DDoS cyberattack campaign averaged 4.5 million requests per second, putting the bank under attack 70% of the time.

Source: VideoFlow via Shutterstock

A distributed denial-of-service (DDoS) attack targeting a financial institution in the United Arab Emirates set records for the duration of the cyberattack and the sustained volume of requests.

The attack — attributed to pro-Palestinian hacktivist group BlackMeta, also known as DarkMeta — lasted six days and included multiple waves of Web requests lasting anywhere from four to 20 hours, targeting the financial institution's site. Overall, it lasted more than 100 hours in total, averaging 4.5 million requests per second, cybersecurity firm Radware stated in an advisory published this week.

The DDoS attack represents a significant departure from the standard hacktivist denial-of-service attacks, says Pascal Geenens, director of threat intelligence for Radware.

"Those attacks were lasting between 60 seconds and five minutes — they came, they hit hard, and they go away after one to five minutes," he says. "Now, in the case of this attack, the campaign in total lasted six days, and in those six days, 70% of the time, that customer was being targeted by an average of 4.5 million requests."

BlackMeta, also known as SN\_BlackMeta, appeared in November 2023 and has a history of claiming responsibility for attacks against organizations in Israel, the United Arab Emirates, and the United States. In May, the group claimed responsibility for a multiday denial-of-service attack on the San Francisco-based Internet Archive. In April, the group claimed to have attacked the Israel-based infrastructure of the Orange Group, a French provider of telecommunication services in Europe, the Middle East, and Africa. The group also targeted organizations in Saudi Arabia, Canada, and the United Arab Emirates.

**DDoS Attacks for $500 a Month**

The BlackMeta group announced its intent to attack the financial institution on Telegram in the days leading up to the operation. The cyberattack inundated the financial firm's website with requests, causing the share of legitimate requests to plummet to as low as 0.002%, with an average of 0.12%. The attacks continued for 70% of the time during the six-day period.

Bandwidth captures showing the attack over six days. Source: Radware

The attackers used a cybercrime service known as InfraShutdown, which allows attackers to target sites for $500 to $625 a week, according to Radware's advisory.

BlackMeta is primarily motivated by a pro-Palestinian ideology, but similar to Anonymous Sudan, has an anti-Western stance, and appears to have links with Russia, and uses Arabic, English, and Russian in its posts, Radware stated.

"The group positions its attacks as retribution for perceived injustices against Palestinians and Muslims," the company stated. "Their targets typically include critical infrastructure such as banking systems, telecommunication services, government websites and major tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their adversaries."

**Profiting from DDoS Service?**

BlackMeta is likely a rebrand of Anonymous Sudan, a group that made a name for itself last year attacking targets along with the loose-knit pro-Russian Killnet group, according to the researchers. Anonymous Sudan targeted Israeli organizations and the encrypted messaging service Telegram in 2023. Comparing the number of claimed attacks by month over the past year and a half shows Anonymous Sudan's activity dwindling at the same time that BlackMeta's was ramping up.

Anonymous Sudan advertised its InfraShutdown DDoS attack service during previous attacks, urging other would-be attackers to sign up, which means the group is likely financially benefiting from its "hacktivism."

"If the actors behind \[BlackMeta\] are in any way related to or support Anonymous Sudan, the premium InfraShutdown service is highly likely to be the origin of the 14.7 million \[requests-per-second\], 100-hour attack campaign," Radware stated in its advisory

Rate-limiting the bandwidth during such attacks is not a solution to sustained application-layer attacks, because a company would have to be able to differentiate between the 1.5 billion legitimate requests reaching the website over a six-day period, and the 1.25 trillion malicious requests targeting the site, Geenens says.

"With the attacks going to Layer 7 — the application layer — the problem has shifted," he says. "Before we were at the network level, you could use a firewall, but that is too much processing power, so we moved to network protection. But when you move one layer up \[to Layer 7\], they can target specific pages and randomize the queries that they put in, so they make it look like legitimate posts."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Pro-Palestinian Actor Levels 6-Day DDoS Attack on UAE Bank

Cookies aren't going away, after all. After years of saying it will do so, Google has decided to not remove third-party cookies from Chrome.

Source: Piotr Malczyk via Alamy Stock Photo

After almost four years of tinkering, Google said it will not phase out third-party cookies from its Chrome browser. Instead, the company will provide users with options on how they want to be tracked on the web.

