing its cloud-based security services. ArmorCode added new modules for penetration testing management to its Application Security Posture Management platform. Chenega Corporation and CyberSheath achieved a perfect score on the Joint Surveillance Voluntary Assessment (JSVA), crucial for CMMC 2.0 compliance.
Tech Optimizer
September 20, 2024
Users of macOS 15, also known as 'Sequoia,' are experiencing network connection issues with certain endpoint detection and response (EDR) solutions, VPNs, and web browsers, particularly with CrowdStrike Falcon and ESET Endpoint Security. These problems seem to resolve when the tools are deactivated, indicating a compatibility issue with the operating system's network stack. Firewall configurations are causing packet corruption and SSL failures, affecting command-line tools like 'wget' and 'curl.' CrowdStrike has advised customers against upgrading to macOS 15 due to significant changes in networking structures, and similar warnings have been issued by SentinelOne Support. Users have reported connectivity issues with Mullvad VPN and corporate VPNs, while ProtonVPN appears to function without problems. ESET recommends removing ESET Network from the filters in System Settings to restore network functionality for certain versions of their software. Security researcher Wacław Jacek has suggested a temporary fix for firewall issues, and Mullvad VPN is aware of the problems and is working on a resolution. Users relying on EDR products, VPNs, or strict firewall configurations may want to delay upgrading to macOS 15 until these issues are resolved.
Winsage
August 15, 2024
Microsoft's August 2024 Patch Tuesday addressed 85 vulnerabilities, including six zero-day exploits: CVE-2024-38213, CVE-2024-38193, CVE-2024-38189, CVE-2024-38178, CVE-2024-38107, and CVE-2024-38106. Six vulnerabilities are classified as Critical, while the remaining 79 are rated Important or Moderate. The predominant risk types are elevation of privilege (37%) and remote code execution (35%). Windows products received 43 patches, with 21 for the Extended Security Update (ESU) and 8 for Microsoft Office.

Notable zero-day vulnerabilities include:
- CVE-2024-38189 in Microsoft Project (CVSS 8.8) allows remote code execution.
- CVE-2024-38193 in Windows Ancillary Function Driver for WinSock (CVSS 7.8) allows privilege escalation.
- CVE-2024-38107 in Windows Power Dependency Coordinator (CVSS 7.8) allows privilege escalation.
- CVE-2024-38178 in the Scripting Engine (CVSS 7.5) allows remote code execution.
- CVE-2024-38106 in the Windows kernel (CVSS 7.0) allows privilege escalation.
- CVE-2024-38213 in Windows Mark of the Web Security (CVSS 6.5) allows security warning bypass.

Critical vulnerabilities include:
- CVE-2024-38063 (CVSS 9.8) in Windows TCP/IP allows remote code execution.
- CVE-2024-38140 (CVSS 9.8) in Windows Reliable Multicast Transport Driver allows remote code execution.
- CVE-2024-38109 (CVSS 9.1) in Azure Health Bot allows privilege escalation.
- CVE-2024-38159 and CVE-2024-38160 (both CVSS 9.1) in Windows Network Virtualization allow remote code execution.
- CVE-2023-40547 (CVSS 8.8) impacts Secure Boot.

Additional vulnerabilities with an existing proof of concept include:
- CVE-2024-38199 (CVSS 9.8) in Windows Line Printer Daemon allows remote code execution.
- CVE-2024-38202 (CVSS 7.3) in Windows Update Stack allows privilege escalation.
- CVE-2024-21302 (CVSS 6.7) in Windows Secure Kernel Mode allows privilege escalation.
Winsage
August 12, 2024
A flawed CrowdStrike Falcon IPC Template Type caused Blue Screens of Death (BSODs) on Windows enterprise and business PCs worldwide, a significant disruption. Separately, cybersecurity firm Fortra discovered a new vulnerability, CVE-2024-6768, in the Common Log File System (CLFS.sys) driver of Windows, affecting all versions of Windows 10 and Windows 11. This vulnerability is caused by improper validation of input data, leading to a denial of service that triggers a BSOD. A crafted .BLF file can allow an unprivileged user to induce a system crash; the attack requires local access to the system. This flaw is similar to CVE-2023-36424, which Microsoft addressed in its November 2023 updates.
Tech Optimizer
August 5, 2024
A global IT outage caused by a flawed software update from CrowdStrike has led to increased cybercriminal activity, with phishing campaigns and malware distribution targeting individuals and businesses. The outage, which began at 1:20 a.m. ET on Friday, affected organizations reliant on Windows computers using CrowdStrike Falcon, resulting in widespread system failures. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning about the surge in online criminal activity and advised caution when interacting with communications related to the incident. CrowdStrike's CEO, George Kurtz, acknowledged the disruption and the company's efforts to assist affected customers. CrowdStrike is working to deploy a previous version of its Falcon software and has provided workaround steps for users experiencing issues.