Forum Updates and DDoS attack

Status
Not open for further replies.
The fun part with CrowdStrike is this:

It is a kernel mode driver that is causing the crash.... this should be impossible really. Why? Because of this: https://learn.microsoft.com/en-us/w...igning-requirements--windows-vista-and-later-

Basically, you need Microsoft's nod before your driver can load into any retail windows installation. Windows does not load a kernel mode driver without Microsoft's signature.

This only means one and only one thing. CrowdStrike is somehow able to load a kernel mode driver without Microsoft's vetting.

That's not a very comforting thought.
There have been similar incidents in the past. For example, the incident with McAfee. That bug rendered all Windows clients unusable. After the incident some companies switched to Checkpoint. But this CrowdStrike one is worse than previous incidents. The bug brings the entire Windows OS to a crash.
But the lesson to learn is never enable automatic updates, no matter whether it is CrowdStrike, McAfee or Checkpoint.
We are off topic though. This is a DoS attack.
 
When opening this site it goes to verification but verifies automatically, not giving the option of clicking on a check box. If it's not taking input, then is it preventing a DoS attack or not?
 
When opening this site it goes to verification but verifies automatically, not giving the option of clicking on a check box. If it's not taking input, then is it preventing a DoS attack or not?
Yes it is…
 
CrowdStrike is a very different attack, but I get it that I am not alone in this mess… lol
It will surely be tough.

Smart firewalls and WAFs are not good enough to protect nowadays, and even if I add AV protection also...

We usually do quarterly Red Team / Blue Team exercises.

Even though we have all the latest CyberCOE tools available to us, including support from... three SIEM tools: Claroty (OT), Azure Sentinel, QRadar; ZeroFox, SOC Prime, XSOAR for centralized alert monitoring, CrowdStrike, and Anomali tools..... there are a few more.

But believe me, we have failed many times. They were able to compromise one of the domain admin accounts.

So truly, I understand how difficult it is to deal with.
 
Take your time, do what is needed.

It's summer time, most of us could do with a few days out in the sun. :)
I agree, take your time. Shut the whole forum down if you want. It's better to take it slow and fix it when you can.
 
We have taken many preventive measures including some of them mentioned by you. They can only attack us and I can come in public to reveal what happened. We have our strategy after realising what is happening and hopefully that issue is fixed once again.

Edit - other screenshots removed

The question is, where did these attacks originate from? Let me take a guess. India? Could it be possible that the very Hindutvatis on this forum carried out the DDoS attack?
 
The question is, where did these attacks originate from? Let me take a guess. India? Could it be possible that the very Hindutvatis on this forum carried out the DDoS attack?
I want to hide as much information as possible, but from what I have observed, it began from Russia.

Maybe someone paid someone in Russia to carry out these DDoS attacks but I really don’t want to speculate
 
I want to hide as much information as possible, but from what I have observed, it began from Russia.

Maybe someone paid someone in Russia to carry out these DDoS attacks but I really don’t want to speculate

I am pretty certain the Indians were behind this attack. As you said, probably paid Russian hackers. Wolves in sheep's clothing. I bet you it is the ones on this forum.

Definitely kudos to you and your team. You are doing a very good job in keeping the forum secure.
 
I am pretty certain the Indians were behind this attack. As you said, probably paid Russian hackers. Wolves in sheep's clothing. I bet you it is the ones on this forum.

Definitely kudos to you and your team. You are doing a very good job in keeping the forum secure.
Then you don't know about the threat actors.

We get hundreds of attack alerts from Russian Federation networks; phishing campaigns, password spraying etc. are very common.

It's very normal.
 
Then you don't know about the threat actors.

We get hundreds of attack alerts from Russian Federation networks; phishing campaigns, password spraying etc. are very common.

It's very normal.

It is very normal to have cyber attacks from Russia? Maybe where you live.

To me it only makes sense that this attack happened from one foe only.
 
That's why you need to be a person in this game to work for a subcontractor. Essentially you are doing the same job as when you were in the NSA or Military Intelligence, but you get paid 4 times the amount, so that it lines the pocket of the contractor company (which spells out the who's who in the military circle).

But that does not mean it was always secure, because things change and circumstances change, and the reason why they are doing that is because of money. Those who were in charge of these organisations have no idea how IT works. I mean, do you think, for example, Gen. David Petraeus is well versed and knowledgeable in IT, if at all? That's the person who makes those decisions (not singling him out, everyone in his position was doing the same thing). But then IT companies like MS or Oracle should have known better.
Alright! Now I have more details on the CrowdStrike mess.. https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/

These guys at CrowdStrike have these so-called "configuration files" (which incidentally use the same extension as kernel drivers in Windows, no less... weird!). These "configuration aka channel files" are used by their kernel driver to monitor aberrant "things" (they say named pipes, but it could be anything else too). And when they changed the configuration, it triggered some existing issue in the kernel driver... And then no more booting.

This is ... a very very very poorly designed solution. It kind of absolves Microsoft and it also kind of does not. Microsoft validates all kernel mode drivers. So you have to supply your driver and Microsoft will... validate that it does not blow up the system and will then sign your driver. Only now, the driver also looks for and loads an unsigned "config" file (and presumably skips some stuff if it does not find it).. I do not know if it violates Microsoft's mandate for writing a kernel driver if you are loading code or data from a file that was not submitted to Microsoft for validation.

Ideally, you should NOT change anything after you get certified by Microsoft, because you are otherwise making the validation that Microsoft did worthless and making their OS unreliable. I mean, I could just include a Python interpreter in my driver and load all the logic from an unsigned .py file. That would be ludicrous.

Now the question is whether Microsoft was complicit in this broken design. Did they know of this and decide to let it fly, or were they unaware of it at all? Both are bad. The first is very bad because it gives CrowdStrike too much power to make changes right under Microsoft's nose. The second is bad because it means Microsoft is incompetent. Assuming it was the first ... it was a stupid decision, and if there are more actors like CrowdStrike, it makes me really nervous.

I would love to see if any litigation arises from this between Microsoft and CrowdStrike.
 
I want to hide as much information as possible, but from what I have observed, it began from Russia.

Maybe someone paid someone in Russia to carry out these DDoS attacks but I really don’t want to speculate
Russia is the capital of anything shady in IT. Could be anything. Oh, and Russians do mess things up as well. A lot. I have seen my employer's website being probed when the attack was aimed at something totally different.

Cloudflare should help a lot. But it depends upon specifics.

BTW, do check all the hosts under your domain, and that all your hosts are locked up tight and only allowing Cloudflare traffic. I once saw a website that had changed its primary load balancer IP(s) but did not lock down the host for some weird reason. The idea was to mitigate an attack going on against the cached host IP. But finding the new IP was as easy as doing an nmap scan of your IP range. Anyhoo! Nice weekend and hopefully this gets resolved easily.
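An added example (not from the post, and not Cloudflare's own tooling) of the lockdown audit the post recommends: check an origin host's inbound allowlist against Cloudflare's published edge prefixes and flag any web-port rule that also accepts traffic from elsewhere. The rule format is a hypothetical one-line-per-rule form, and the embedded prefix list is a constructed snapshot that should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Constructed snapshot of Cloudflare's published IPv4 edge prefixes.
# Assumption: refresh this from https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed allowlist in a hypothetical "ACTION PROTO PORT FROM CIDR" format.
SAMPLE_RULES = [
    "ACCEPT tcp 443 FROM 173.245.48.0/20",  # fine: a Cloudflare edge range
    "ACCEPT tcp 443 FROM 0.0.0.0/0",        # bad: origin reachable from anywhere
    "ACCEPT tcp 80 FROM 104.16.0.0/12",     # bad: wider than the published /13
    "ACCEPT tcp 22 FROM 10.0.0.0/8",        # ignored: not a web port
]


def audit_origin_allowlist(rules, edge_prefixes=CLOUDFLARE_V4):
    """Return the web-port ACCEPT rules whose source is not fully inside an edge prefix.

    A rule passes only if its source network is a subnet of one published
    prefix; supersets and catch-alls such as 0.0.0.0/0 are reported.
    """
    edges = [ipaddress.ip_network(p) for p in edge_prefixes]
    findings = []
    for rule in rules:
        action, _proto, port, _from, src = rule.split()
        if action != "ACCEPT" or port not in ("80", "443"):
            continue
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        covered = any(net.version == e.version and net.subnet_of(e) for e in edges)
        if not covered:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for bad_rule in audit_origin_allowlist(SAMPLE_RULES):
        print("origin exposed by:", bad_rule)
```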
 
But the lesson to learn is never enable automatic updates, no matter whether it is CrowdStrike, McAfee or Checkpoint.
In a corporate environment with 10,000 laptops and IoT devices / kiosks, it's simply not practical to not do automated updates. The trick usually is to have control over what updates get deployed on your assets, so your own IT can validate any changes and then deploy them. But then the likes of CrowdStrike just bypass that and assume the role of the enterprise's IT while deploying their changes. Businesses love it because they think it reduces their cost. But in reality it makes them more fragile. The last line of defence is now gone, and if CrowdStrike strikes, it's takeover for all these businesses. There is no safety net of local IT to prevent a broken deployment.
 
You guys are doing a great job keeping things ticking over. I hope the functionality of recent threads/posts can come back, and also that we can get more stability browsing, as it's hanging for me a lot.
 
I am pretty certain the Indians were behind this attack. As you said, probably paid Russian hackers. Wolves in sheep's clothing. I bet you it is the ones on this forum.

Definitely kudos to you and your team. You are doing a very good job in keeping the forum secure.
You are free to form an opinion. I don't know who is involved, as it could be anyone. Take this guest user / bot for example, who accessed the website several thousand times and whose location is traced to Hong Kong.

I am not going to reply to any messages after this post as I will only make forum updates in this thread
 