Welcome to the eighth edition of Dellfer Insights, curated by our VP of Channels, Shawn Lorenz. This series highlights important industry news, key takeaways, and strategies to combat the next cyberattack. In this edition, we explore the Microsoft/Crowdstrike worldwide “IT Outage,” a preventable event that underscores the importance of robust cybersecurity engineering. We also discuss the need for improved cyber insurance models and revisit the persistent threats posed by state actors targeting network devices. It’s an exciting time to be on the front lines of cybersecurity, working to write flawless code and protect against threats.
💡 Dellfer Insight #1:
Q: What has the CrowdStrike-Microsoft outage taught us?
A: There is no difference between a software vulnerability that enables a cyber attack and a software update that disrupts your entire customer base. Both stem from poor engineering practices in the software development process and the lack of runtime monitoring to catch errors and attacks.
Quick review: The CrowdStrike outage was caused by a defect in a configuration update for its Falcon sensor software. Specifically, a sensor configuration update released on July 19, 2024, triggered a logic error that led to system crashes and the infamous “blue screen of death” (BSOD) on Windows systems. This update was intended to target new malicious activities but inadvertently caused the crashes due to a flaw in the update’s logic.
The issue arose because problematic content passed through the Content Validator without being flagged, leading to the deployment of the faulty update. When the sensor tried to execute this update, it triggered an out-of-bounds memory read, causing the crashes.
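The two checks described above, validation before deployment and bounds checking at runtime, are shown here on a deliberately simplified, constructed update format (a field count followed by fixed-size fields). This is an added illustration, not CrowdStrike's code or file format; the layout, `MAX_FIELDS`, and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_FIELDS 21   /* fixed-size table the sensor indexes into (assumed) */

typedef struct {
    uint32_t field_count;
    uint32_t fields[MAX_FIELDS];
} content_update_t;

/* Decode a little-endian 32-bit value so the sample bytes mean the same on any host. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Content validator: reject an update before it ships if its declared field
 * count exceeds the table or disagrees with the byte length.
 * Returns 0 on success, a negative code on rejection. */
int validate_update(const uint8_t *buf, size_t len, content_update_t *out)
{
    if (buf == NULL || out == NULL || len < 4) return -1;
    uint32_t count = le32(buf);
    if (count > MAX_FIELDS) return -2;               /* would read/write past fields[] */
    if (len != 4 + (size_t)count * 4) return -3;     /* truncated or padded update */
    out->field_count = count;
    for (uint32_t i = 0; i < count; i++)
        out->fields[i] = le32(buf + 4 + i * 4);
    return 0;
}

/* Runtime lookup: a detection rule asks for field `index`. The unchecked form
 * `*value = upd->fields[index];` is the out-of-bounds read that crashes the host;
 * checking against the count the update actually carried prevents it. */
int lookup_field(const content_update_t *upd, uint32_t index, uint32_t *value)
{
    if (upd == NULL || value == NULL || index >= upd->field_count) return -1;
    *value = upd->fields[index];
    return 0;
}

/* Constructed sample updates (not real channel-file content). */
static const uint8_t GOOD_UPDATE[16] = {3,0,0,0, 10,0,0,0, 20,0,0,0, 30,0,0,0};
static const uint8_t OVERSIZED_COUNT[16] = {100,0,0,0, 10,0,0,0, 20,0,0,0, 30,0,0,0};

int main(void)
{
    content_update_t u; uint32_t v = 0;
    printf("good update: %d\n", validate_update(GOOD_UPDATE, sizeof GOOD_UPDATE, &u));
    printf("lookup field 2: %d (value %u)\n", lookup_field(&u, 2, &v), v);
    printf("lookup field 20: %d\n", lookup_field(&u, 20, &v));
    printf("oversized count: %d\n", validate_update(OVERSIZED_COUNT, sizeof OVERSIZED_COUNT, &u));
    return 0;
}
```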
The software industry often blames poor releases on the immense pressure to meet delivery deadlines, but perhaps it’s time to examine our outdated development tools. Hackers have had access to advanced tools, leaving our developers lagging behind. If my code scanner misses coding errors and vulnerabilities, it’s time to recognize that the shortcomings of traditional development and deployment tools are creating bugs and vulnerabilities.
Key Takeaway
CrowdStrike quickly reverted the update and has since implemented additional measures to prevent similar issues. These measures should include more thorough testing methods such as fault injection, stress testing, and enhanced validation processes. These plans should also include improving both the development-time scanning and the real-time runtime monitoring of all CrowdStrike software.
Why It Matters
Better scanning tools that eliminate all security vulnerabilities and coding errors are needed. Dellfer’s ZeroDayGuard fully implements shift-left security, eliminating known exploits during development and all zero-day exploits during runtime. No more holes in your code, as we eliminate all bugs and attacks with your existing development workflows and no false positives. Out-of-bounds memory errors are among the thousands of bugs we catch in Linux daily. Need Windows? Call us. One tool results in no vulnerabilities and bugs in your code. Dellfer.
💡 Dellfer Insight #2:
The current state of cyber insurance is not what it should be. The increasing frequency and complexity of outages and cyber-attacks, better risk modeling, and security tools underscore the urgent need for improved cyber insurance.
The CrowdStrike-linked global IT outage could result in insured losses between $540 million to $1.08 billion. The total direct financial loss for US Fortune 500 companies (excluding Microsoft) is projected at $5.4 billion, with only 10% to 20% covered by cyber insurance. Cyber insurance analysts stress the necessity of increasing cyber insurance and reinsurance capital to bridge the existing protection gap. They underscore the importance of diversifying cyber risk portfolios and better managing aggregated risk to mitigate systemic cyber threats.
To achieve this, they advocate for heightened investments in advanced cybersecurity tools, which can facilitate the development of new risk assessment models and enhance overall industry resilience. These tools help in better risk identification, prevention, and mitigation and support insurers in making more informed underwriting decisions supported by advanced models. This will ultimately lead to a more stable and sustainable cyber insurance market.
Moody’s concluded: “Cyber modeling has advanced, but the risks are constantly evolving, which creates uncertainty around return periods and the likelihood of an event. The CrowdStrike outage will prompt further scrutiny of risk aggregations and modeling practices and spur demand for cyber insurance.”
Key Takeaway
Advanced cybersecurity tools are essential for the cyber insurance industry to manage risks effectively, ensure accurate pricing, reduce claims, build trust, and support market growth by increasing the attractiveness and viability of cyber insurance products.
Why It Matters
Dellfer’s ZeroDayGuard cybersecurity tools are essential for developing more accurate, comprehensive, and effective cyber insurance models. Dellfer enables better risk assessment, policy design, and risk management by scanning your source code and eliminating poorly written code and vulnerabilities. Dellfer provides a new approach that protects against attacks proactively. ZeroDayGuard stops known and unknown attacks at the source—the source-code layer—with no false positives.
💡 Dellfer Insight #3:
In our previous installment, we explored a series of cyber attacks on edge devices affecting major companies such as Barracuda Networks, Fortinet, Ivanti, Palo Alto, MITRE, and VMware. In this edition, we’ll dive deeper into recent instances of malware-as-a-service (MaaS) targeting Ivanti Connect Secure, JetBrains TeamCity, FortiClient Enterprise Management Server, and Palo Alto Networks PAN-OS, the most widely exploited edge infrastructure platforms of the first half of 2024.
Malware-as-a-Service (MaaS) is a cybercriminal business model in which malware and related services are provided to other cybercriminals, typically via the dark web. This model allows even those with minimal technical skills to launch sophisticated cyber attacks using pre-made malware and deployment services paid for with fees and profit sharing. The recent MaaS-driven attacks below demonstrate the limitations of traditional security solutions, emphasizing the need for enhanced cyber tool strategies.
Ivanti reported that multiple threat actors or groups have targeted vulnerable devices. Researchers identified a unified cluster of activity across Ivanti’s customer base, profiled as the likely outcome of MaaS-style coordination. Exploiting CVE-2023-46805 allows attackers to bypass authentication controls and gain access to restricted resources, while CVE-2024-21887 lets authenticated administrators execute arbitrary commands on vulnerable devices.
Palo Alto Networks disclosed a critical security flaw in its PAN-OS software, CVE-2024-3400, with a maximum CVSS score of 10.0. This vulnerability allows attackers to execute code with elevated privileges on the firewall. The attack is multifaceted, involving additional payloads and further post-exploitation efforts. According to OSINT sources, researchers have found that some of the downloaded files are linked to known cryptocurrency mining malware.
JetBrains TeamCity: CVE-2024-27198 is particularly concerning due to its critical severity (9.8), ease of exploitation, and the widespread use of TeamCity in enterprise environments. It poses significant risks to code bases, CI/CD pipelines, and any credentials stored on TeamCity servers. The potential for supply chain attacks makes it an attractive target for nation-state threat actors.
Fortinet CVE-2023-48788 is a critical SQL injection vulnerability in FortiClient Enterprise Management Server (EMS) affecting versions 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2, with a CVSS score of 9.8. Discovered by Fortinet in March 2024, this flaw allows unauthenticated attackers to execute remote code via specially crafted requests, leading to SYSTEM-level privilege compromises, unauthorized access, and data theft. Active exploitation has been observed, with attackers installing remote management tools and PowerShell backdoors. Fortinet advises updating to versions 7.0.11 or 7.2.3, or applying a virtual patch if updates aren’t immediately feasible.
Key Takeaway
Two trends cause concern: 1) MaaS has increased the number of individuals armed with advanced attack tools by making it too easy. 2) Edge devices, especially edge appliances, are a popular target, with 85% of known zero-day exploits since 2021 focusing on these platforms.
Why It Matters
The second half of 2024 will show an increase in the number of cyber attacks on edge computing devices. It will not get better. This is only the beginning. The code you are shipping today has zero-day vulnerabilities. Many more cyber attackers are poking at your devices than you have cyber employees on your payroll. They are now working in unison with MaaS platforms with higher efficiency and attack rates. Dellfer will block these attacks with no false positives in real time.
We call it “ZeroDayGuard” for a reason. Dellfer is ready to have a discussion. Reach out anytime.