Back in 2020, Google urged browser makers, publishers, developers, and advertisers to move away from using third-party cookies and adopt mechanisms that would provide users with a more private and secure web. Despite opposition from online advertisers, Google set April 2025 as the deadline for removing third-party cookies from Chrome.

However, following discussions with stakeholders -- a list which includes regulators, publishers, developer, and other entities -- Google said it now realizes building ad mechanisms which also preserve privacy has implications for online advertisers.

"In light of this, we are proposing an updated approach that elevates user choice," wrote Chavez. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time."

One of the mechanisms Google has been working on for the past few years is Privacy Sandbox, a suite of APIs for online ad delivery and analytics with privacy protections built-in. Chrome users will have the choice of keeping third-party cookies or using Privacy Sandbox.

The Electronic Frontier Foundation noted that while major browsers, like Safari and Firefox, block third-party cookies by default, Chrome still does not. And while Privacy Sandbox may be less invasive, it is problematic because it shifts control of online tracking from third-party trackers to Google, according to EFF's Lena Cohen. "That doesn't mean it's good for your privacy," Cohen wrote. EFF suggests downloading its Privacy Badger browser extension to opt out of Privacy Sandbox and the broader online tracking ecosystem.

**About the Author(s)**

Google Will Not Remove Third-Party Cookies From Chrome

Small businesses are increasingly being targeted by cyberattackers. Why, then, are security features priced at a premium?

Source: Song\_about\_summer via Shutterstock

Small and midsize businesses (SMBs) are more vulnerable to attacks because software companies, cloud service providers, and technology makers either charge for safety features that should be offered at every service tier or fail to offer the features at all.

Earlier this year, at least 165 customers of data-services provider Snowflake were compromised — and one reason was because the firm did not offer a way to easily require all users to enable multifactor authentication (MFA), cybersecurity experts say. And just last year, a nonprofit organization failed to detect an attack because, among other reasons, its Microsoft 365 license level of "E3" did not come with logging features that were available to organizations on the more expensive "E5" plan, incident responders stated at the time.

Software makers and service providers need to offer effective security features as a safety measure to every tier of service and not create a cybersecurity gap between the "cyber poor" and enterprises that can afford extra security, says Kymberlee Price, CEO and co-founder of Zatik, a provider of fractional security expertise targeting smaller businesses.

"If vendors do not change the way they price security, if they don't put seatbelts in the base model, then software liability is inevitable," Price says.

Finding ways to secure the cyber poor — those companies and organizations that cannot afford dedicated cybersecurity professionals or high-priced security systems — has become a critical effort worldwide. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) pledged to find ways to help the smallest organizations, which typically do not have budgets for information technology, let alone information security. Security compromises can result in business failures and significant stress-related problems for small-business owners.

Driving security down to the smallest firms is critical to promote security across the business ecosystem, as larger companies count SMBs among their vendors, contractors, and partners, says Saeed Abbasi, product manager of vulnerability research at Qualys.

"Strengthening cybersecurity in SMBs is essential for protecting their assets and safeguarding larger business ecosystems, as these small businesses often serve as links in broader supply chains," he says. "Moreover, proactive cybersecurity costs are typically lower than the potential losses from data breaches."

**Delivering More Security By Default**

Defining the difference between what should be a security product in its own right and what should be a security feature is not easy, Price acknowledges. Single sign-on capabilities, such as Okta, would be obviously considered as a security service, but a feature in another product to connect to Okta's SSO should not require purchasing a higher tier, Price says.

"If there's some completely new innovation that revolutionizes the way security works ... that's going to involve development and other costs," so charging extra for that seems fair, she says. "But at this point, so many of these features \[are the equivalent of\] backup cameras, which were an LX-model option when they first came out, but now they're standard in the base models."

Among the safety features Price says she would like to see: Firms should be given the ability to require and monitor two-factor authentication across the business, single sign-on integration should be a base-tier feature, and role-based access controls that split administration and normal user functions should be standard. In addition, companies should start offering audit trails in every application by default and the ability for an administrator to revoke access to users.

For Snowflake, it was not a matter of charging extra for a MFA but of not enabling a feature that cybersecurity professionals have long advocated for. On the platform, individuals could opt into MFA, but company administrators had no power to require the security for every user in their organizations, said Ofer Maor, co-founder and CTO at threat response firm Mitiga, in an interview last month.

