Can/will the CrowStrike outage be replicated by hackers?

Nollij , 4 hours ago

“Hackers” (rather, malicious actors) rarely look to take down IT resources as their goal. Instead, they want to access it for their own purposes. The closest example would be ransomware, where it gets taken down as part of the threat/punishment. But if the victim pays, their resources must be restored.

Plus, I would be surprised if Crowd Strike doesn’t have any protections on its own files. I also expect there will be additional verification checks (hash/etc) on their updates going forward.

Blizzard OP , 3 hours ago

malicious actors rarely look to take down IT resources as their goal

Could be a hostile government sponsored group or idealists (Microsoft has more haters than fans) or simply someone could do it just because they can - if they could. Some men just want to see the world burn.

zelifcam , 1 hour ago

Im not sure you have a grasp of what actually happened.

PonyOfWar , 5 hours ago (edited 5 hours ago)

The “vulnerability” here was basically just having Kernel level access, which CrowdStrike is intended to have. If hackers had that, they’ve already won anyway. The difficulty lies in actually getting that level of access. So no, it doesn’t change a thing for hackers.

Blizzard OP , 4 hours ago

So how about hacking CrowdStrike and obtaining that access? I’m guessing it might be easier than hacking Microsoft?

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

sylver_dragon , 4 hours ago

So how about hacking CrowdStrike and obtaining that access? I’m guessing it might be easier than hacking Microsoft?

Maybe. CrowdStrike is a company which specializes in security and has some pretty smart folks in that area. They also live and die by the perceived value of their security products. So, security is pretty important to the company. Microsoft is a conglomerate, and while it does have some arms which specialize in (and are pretty good at) security, the company’s continued existence doesn’t depend on their performance. So, the Microsoft President can go in front of Congress and promise to do better, and we all know this is bullshit and Microsoft will continue to be Microsoft.

As for an attacker actually leveraging the CrowdStrike platform as part of an attack. It’s entirely possible. Security products have been found to have vulnerabilities in the past. IIRC, McAfee’s ePO server was vulnerable to Log4j. And given CrowdStrike’s engine runs in Ring 0 on the endpoints, it’s certainly an attractive target. Finding a Remote Code exploit in it seems like something an APT like the NSA or PLA Unit 61398 might get up to. That said, as I mentioned above, CrowdStike also employs a lot of smart folks and is likely doing it’s level best to find those vulnerabilities first and fix them.

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

Ya. Really, any EDR or A/V product is going to run in Ring 0. And any such kernel level driver crashing is going to cause a BSOD. That’s just the way Windows is designed. I have personally dealt with bad updates from several other products causing BSODs. Including one which brought down the entire site I was working at, at the time. I believe it also took down a number of other sites as well. Since, once I figure out how to get the bad update out of our system, the folks responsible for the update actually reached out and asked me what I did.

Ultimately, products like these exist in a very trusted state on systems, because they have to. if and when they crash, you can expect a BSOD. In this case, I suspect CrowdStrike is going to receive (and they deserve) a lot of shit for the way this one went down. The reporting I’ve seen states that the update file was just a mass of null bytes. And it seems there was no sanity checking or error handling for a corrupt update being pushed by CrowdStrike. I suspect that’s gonna get fixed pretty quick, but it was a pretty bad oversight for a product with regular, live updates.

Blizzard OP , 3 hours ago

Great comment. And cool story about your fix!