Faulty CrowdStrike Update, U.K. Teen Arrested for Involvement with Scattered Spider: Your Cybersecurity News Roundup
Threat Actors Exploit Major IT Disruptions Caused by Faulty CrowdStrike Update
Businesses worldwide experienced significant disruptions to their Windows workstations due to a faulty update from cybersecurity firm CrowdStrike. CEO George Kurtz stated that while Mac and Linux hosts were unaffected, a defect in a single content update caused Blue Screens of Death (BSoD) on Windows hosts. A fix has been deployed, and customers are advised to check the support portal for updates.
Compounding the issue, threat actors are exploiting the situation by distributing Remcos RAT to CrowdStrike’s Latin American customers. The lure is a malicious ZIP archive, “crowdstrike-hotfix.zip,” containing a loader that launches the Remcos RAT payload; the campaign includes Spanish-language instructions aimed at customers in that region.
The disruptions, caused by a routine update on July 19, impacted Falcon sensor for Windows version 7.11 and above. Microsoft revealed that 8.5 million Windows devices were affected globally. The incident underscores the risks of relying on monocultural supply chains and highlights the need for robust disaster recovery mechanisms.
U.K. Teen Arrested for Involvement with Scattered Spider Cybercrime Syndicate
Law enforcement officials in the U.K. have arrested a 17-year-old boy from Walsall, suspected of being a member of the notorious Scattered Spider cybercrime syndicate. The arrest was made in connection with global cybercrimes targeting large organisations with ransomware and unauthorised access to computer networks, according to West Midlands police. This arrest is part of a broader investigation involving the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI), which previously led to the apprehension of a 22-year-old syndicate member in Spain.
Scattered Spider, an offshoot of The Com group, has become an initial access broker and ransomware affiliate, delivering ransomware families such as BlackCat, Qilin, and RansomHub. Google-owned Mandiant reports the group’s shift to encryptionless extortion attacks, targeting data from software-as-a-service (SaaS) applications.
In related news, the U.S. Treasury Department has imposed sanctions on Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, members of the CyberArmyofRussia_Reborn (CARR) group. This Russia-based hacktivist group, associated with the Sandworm (APT44) group, has been involved in cyber attacks on critical infrastructure in the U.S. and Europe. CARR has manipulated industrial control system equipment at various facilities, including water supply, hydroelectric, wastewater, and energy sites.
GhostEmperor Resurfaces with Advanced Capabilities and Evasion Techniques
The covert Chinese hacking group GhostEmperor has re-emerged after a two-year hiatus, showcasing even more advanced capabilities and evasion techniques. Initially discovered by Kaspersky Lab in 2021, GhostEmperor was infamous for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.
GhostEmperor’s recent activities were uncovered by cybersecurity firm Sygnia, which released a detailed report this week. Sygnia’s investigation into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach. The attackers used the compromised network to infiltrate another victim’s systems, marking the first confirmed activity from GhostEmperor since 2021.
Sygnia’s investigation found that GhostEmperor had updated its notorious Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim’s operating system while evading endpoint detection and response (EDR) software.
GhostEmperor’s ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.