"Snowflake not only does not require MFA, but it also makes it very hard for administrators to enforce this," he said. "Unlike other \[software-as-a-service\] platforms, where an admin of a tenant can require MFA for all users in the tenant, in Snowflake this option is not available. The only way for the admin to attempt to enforce it is by manually reviewing every user in the system to see if they voluntarily enabled MFA and, if not, ask them to do so."

Both Snowflake and Microsoft now offer the requested security features on their platforms. As of July 9, administrators can require MFA by default for Snowflake, and Microsoft changed its policy on the cost of logging last year, following criticism of its licenses.

**Make Cyber Safety Easy, Available in Lowest Tiers**

Because SMBs often do not have their own IT specialist, not to mention a skilled cybersecurity expert, offering easy-to-use basic security is paramount. There needs to be a path to drive security down to every user, says Narayana Pappu, CEO at Zendata, a data security and compliance firm.

"SMBs usually lack security expertise in-house, don't have resources to implement nor maintain a solution, and usually carry security risks that can put them out of business if or when a security incident occurs," he says. "These are great reasons to drive good security down to the SMB level — in a connected ... world, you are only as strong as your weakest link."

While generative artificial intelligence and the latest large-language models could provide some companies more security, the cost may still be prohibitive and rarely are such features offered at the base level.

Instead, cybersecurity and software firms should provide basic, effective security in every product at the base service tier, says Zatik's Price, who stresses that she is not against charging everyone a bit extra to make the feature available. However, all tiers should offer the most effective security measures, she says.

"There's no version of a car that does not include seatbelts on the market today," she says. "Are seatbelts free? No, they're baked into the cost of that car. \[Similarly\], we're not saying that all security should be free and zero cost."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Small Businesses Need Default Security in Products Now

With every new third-party provider and partner, an organization's attack surface grows. How, then, do enterprises use threat intelligence to enhance their third-party risk management efforts?

The network of global supply chains means organizations are more interconnected than ever, which increases the potential for a data breach or other security incidents involving third-party suppliers and partners. Third-party vendors, especially those digitally connected to an organization, significantly increase their attack surface and open exposure to software supply chain risks, vulnerabilities, and malicious or negligent insiders.

According to Cyentia Institute, 98% of organizations have at least one third party that suffered a cybersecurity breach within the previous two years.

Organizations have increased their investments in third-party risk management (TPRM) programs to mitigate these risks. In its "2023 Global Third-Party Risk Management Survey," EY found that 90% of respondents were investing to improve their programs' effectiveness. In a recent Dark Reading report, "Managing Third-Party Risk Through Situational Awareness," experts outline how organizations can use threat intelligence to effectively manage third-party risk.

"Third-party risk management is such a big challenge for CISOs," says Rick Holland, VP CISO at security services provider ReliaQuest.

Experts say that the top drivers for TPRM investments are regulatory demands, increased remote work, and data privacy. Much of that investment is being used for threat intelligence programs. By harnessing threat intelligence from various sources, organizations can comprehensively understand the threat landscape and make informed decisions to manage third-party risks effectively.

Threat intelligence is found in many sources, such as open source intelligence, commercial threat intelligence providers, industry-specific information sharing and analysis centers, and internal security data. As applied to third parties, threat intelligence analysts incrementally add intelligence that could indicate that their third parties are either at risk of attack, under attack, or have recently been attacked. Such indicators include comments on Web forums and marketplaces, leaked data, credentials spilled on the Internet, and more.

Download the report to learn how to get started with threat intelligence. Organizations can better comprehend their threat landscape through such threat intelligence and make better-informed decisions to manage their risks. Learn how to collect and use threat intelligence to help reduce many risks associated with third parties.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Fighting Third-Party Risk With Threat Intelligence

Cybersecurity startup Zest Security emerged from stealth with an AI-powered cloud risk resolution platform to reduce time from discovery to remediation.

Source: Peachshutterstock via Shutterstock

Organizations have plenty of tools to identify cloud risks, vulnerabilities, and misconfigurations, but not so much for remediating cloud risks. For most companies, significant collaboration is needed between DevOps and security teams to validate the risk, understand the root cause, and determine the best resolution.

