INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
"Mouse Logger" Malicious Python Script
Published: 2024-07-24
Last Updated: 2024-07-24 06:45:59 UTC
by Xavier Mertens (Version: 1)
Keylogging is a pretty common feature of many malware families because recording the keys pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. Back from SANSFIRE, I looked at my backlog of hunting results and found an interesting piece of Python malware. This one implements a keylogger and a screenshot grabber but also... a "mouse logger"! By mouse logger, I mean that it can collect activity generated by the user's mouse.
The attacker uses the classic Python module pynput ...
Read the full entry:
https://isc.sans.edu/diary/Mouse+Logger+Malicious+Python+Script/31106/
Widespread Windows Crashes Due to CrowdStrike Updates
Published: 2024-07-19
Last Updated: 2024-07-19 16:59:59 UTC
by Johannes Ullrich (Version: 1)
Last night, endpoint security company CrowdStrike released an update that is causing widespread "blue screens of death" (BSOD) on Windows systems. CrowdStrike released an advisory, which is only available after logging into the CrowdStrike support platform. A brief public statement can be found here.
CrowdStrike now also published a detailed public document with tips to recover:
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
---
Update: Some reports we have seen indicate that there may be phishing emails circulating claiming to come from "CrowdStrike Support" or "CrowdStrike Security". I do not have any samples at this point, but attackers are likely leveraging the heavy media attention. Please be careful with any "patches" that may be delivered this way.
One domain possibly associated with these phishing attacks is ...
---
Linux and macOS systems are not affected by this issue.
The quickest fix appears to be to boot the system into "Windows Safe Mode with Networking". This way, CrowdStrike will not start, but the current version may be downloaded and applied, which will fix the issue. This "quick version" of the fix is not part of CrowdStrike's recommendations but may be worth a try if you have many systems to apply the fix to or if you need to talk a non-computer-savvy person through the procedure. Some users have reported that this will succeed.
Casimir Pulaski (@cybermactex) mentioned on X that a simple reboot sometimes works if the latest update was downloaded before the system crashed.
The support portal statement offers the following steps to get affected systems back into business ...
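The "quick version" above is a manual boot-menu procedure; where you can still get an elevated shell on the host (for example after one of the reboots that happens to succeed), the same Safe Mode with Networking boot can be scheduled and later reverted from the command line. This is an added example, not ISC's or CrowdStrike's code, and it assumes an elevated PowerShell session on the affected host.

```powershell
# Added example (not ISC's or CrowdStrike's code): schedule the next boot into
# "Safe Mode with Networking" and provide the matching revert.
# Assumption: run from an elevated PowerShell session on the affected host.
#Requires -RunAsAdministrator
param(
    [ValidateSet('Enable', 'Revert')]
    [string]$Action = 'Enable'
)

# {current} is the boot entry of the running OS. It is quoted because
# PowerShell would otherwise parse the braces as a script block.
$entry = '{current}'

switch ($Action) {
    'Enable' {
        # Show any existing safeboot setting first so the change is auditable.
        bcdedit /enum $entry | Select-String 'safeboot'
        bcdedit /set $entry safeboot network
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        Write-Host 'Next boot will enter Safe Mode with Networking; rebooting in 10 s.'
        shutdown /r /t 10
    }
    'Revert' {
        # Remove the flag once the updated content has been applied; otherwise
        # every subsequent boot keeps landing in Safe Mode.
        bcdedit /deletevalue $entry safeboot
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        Write-Host 'Safe Mode flag removed; the next boot is a normal boot.'
    }
}
```

Run it once with `-Action Enable`, let the host come up in Safe Mode with Networking and pick up the current content, then run `-Action Revert` before the final reboot.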
Read the full entry:
https://isc.sans.edu/diary/Widespread+Windows+Crashes+Due+to+Crowdstrike+Updates/31094/
CrowdStrike: The Monday After
Published: 2024-07-22
Last Updated: 2024-07-22 17:06:26 UTC
by Johannes Ullrich (Version: 1)
Last Friday, CrowdStrike released a bad sensor configuration update that caused widespread crashes of Windows systems. The most visible effects of these crashes appear to have been mitigated. I am sure many IT workers had to spend the weekend remediating the issue.
It is still early regarding the incident response part, but I would like to summarize some of the important facts we know and some lessons learned.
You are likely affected if the CrowdStrike sensor system retrieved updates between 0409 and 0527 UTC on Friday, July 19th. CrowdStrike allows users to configure a sensor update policy, which will delay the update of the sensor software. But the corrupt file was a configuration ("signature") update, not an update of the sensor itself. Configuration updates are always applied as soon as they are released. Customers do not have an option to delay these updates. Systems crashed because a kernel driver provided by CrowdStrike crashed as it read the malformed configuration file.
Since news of the incident broke, CrowdStrike has been updating and expanding its guidance. Your first stop should be CrowdStrike's "Remediation and Guidance Hub". It will link to all the resources CrowdStrike has to offer. Yesterday, CrowdStrike announced that they will soon offer a new, accelerated technique for recovery. As I write this, the new technique has not been published. CrowdStrike did provide a new dashboard to affected users to track systems affected by the update.
Microsoft developed a USB solution to simplify the process. To apply the update, systems must be booted from the USB key. However, Bitlocker-encrypted hosts may require a recovery key.
Bitlocker is the major hurdle to a speedy recovery for many affected organizations. Ben Watsons posted on LinkedIn that his organization came up with a way to use a barcode scanner to simplify entering the recovery keys. I do not believe that the related code to create the barcodes is public.
Read the full entry:
https://isc.sans.edu/diary/CrowdStrike+The+Monday+After/31098/