The longest day in the connected world
Friday, 19 July 2024, will be remembered as a landmark day for cyber awareness. It was the day our hyper-connected, digitised world discovered just how fragile it is, and how severe the consequences of careless, uncoordinated management of IT services can be. These services, often managed in isolation rather than through open communities, now underpin the vast majority of the activities and services we rely on.
Maria Costanza Candi
The numbers speak for themselves: more than 4,000 cancelled flights, 35,500 delays worldwide, and over 180 large hospitals affected, with medical equipment out of use, operating theatres closed and bookings blocked, all stemming from the 8.5 million terminals hit by the event.
To understand what happened, ItaliaImballaggio interviewed Pietro Melillo, PhD, CISO of Würth and member of the team of experts behind the RedHotCyber blog, a genuine community dedicated to cybersecurity that emphasises the need for a shared security culture in both companies and the daily life of citizens.
“First and foremost, it’s important to clarify that this was not a cyberattack,” Melillo explained. “Moreover, Microsoft is not to blame. The issue arose from a simultaneous update of millions of PCs by an advanced antivirus provided by CrowdStrike, a Texas-based software and cybersecurity company. The crisis lasted a total of 90 minutes – the time it took to update the terminals, identify the problem and attempt to mitigate the damage. However, the situation was further aggravated by the reckless handling of the crisis by operators and their failure to build processes and architectures suited to the critical nature of the services involved.”
Cybersecurity: an essential building block for organisations
Inadequate procedures and panic compounded the outage, creating a chain of unstable situations that cybercriminals exploited and thereby worsening its impact.
“When the first problems presented themselves with the notorious Blue Screen of Death (BSOD),” Melillo continues, “technicians, in a state of distress, shared screenshots on social networks and specialised forums to seek advice on how to manage the situation. However, this inadvertently made critical information about companies’ and institutions’ internal IT security management strategies public, triggering a wave of cyberattacks. The screenshots posted by users, in fact, revealed vulnerabilities that cybercriminals used to send phishing emails disguised as patch notifications or update fixes, which, in reality, collected data or spread malware. CrowdStrike Intelligence reported that a deceptive ZIP file named crowdstrike-hotfix.zip was distributed, containing a HijackLoader payload designed to deploy the RemCos RAT (remote access tool). The ZIP file included Spanish filenames and instructions suggesting a targeted attack on LATAM users. It was initially uploaded by a submitter based in Mexico to an online malware scanning service.
“These scams typically involve phishing emails, fake support calls and fraudulent offers of recovery services. The best practice is to contact companies directly through their official channels rather than responding to unsolicited communications. The attack sequence starts with the execution of Setup.exe, which uses DLL hijacking to load HijackLoader. Marketed as a private encryption service called ASMCrypt, HijackLoader is adept at evading detection. It then runs the final RemCos payload, which connects to a command-and-control service at 213.5.130.58:433, giving the attacker control over the infected systems.
“All this was made possible by exploiting the downtime and confusion, compounded by the superficial handling of the situation by all parties involved, who inadvertently provided easy access to their systems.”
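The attack chain Melillo describes (the crowdstrike-hotfix.zip lure, Setup.exe side-loading HijackLoader through DLL hijacking, and the RemCos payload calling back to 213.5.130.58:433) lends itself to a small detection check. The following Python script is an added example written for this article; it is not code from CrowdStrike, RedHotCyber or the interviewee. Only the three indicators above come from the interview. The event schema, the field names, the user-writable directory heuristic, the DLL name and the sample events are all constructed for the example and do not reflect any real EDR product or telemetry.

```python
"""IOC matcher for the phishing lure described in the interview (added example).

Indicators taken from the article: the lure archive crowdstrike-hotfix.zip,
Setup.exe side-loading HijackLoader via DLL hijacking, and the RemCos C2 at
213.5.130.58:433. The event schema, field names, directory heuristic and the
sample events are constructed for this example, not from any real EDR product.
"""
from dataclasses import dataclass
from typing import Iterable

# Indicators quoted in the interview.
LURE_FILENAME = "crowdstrike-hotfix.zip"
STAGE1_IMAGE = "setup.exe"
C2_IP = "213.5.130.58"
C2_PORT = 433

# Directory fragments treated as user-writable drop locations (assumption).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def _split(path: str) -> tuple[str, str]:
    """Return (directory, basename), lower-cased with backslash separators."""
    normalised = path.replace("/", "\\").lower()
    head, _, tail = normalised.rpartition("\\")
    return head, tail


def _in_user_writable(directory: str) -> bool:
    return any(marker in directory + "\\" for marker in USER_WRITABLE_MARKERS)


def is_c2_connection(dst_ip: str, dst_port: int) -> bool:
    """Exact match on the C2 endpoint reported in the article."""
    return dst_ip == C2_IP and dst_port == C2_PORT


def match_iocs(events: Iterable[dict]) -> list[Finding]:
    """Run three rules over event dicts and return every hit in event order."""
    findings: list[Finding] = []
    for idx, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "file_create":
            _, name = _split(ev.get("path", ""))
            if name == LURE_FILENAME:
                findings.append(Finding("lure_archive", idx, ev["path"]))
        elif kind == "image_load":
            # Side-load heuristic: Setup.exe in a user-writable directory
            # loading an unsigned DLL from its own directory.
            proc_dir, proc_name = _split(ev.get("process", ""))
            dll_dir, _ = _split(ev.get("image", ""))
            if (proc_name == STAGE1_IMAGE
                    and dll_dir == proc_dir
                    and _in_user_writable(proc_dir)
                    and not ev.get("signed", False)):
                findings.append(Finding("dll_sideload", idx, ev["image"]))
        elif kind == "network_connect":
            if is_c2_connection(ev.get("dst_ip", ""), int(ev.get("dst_port", 0))):
                findings.append(Finding("remcos_c2", idx,
                                        f"{ev['dst_ip']}:{ev['dst_port']}"))
    return findings


# Constructed sample telemetry: one infected workstation plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws-17",
     "path": r"C:\Users\ana\Downloads\crowdstrike-hotfix.zip"},
    {"type": "image_load", "host": "ws-17",
     "process": r"C:\Users\ana\Downloads\crowdstrike-hotfix\Setup.exe",
     "image": r"C:\Users\ana\Downloads\crowdstrike-hotfix\helper.dll",  # constructed name
     "signed": False},
    {"type": "image_load", "host": "ws-17",
     "process": r"C:\Program Files\Vendor\Setup.exe",
     "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "network_connect", "host": "ws-17",
     "dst_ip": "213.5.130.58", "dst_port": 433},
    {"type": "network_connect", "host": "ws-17",
     "dst_ip": "8.8.8.8", "dst_port": 443},
]

if __name__ == "__main__":
    for finding in match_iocs(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event #{finding.event_index}: {finding.detail}")
```

The filename and IP rules are exact-match indicators and go stale as soon as the attacker renames the archive or moves the C2; the side-load rule is the durable one, because it keys on the technique (an executable in a download or temp directory loading an unsigned DLL from beside itself) rather than on names that the next lure will change.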
The human factor: for better or worse
While machines are often discussed as standalone entities, the human factor remains ever-present, for better or worse. According to Melillo, the errors in this case stem from a flawed approach to IT security. Management often views IT security as an unnecessary expense, leading IT departments to handle security without proper procedures and to rely too heavily on the perceived reliability of software suppliers.
“The mistakes made by end users and technicians included publicly sharing their defence strategies,” Melillo continues. “However, CrowdStrike made an even more critical error by failing to test the update before distributing it. This procedural oversight affected both public and private companies that updated their systems without proper precautions. Specifically, they neglected to maintain separate environments for development, testing and production, which would have allowed them to test the robustness of the systems with the new updates. The central issue revolves around the need for organisations to develop cybersecurity procedures based on internal expertise rather than relying solely on the trust of software brands, which can clearly make mistakes leading to significant global issues.”
A question of risk perception
Cybersecurity is, therefore, closely linked to a shared culture that spans citizens, institutions and companies alike. “The issue of cybersecurity is a priority,” Melillo concludes. “Infrastructures are clearly not adequately protected and lack well-structured processes for checking incompatibilities and malfunctions. We need to return to managing and embracing complexity, as clearly demonstrated by the events of 19 July. The core issue is the effective management of complexity and processes, which are often approached with great superficiality today. Testing processes are crucial for identifying issues such as exposed passwords, uncovered libraries and vulnerabilities that can lead to disasters on the scale we have witnessed. Although some of these processes may require extra effort and time, they are essential for preventing serious issues that can impact people’s lives far more than we realise. Flights, trains, hospitals, and essential services have suffered not only serious immediate damage but are now struggling with ongoing challenges related to system restoration and secondary attacks, where organised groups are ready to exploit the aftermath of the crisis, not to mention the legal ramifications involving moral and material damages as well as privacy violations. For instance, the Italian Data Protection Authority is taking steps to evaluate the possible impact on users’ personal data following recent reports of data breaches.”