Remediating risk usually involves a series of manual and time-consuming processes. Cybersecurity startup Zest Security wants to change that with its AI-powered platform designed to simplify and automate risk resolution. The platform correlates and pinpoints the root cause of cloud risks to craft resolution paths that eliminate cloud vulnerabilities and misconfigurations that attackers can exploit, Zest said in a statement.

On average, it takes 30 to 60 days to remediate a single cloud security risk, and 80% of resolved risks resurface after remediation, Zest said. The increase in known cloud attacks is directly the result of lack of efficient and effective remediation.

"Zest eliminates the back-and-forth typically required between security and DevOps teams to determine the best path to mitigation and remediation," said Matthew Hurewitz, director of platforms and application security at Best Buy, in a statement. "Zest shows security teams all of their options, so they can quickly and confidently resolve their vulnerabilities."

As part of the launch, Zest Security also raised $5 million in seed funding from Hanaco Ventures, Silvertech Ventures, and several angel investors. The company's co-founders have years of experience in cloud and product security. Uri Aronovici, Zest’s CTO, previously worked at Akamai Technologies and Check Point Software. Prior to founding Zest, Snir Ben Shimol, Zest's CEO, built the global cybersecurity platform and services organization at Varonis. Shimol was also the CSO of Cider Security before it was acquired by Palo Alto Networks.

**About the Author(s)**

Zest Security Aims to Resolve Cloud Risks

The threat group uses its "Stargazers Ghost Network" to star, fork, and watch malicious repos to make them seem legitimate, all to distribute a variety of notorious information-stealers-as-a-service.

Source: Miriam Doerr Martin Frommherz via Shutterstock

A threat actor known as "Stargazer Goblin" has found a new way to leverage GitHub to distribute malware and malicious links to unsuspecting users.

Instead of hosting malware on GitHub and then luring users to inadvertently download an infected code package (by getting them to click on a malicious link in a phishing email, for instance), the new tactic involves convincing victims that malicious repositories are legitimate via a socially engineered influence operation involving thousands of inauthentic accounts.

Researchers from Check Point Research (CPR) who uncovered the operation noted in a report this week that the adversary's end game is running a malware distribution-as-a-service (DaaS) network dubbed Stargazers Ghost Network, currently comprised of more than 3,000 active GitHub accounts.

**A Large Network of Rogue Accounts**

The threat group is using a relatively small number of these accounts to actually distribute the malware and malicious links, and the remaining ones are the inauthentic accounts that are being used to make the rogue repositories appear legitimate. Their tactics for doing so have included using the inauthentic accounts to star, fork, and subscribe to the malicious repos, in order to give them a veneer of innocence.

Starring, which gives the group its name, is a way to bookmark repositories on GitHub to make them easier to find in the future, and also as a way to show appreciation for a particular project. Forking is about creating an identical copy of another GitHub project as a way to propose changes to the project or to build on it for your own purposes; and watching is basically a way of keeping abreast of the latest developments in a project. Just as with applications on mobile app stores, users tend to perceive GitHub projects with more stars, forks, and watchers as being more credible — and trustworthy — than others.

"In the past, malware was hosted on GitHub, though the repositories that hosted malware never suggested that a normal user would land, trust, download, and execute the hosted sample," says Antonis Terefos, a researcher at CPR. "Currently, via the Stargazers Ghost Network, we are experiencing a new era of malware distribution utilizing accounts to act organically by starring \[and\] forking malicious repositories \[to make them appear\] as legitimate to normal users."

**Stargazer Goblin's Distribution-as-a-Service Play**

Since at least August 2022, and likely even earlier, Stargazer Goblin has used its rogue GitHub accounts to distribute a variety of malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. A Stargazers Ghost Network advertisement from July 2023 — in English and Russian — that CPR researchers found on a Dark Web forum showed the threat actor charging $10 to "star" a repository with 100 accounts, and $2 to provide an account with an empty "aged" repository, which generally is more trusted than a brand-new one.

CPR also said that the operation likely extends well beyond GitHub.

"We believe that Stargazer Goblin created a universe of Ghost Network accounts operating across various platforms such as GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others," CPR said in its report. "Similar to GitHub, other platforms can be utilized to legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and channels, depending on the features each platform offers."

