The Ripple Effect of the CrowdStrike Incident – An Expanded Attack Surface and Potential Future Threats

The CrowdStrike incident in July 2024, which resulted in the blue screen of death (BSOD) affecting millions of Windows computers globally, not only highlighted vulnerabilities within IT infrastructure but also potentially handed malicious actors new clues about weak points to exploit. This incident underscores the increased attack surface area and the heightened risk of future attacks targeting critical infrastructures such as shopping malls, airports, hospitals, and other essential services.

If you missed my previous blog explaining the CrowdStrike incident, you can refer to it here: Understanding the CrowdStrike Incident of July 2024

The Expanded Attack Surface

An attack surface refers to the various points within a system or network that could be vulnerable to exploitation by attackers. The CrowdStrike incident has inadvertently revealed new attack vectors, potentially increasing the attack surface in several ways:

Critical Infrastructure Vulnerabilities

  1. Airports and Airlines: The disruption caused flight delays and cancellations, exposing the vulnerabilities in the IT systems of airlines and airports. Attackers now see these systems as potential targets for future attacks, aiming to cause widespread chaos and economic damage.
  2. Hospitals and Healthcare Services: The incident highlighted the susceptibility of hospital IT systems, where even minor disruptions can have life-threatening consequences. Attackers could exploit these vulnerabilities to launch ransomware attacks or disrupt critical medical services.
  3. Shopping Malls and Retail Services: Retail services were also affected, indicating vulnerabilities in the digital payment systems and supply chain management. Future attacks could aim to steal customer data, disrupt sales, or manipulate inventory systems.

Increased Interconnectivity

The interconnected nature of modern IT systems means that an attack on one system can ripple out to affect many others. The CrowdStrike incident demonstrated how interconnected services, from cloud providers to local networks, can be impacted, making the entire ecosystem more vulnerable.

Remote Work and Digital Transformation

The rise of remote work and the accelerated digital transformation in various sectors have expanded the attack surface. Remote work setups often rely on less secure home networks, which can be exploited by attackers to gain access to corporate networks.

Supply Chain Attacks

The incident showed how updates and third-party software can be vectors for attacks. Attackers might focus more on supply chain attacks, targeting software vendors and service providers to infiltrate their customers’ systems.

Potential Future Attacks

Given the expanded attack surface, several types of attacks could become more prevalent in the future:

Ransomware Attacks

Ransomware attacks on critical infrastructure like hospitals, airports, and retail networks can cause significant disruption and compel organizations to pay hefty ransoms to restore their operations. The heightened awareness of these vulnerabilities may lead attackers to increasingly target these sectors.

DDoS Attacks

Distributed Denial of Service (DDoS) attacks can overwhelm the systems of airports, airlines, and large retail chains, causing outages and service disruptions. These attacks could be timed to coincide with peak periods, such as holiday travel seasons or major sales events, to maximize impact.

Data Breaches and Theft

Attackers may focus on stealing sensitive data from hospitals and retail networks, such as patient records and customer payment information. This data can be sold on the dark web or used for identity theft and financial fraud.

Advanced Persistent Threats (APTs)

APTs involve attackers infiltrating networks and remaining undetected for extended periods, gathering intelligence, and causing damage. Critical infrastructure and large corporations could be prime targets for such sophisticated attacks.

Mitigating the Risks

To combat these potential threats, organizations must adopt robust security measures:

Enhanced Security Protocols

Organizations must implement comprehensive security protocols, including regular updates and patches, multi-factor authentication, and advanced threat detection systems.

Employee Training and Awareness

Employees should be trained to recognize phishing attempts and other common attack vectors. Regular security awareness training can significantly reduce the risk of successful attacks.

Network Segmentation

Segmenting networks can limit the spread of an attack and protect critical systems. By isolating sensitive areas of the network, organizations can contain breaches and minimize damage.

Incident Response Planning

Having a well-defined incident response plan is crucial. Organizations must be prepared to respond swiftly and effectively to minimize the impact of any security breaches.

Collaboration and Information Sharing

Collaboration between organizations and government agencies can enhance overall security. Sharing information about threats and vulnerabilities can help organizations stay ahead of potential attacks.

Conclusion

The CrowdStrike incident of July 2024 has not only exposed critical vulnerabilities in our digital infrastructure but also expanded the potential attack surface for malicious actors. By understanding these vulnerabilities and adopting proactive security measures, organizations can better protect themselves against future threats. It is imperative to recognize that as our digital world evolves, so too must our strategies to safeguard it, ensuring resilience against the ever-growing landscape of cyber threats.


Optus Outage Incident – Root Cause Analysis

Over the past five years Optus has made big news with four breaches, one hack and, most recently, an outage believed to have been caused by a configuration mishap during a software upgrade (see references 1-5). Around 4.05am on Wednesday, November 8, 2023, Optus experienced a widespread service outage, affecting a significant number of its customers. The disruption impacted various services, including mobile data, internet, and voice calls, leaving users frustrated and businesses grappling with operational challenges. The outage not only underscored the importance of robust telecommunications infrastructure but also shed light on the vulnerabilities that can arise in even the most advanced networks.

This poses a question: what makes such a giant so vulnerable to cyber attacks?

Big telecommunication companies can be vulnerable to cyber attacks due to various factors. Some of the key reasons include:

  1. Complex Networks: Telecommunication companies typically have complex and extensive networks with numerous interconnected systems. This complexity can create vulnerabilities, and managing such vast networks can be challenging, making it easier for attackers to find and exploit weaknesses.
  2. Interconnected Infrastructure: Telecommunication systems rely on interconnected infrastructure, including routers, switches, and other critical components. If one part of the infrastructure is compromised, it can potentially impact the entire network, leading to widespread disruptions.
  3. Dependence on Technology: Telecommunication companies heavily rely on technology to provide their services. This dependence on technology means that any vulnerabilities in the underlying software or hardware can be exploited by cyber attackers to gain unauthorized access or disrupt services.
  4. High-Value Targets: Due to the critical nature of their services, telecommunication companies are attractive targets for cybercriminals, hacktivists, or even state-sponsored attackers. Disrupting telecommunications services can have significant economic and social consequences, making these companies high-value targets.
  5. Data Sensitivity: Telecommunication companies handle vast amounts of sensitive customer data, including personal information and communication records. This makes them attractive targets for cybercriminals seeking to steal and exploit valuable data for financial gain or other malicious purposes.
  6. Increasing Connectivity: As telecommunication networks become more integrated with other industries and technologies (such as the Internet of Things), the attack surface for potential threats expands. This increased connectivity can expose telecommunication companies to new and evolving cyber threats.
  7. Legacy Systems: Some telecommunication companies may still be using legacy systems that were implemented before the current cybersecurity landscape evolved. These older systems might have known vulnerabilities that have not been adequately addressed or patched, making them susceptible to attacks.
  8. Supply Chain Risks: Telecommunication companies often rely on a complex supply chain for hardware and software components. If any of these components have vulnerabilities, it can introduce risks into the overall system, especially if security measures are not rigorously enforced throughout the supply chain.
  9. Human Factors: Insider threats or human error can also contribute to vulnerabilities. Employees with access to critical systems may inadvertently introduce security risks through actions such as falling for phishing attacks, using weak passwords, or mishandling sensitive information.

To mitigate these vulnerabilities, telecommunication companies must invest in robust cybersecurity measures, conduct regular risk assessments, stay updated on the latest threats, and implement best practices for network security. This includes employee training, regular system patching and updates, and the adoption of advanced security technologies.

We believe Optus and similar companies are aware of, and abreast of, all the measures they should take to safeguard against the listed vulnerabilities to cyber attack. Most organisations nowadays invest heavily in tools and technologies. What else is important?

In my opinion, a cybersecurity program is like a big aircraft (or several) ready to land at an airport. We should focus equally on the runway and the related on-ground safety. In an organisation this translates to focused leadership and efficient management. No matter how sophisticated the tools and technology we deploy, unless we have leadership that foresees challenges and an efficient management stack to make the best use of the deployed tools and technologies, there will still be a gap, however small, which when compromised will result in big losses.

Potential Root Causes of the Outage: Though Optus announced this to be a software upgrade failure, it is hard to believe so. The primary reason for my disagreement with such a conclusion is the span of the outage. The outage covered voice, text and internet. It is highly unlikely that any one upgrade would touch all three of these domains, which are domain-isolated with layer-2 and layer-3 redundancies. The following broad conclusions can be drawn.

  1. Technical Glitch or Human Error? The first question on everyone’s mind during a network outage is whether it was caused by a technical glitch or human error. Optus, like any other telecommunications giant, relies on a complex network of hardware, software, and personnel to keep its services running smoothly. Initial investigations suggested that the outage might have originated from a technical malfunction in one of the critical components of the network. However, the possibility of human error, such as misconfigurations or oversight during routine maintenance, cannot be ruled out.
  2. Network Overload and Capacity Issues: With the ever-increasing demand for data and connectivity, telecommunications networks face the constant challenge of expanding their capacity to meet user needs. The Optus outage could have been exacerbated by a sudden surge in network traffic or an unexpected overload on specific components, causing a strain on the infrastructure.
  3. Security Concerns: In an era where cybersecurity threats are on the rise, the outage raised questions about the role of security in safeguarding critical infrastructure. While initial reports did not indicate a cyberattack, the incident prompted a reassessment of the security measures in place to protect against potential threats that could compromise the network’s integrity.
  4. Supply Chain Vulnerabilities: Telecommunications providers often rely on a vast supply chain for their equipment and software. The outage might have been linked to vulnerabilities in components supplied by third-party vendors, highlighting the importance of rigorous vetting and security protocols throughout the supply chain.

Learning from the Outage: The Optus outage serves as a wake-up call for both telecommunications providers and consumers. It emphasizes the need for continuous investment in robust infrastructure, regular system audits, and comprehensive cybersecurity measures. As technology evolves, so do the challenges, and proactive steps must be taken to stay ahead of potential disruptions.

Conclusion: The recent Optus outage is a stark reminder that even industry giants are not immune to technical hiccups and unexpected disruptions. As we navigate the intricate web of modern telecommunications, it becomes imperative for providers to prioritize resilience, security, and adaptability in the face of an ever-changing digital landscape. Only through continuous improvement and investment in cutting-edge technologies can we hope to build a telecommunications infrastructure that stands the test of time.

References:

  1. https://www.cyberdaily.au/commercial/9263-deja-vu-optus-suffers-data-breach-from-major-cyber-attack
  2. https://www.itnews.com.au/news/optus-cyber-attack-exposes-customer-information-585567
  3. https://itwire.com/security/optus-hit-by-huge-data-breach,-up-to-9m-customers-claimed-affected.html
  4. https://www.databreaches.net/au-optus-under-investigation-for-white-pages-privacy-breach/
  5. https://www.smh.com.au/business/companies/i-could-access-everything-optus-customers-worried-after-logging-in-as-vladmir-20190214-p50xx6.html

CVE-2021-44228 – Log4Shell/Log4J

🪢 There has always been a tug-of-war between what is “comfortable” and what is “healthy”; it has been discussed for ages, and more so as technology has proliferated in our day-to-day affairs.

👨🏻‍💻 Software developers, while documenting and logging an application’s physiology, tend to be creative and use “variables” to make the program’s footprint more meaningful.

🤗 This is exciting; I mean, how helpful it is to read and refer to software logs when they contain useful runtime information. In simple terms, knowing the current directory, resource utilisation etc. at the moment a piece of information is written to the software logs carries enormous intelligence.

🎯 Personally I am a fan of this methodology. I am not a software developer, but I used this technique to automate alerts for link latency and resource utilisation using SolarWinds NPM. Back in 2007-2008 I learned SolarWinds from Rajiv Bahl. I was mesmerised by the innovative approaches he used: MS Visual Basic to demonstrate resiliency in key network components, animated presentations of packet flow, and most importantly harnessing the power of SolarWinds’s SQL database (using key tables) to build SLA reports. I took this inspiration and learning to the next level by automating link latency alerts. So the boring latency, flap and jitter alerts were replaced with formally drafted email alerts starting with “Dear Team, I am ROUTERXXX…” and having a message body embedding key values of troubleshooting importance, retrieved using SQL queries.

🧞‍♂️ This was magic. When I did this alert automation for call centre links, with an automated SMS/email whenever latency exceeded 170ms from Sydney to Mumbai, it was highly appreciated by the service management team. We were more proactive, customer satisfaction was excellent, and I secured an “Innovation Award” for that quarter.

🧐 When I look back, I see myself so charged with innovation and underestimating the security challenges it brings home. With CISSP my lens changed, and so did my frame of reference, and I started to think about these past memories from a totally new frame of reference. I don’t see that it was bad from a security standpoint, but this Log4J kind of rekindled my past life of using variables and bringing automation-driven intelligence to logging.

📚 The details are already documented here: https://www.cygenta.co.uk/post/log4shell-in-simple-terms, and I encourage people to read this excellent piece for a quick understanding.

🧪🔬 Using variables gives great power and ease. It lets us use information in a more intelligent way, saving huge amounts of time and effort, but this ease comes at the cost of these variable-driven intelligence mechanisms being open to misuse.

Log4J/Log4Shell is a classic example of this paradox we are faced with. Some enjoy ease and innovation, others enjoy exploitation and evil, and some stand guarding the castle. This is IT, and everyone enjoys what they love the most.
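To make the paradox concrete, here is an added illustration (not code from the original post or from Log4j): a toy logger with a Log4j-shaped `${prefix:key}` lookup syntax, a hypothetical resolver and context table, showing the comfortable path where untrusted data is expanded and the healthy path where it never reaches the expander, which is the principle behind Log4j disabling message lookups.

```python
"""Constructed example: the "ease versus misuse" of variable lookups in logs.
The lookup syntax, resolver and context table are a hypothetical stand-in for
Log4j's lookup feature; nothing here is Log4j's own code."""
import re

# Lookup tokens have the same shape as Log4j lookups: ${prefix:key}
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")

# Constructed runtime context that a convenience-minded logger might expose.
CONTEXT = {
    "env": {"HOME": "/home/svc", "HOSTNAME": "router01"},
    "sys": {"cwd": "/opt/app"},
}


def resolve(prefix: str, key: str, original: str) -> str:
    """Resolve one lookup token. Known prefixes read the context table; an
    unknown prefix only records that the lookup code path was reached (in
    Log4j that path led to network-backed lookups such as jndi)."""
    table = CONTEXT.get(prefix)
    if table is None:
        return f"<{prefix} lookup invoked>"
    return table.get(key, original)


def expand_lookups(message: str) -> str:
    """Resolve every ${...} token in the message, wherever it came from."""
    return LOOKUP_RE.sub(lambda m: resolve(m.group(1), m.group(2), m.group(0)), message)


def log_unsafe(template: str, untrusted: str) -> str:
    """Comfortable: splice the untrusted value into the '{}' slot first, then
    expand. Client-controlled text now drives the lookups."""
    return expand_lookups(template.replace("{}", untrusted))


def log_safe(template: str, untrusted: str) -> str:
    """Healthy: expand only the developer-controlled template, then insert the
    untrusted value as opaque text that is never parsed for lookups."""
    return expand_lookups(template).replace("{}", untrusted)


def contains_lookup(text: str) -> bool:
    """Detection aid: flag untrusted input carrying a lookup-shaped token
    before it reaches any logger that might expand it."""
    return "${" in text


if __name__ == "__main__":
    # Constructed sample: a User-Agent header fully under the client's control.
    user_agent = "${env:HOME}"
    template = "[${env:HOSTNAME}] request from {}"
    print(log_unsafe(template, user_agent))  # leaks /home/svc into the log
    print(log_safe(template, user_agent))    # logs the literal ${env:HOME}
    print(contains_lookup(user_agent))       # True
```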

#security #log4j #log4jvulnerability #cissp #ccsp #solarwinds #grc #technology