A drunken debugger

Heretek of Silent Signal

#2961 - CrowdStrike


The sheer volume of CrowdStrike-esque domains being registered and weaponized today is…staggering.


just ran into an incredible bug: portal 2 crashes if you happen to have a CPU with 128 threads

https://github.com/ValveSoftware/portal2/issues/367


Dear buttplug.io users:

We apologize for the current downtime.

If your butt is BSOD’ing, please try rebooting it a few times.


Just reiterating, because this is getting lost in a lot of the coverage: the original Azure outage and the CrowdStrike Windows bug are NOT related. That said, a significant number of corps run Windows servers on Azure with CrowdStrike Falcon. Wired coverage has more.
https://www.wired.com/story/crowdstrike-outage-update-windows/


So I just happened to read a blog discussing some PoC crashes in Office (https://code610.blogspot.com/2017/10/microsoft-outlook-2016-rwra-crash.html) & what did I do? I sent them to @expmon_ immediately (https://pub.expmon.com/analysis/110243/).

ht: I've found real exploitable bugs w/ the power of EXPMON, it's not just a 0day detection system.:)


Graham Sutherland / Polynomial

pour one out for the homies who can't head to the pub tonight because they're stuck unfucking hundreds of computers


you can outsource the work, but you can't outsource the risk

"Google is no longer trying to index the entire web. In fact, it's become extremely selective, refusing to index most content. This isn't about content creators failing to meet some arbitrary standard of quality. Rather, it's a fundamental change in how Google approaches its role as a search engine."

https://www.vincentschmalbach.com/google-now-defaults-to-not-indexing-your-content/

This pretty much confirms my previous assessment:

https://infosec.place/notice/AjnQ7fYpkwNnsgcLLc

Here is a GPO that can apparently run in safe mode to automate the removal of the problematic CrowdStrike driver: https://gist.github.com/whichbuffer/7830c73711589dcf9e7a5217797ca617

EDIT: despite my indication that this is for running in safe mode, many people seem to have missed that I said it is for safe mode. So, here is the clarification: IT IS FOR SAFE MODE

H/T @p4gs


When I said "one day my stance on EDR / AV / IPS will be vindicated" I didn't mean for half the Internet to melt down but I am soooooo enjoying this moment.

Thank you for giving me my day of glory. Now I will have a story to tell my grandchildren.


Rairii (bootloader unlocked, MSR_LE set)

so I happen to have a 0day downgrade attack bitlocker bypass, which would be very helpful for people who are dealing with the crowdstrike issue and have more than about a dozen systems with tpm+secure boot bitlocker lol

the downgrade attack part is why i never publicly documented the original issue yet

also I bet MS are very annoyed that everyone’s saying it's their fault


Explaining to reporters that this is not a Microsoft issue but a CrowdStrike issue - interesting how differently the "non tech" world looks at this


I recall reading a "computer horror story", most probably around 2005-2010 but dated earlier, maybe much earlier, that involved a computer room with floor tiles and a short circuit, probably below those tiles. The story described the long process of investigating the issue and I was thrilled to read it.

It was comparable to the Unix recovery legend and to VAXen, my children, just don't belong in some places.

Please boost and if you know that story or anything that sounds at least close to it -- please share! If you help me find the one I'm looking for, you'll be my hero for at least a week!


EDR bug crashes all your points of access.

Vendor investigation and Incident Response processes are started, risking the exposure of your operation.


Nobody got fired for buying and ...

that's because the HR systems are down.

"Mild chaos at Sydney Airport"

I think "mild chaos" is my new favorite phrase for describing anything.
"many 911 and non-emergency call centres are not working correctly across the State of Alaska"

Periodic reminder that "security by shoving in more complexity" is an especially bad idea in case of critical infrastructure...

#CrowdStrike