Terefos says the majority of repositories on the Stargazers Ghost Network use tags that ensure they surface at the top of GitHub searches when users are looking for something. The threat group has also used services, such as Discord, to promote the malicious repositories as places where users can get game mods, cracked software such as Adobe and VPN software, and free trading, AI, and coin-mining tools.

"Since last week's CrowdStrike event, which threat actors have been trying to take advantage of, we have been monitoring for CrowdStrike 'drive-fixes' repositories, on the Ghost Network. So far, there have been none," Terefos says. "\[But\] this could be an example of how a user could land on a malicious repository by searching on GitHub for how to perform the \[CrowdStrike\] fix. The user would see that the repository has been starred by multiple other accounts, indicating that the provided 'fix/repo' works. Instead, the user is being infected with malware."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware

The good news: Only organizations far behind on standard Windows patching have anything to worry about.

Source: dennizn via Alamy Stock Photo

A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

**A CVE-2024-21412 Attack Chain**

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen "through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because \[steganography\] detection is often overlooked compared to other attack scenarios."

**Consequences to the Unpatched**

The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.

The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 

Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.

"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign

Players can only access the game by first joining its Telegram channel, with some going astray in copycat channels with hidden malware.

Source: Science Photo Library via Alamy Stock Photo

Malicious actors are targeting users of a mobile currency game by using fake Android and Windows software that installs spyware and other malware.

Hamster Kombat launched in March and already has more than 250 million users, likely due to the promises of winning TON-based cryptocurrency. The game is for Android users, who can earn in-game currency by completing certain tasks within the game.

To play, users must join the game's Telegram channel, scan a QR code, and then launch a Web app on their device. When users first search for the game's Telegram channel, they are likely to come across other Hamster-branded channels attempting to distribute Android malware. One channel, named "HAMSTER EASY," even distributes Ratel Android spyware as an APK file.

This malware can allow the threat actors to subscribe the victim to different services and hide the notifications so that they remain unaware.

Other fake websites include "hamsterkombat-ua.pro" and "hamsterkombat-win.pro," which redirect visitors to advertisements to generate money instead of the real game. 

On the Windows platform, researchers discovered GitHub repositories that promise its victims Hamster Kombat farm bots and autoclickers but instead deliver cryptors that contain Lumma Stealer, info-stealer malware.

As the game continues to grow in popularity among users, it will continue to attract malicious actors, so users should be wary of being tricked by threat actors and copycat apps and remain vigilant when downloading software.

**About the Author(s)**

Hamster Kombat Players Threatened by Spyware &amp; Infostealers

Though the cybersecurity vendor has since reverted the update, chaos continues as companies continue to struggle to get back up and running.

Source: SOPA Images Limited via Alamy Stock Photo

This is a breaking news story and will be updated as new developments occur.

This morning, Microsoft servers across the world displayed the dreaded "blue screen of death," leading to mass IT outages that disrupted business, airlines and flights, healthcare providers, banks, and more. The cause: A defective update to CrowdStrike Falcon Sensor, a widely used cloud-based endpoint detection and prevention (EDR) software program.

CrowdStrike said its engineering team has identified the issue that caused the massive disruption to Windows-based systems: A bug in the Memory Scanning prevention policy, which was not identified during their testing stages, Callie Guenther, senior manager at Critical Start, noted in an emailed statement.

"While CrowdStrike likely performed standard regression and functionality tests, these were insufficient because they did not simulate the real-world deployment environment where the bug caused the Falcon sensor to consume 100% of a CPU core," she wrote. This ultimately led to system performance issues.

CrowdStrike has since reverted the flawed Falcon software update. Even so, some users are still experiencing system crashes or are unable to stay online to receive the new and fixed version. The cybersecurity vendor has provided workaround steps for this issue.

In a post on social platform X, Microsoft CEO Satya Nadella said the company is aware of the issue and is working closely with CrowdStrike to provide technical support to its customers and get their systems back online.

**Falcon Fallout**

The severity of the broken CrowdStrike update became increasingly painful as victim reports rolled in throughout the day: More than 1,300 flights have been canceled or delayed, trains, card payments in stores, pharmacies, and even general practitioner (GP) surgeries were stalled. 

The Department of Health in Belfast reported that two-thirds of GP practices in Northern Ireland have been affected, with patient records inaccessible as well as lab tests and routine prescriptions.

Delta flights have been paused as it "works through a vendor technology issue," the New York Times reported, and Turkish Airlines has canceled at least 84 flights. Employees at financial institutions like JPMorgan Chase and Instinet have had trouble accessing their corporate systems as operations began to stutter.

Even the Paris Olympics organizing committee reports that its IT operations have been affected, mainly affecting delivery of uniforms and accreditations.

Meanwhile, President Joe Biden has been briefed on the outage, according to the White House, and administration officials are reportedly in touch with affected entities as well as CrowdStrike, which is working with customers that have been impacted.

"Mac and Linux hosts are not impacted," George Kurtz, president and CEO of CrowdStrike, wrote online. "This is not a security incident or cyberattack. The issue has been identified \[and isolated,\] and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

**It's Not a Data Breach, but it's a Disaster**

In an industry where cybersecurity practices and services are meant to protect an enterprise without interrupting them, this outage proves that "even non-malicious cybersecurity failures can bring businesses to their knees," according to Maxine Holt, cybersecurity analyst at Omdia.

This massive incident underscores an over-reliance on cloud services, Holt noted in an online statement, and the outage may prompt organizations to reconsider moving their mission-critical applications to the cloud.

"Omdia's Cloud and Data Center analysts have long warned about over-reliance on cloud services," Holt said. "Today's outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike's shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value."

As CrowdStrike will undoubtedly face scrutiny as it gets back on its feet, only time will tell how this outage could affect regulation and pressure on software vendors.

"We need stronger regulations and guidance on vendor responsibilities for functional testing," Josh Thorngren, security strategist at ForAllSecure, wrote in an emailed statement. "If you're not testing the behavior of your application under-expected (and unexpected) conditions with every update — this type of issue will always be a risk."

Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide

The Coalition for Secure AI is a consortium of influential AI companies aiming to develop tools to secure AI applications and set up an ecosystem for sharing best practices.

Source: ElenaBS via Alamy Stock Photo

The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI.

The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models.

"Our initial workstreams include AI and software supply chain security and preparing defenders for a changing cyber landscape," CoSAI said in a statement.

The initial efforts include creating a secure bubble and systems of checks and balances around the access and use of AI, and creating a framework to protect AI models from cyberattacks, according to Google, one of the coalition's founding members. Google, OpenAI, and Anthropic own the most widely used large language models (LLMs). Other members include infrastructure providers Microsoft, IBM, Intel, Nvidia, and PayPal.

"AI developers need — and end users deserve — a framework for AI security that meets the moment and responsibly captures the opportunity in front of us. CoSAI is the next step in that journey, and we can expect more updates in the coming months," wrote Google's vice president of security engineering, Heather Adkins, and Google Cloud's chief information security officer, Phil Venables.

**AI Safety as a Priority**

AI safety has raised a host of cybersecurity concerns since the launch of ChatGPT in 2022. Those include misuse for social engineering to penetrate systems and the creation of deepfake videos to spread misinformation. At the same time, security firms, such as Trend Micro and CrowdStrike, are now turning to AI to help companies root out threats.

AI safety, trust, and transparency are important as results could steer organizations into faulty — and sometimes harmful — actions and decisions, says Gartner analyst Avivah Litan.

"AI cannot run on its own without guardrails to rein it in — errors and exceptions need to be highlighted and investigated," Litan says.

AI security issues could multiply with technologies such as AI agents, which are add-ons that generate more accurate answers from custom data.

"The right tools need to be in place to automatically remediate all but the most opaque exceptions," Litan says.

US President Joe Biden has challenged the private sector to prioritize AI safety and ethics. His concern was around AI's potential to propagate inequity and to compromise national security.

In July 2023, President Biden issued an executive order that required commitments from major companies that are now part of CoSAI to develop safety standards, share safety test results, and prevent AI's misuse for biological materials and fraud and deception.

CoSAI will work with other organizations, including the Frontier Model Forum, Partnership on AI, OpenSSF, and MLCommons, to develop common standards and best practices.

MLCommons this week told Dark Reading that in fall this year it will release an AI safety benchmarking suite that will rate LLMs on responses related to hate speech, exploitation, child abuse, and sex crimes.

CoSAI will be managed by OASIS Open, which, like the Linux Foundation, manages open source development projects. OASIS is best known for its work around the XML standard and for the ODF file format, which is an alternative to Microsoft Word's .doc file format.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Source

DARKReading