We look into the worldwide effects of the CrowdStrike catastrophe: what caused this issue, why it happened, and what went wrong.
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, July 25, 2024. This week’s Intego Mac Podcast headlines include: our special report on the worldwide effects of the CrowdStrike catastrophe. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:30
Good morning, Josh. How are you today?
Josh Long 0:32
I’m doing well. How are you Kirk?
Kirk McElhearn 0:34
I’m doing just fine. I really liked the show notes that we prepared because these names that people come up with for malware, BeaverTail and InvisibleFerret. These are the images that come to mind with beaver tail and visible ferret. This could be like a buddy movie, or two superheroes like you know, a Batman and Robin type of thing.
Josh Long 0:55
The InvisibleFerret… the funny thing about that is, how do you even know that it’s a ferret, if it’s invisible?
Kirk McElhearn 1:02
Well, someone told you. Someone told you, obviously. Yeah, okay.
Josh Long 1:06
Well, in any case, these are names for malware, as Kirk mentioned. So what are BeaverTail and InvisibleFerret? It looks like this is malware that was pushed out into the world through some fake-job-recruiter attacks, where people were being targeted and sent messages that were supposedly from job recruiters. And they tricked victims into downloading what appeared to be a video conferencing app, MiroTalk; I’ve not really heard of that before. But apparently, it’s an app that can be used to create, they say, secure video calls, chat and screen sharing. So there’s a number of different legitimate apps like that out there. And apparently, some job recruiters, or alleged job recruiters, were using some fake version of MiroTalk and tricking people into installing it. And it actually installed malware on their systems.
Kirk McElhearn 2:05
And this is something created by the North Korean Lazarus group that we’ve talked about many times.
Josh Long 2:10
That appears to be the case. Yeah, so it’s always a little bit tricky when we’re talking about attribution. But there are some definite signs that that’s probably the same group behind this particular malware attack. It’s the kind of thing that once your computer gets infected, it’s going to contact a command-and-control server and potentially download additional malware, it could steal your keychain credentials, it can steal your cryptocurrency wallets, and other private information from your machine. So it’s all the typical stuff that you kind of expect from your run-of-the-mill backdoor malware these days.
Kirk McElhearn 2:49
Run-of-the-mill malware. I guess it’s true that we’re seeing so much more of this; go back over 10 years, and it wasn’t as common. And I think a lot of this has to do with cryptocurrency, because this is the main way that cyber criminals can get, I want to say cash, but virtual cash, that’s untraceable, right?
Josh Long 3:07
It’s a relatively easy way for a nation state threat actor or other threat actors to get some money that they can use. Just steal these, you know virtual wallets off of people’s systems, they’re stored in the same place. And once you get it, well, you can drain it and the person who originally owned that wallet will no longer have that virtual currency anymore.
Kirk McElhearn 3:33
Okay, we’ve talked about apps that Apple’s approved in the App Store, often scam apps, but also piracy apps. And there’s a recent app that’s been on the App Store for more than a year. And it was the number two most downloaded free app in the App Store in Brazil. So maybe in certain countries, it gets promoted a bit more. And basically, it’s an app for just viewing pirated content. I just don’t understand if someone, I mean, we know a lot of this is automated. But if someone looks at the app, how can they not see what it’s doing? Right?
Josh Long 4:03
Right. Yeah, if you look at the interface of this app, you’ll see that when you actually load the app, it has things across the top, streaming, and it gives you Netflix, Disney Plus, and others. And if that’s not a pretty obvious sign that they’re actually giving you content from those services without having to actually sign into the real services, which you would normally do with the actual legitimate app from those companies. Yeah, that’s pretty suspicious. And it’s kind of hard to believe that things like this get past Apple’s reviewers. Now the app was called Collect Cards Store Box, which is kind of weird. It doesn’t really sound like it has anything to do with streaming. But then when you actually open the app, you get this pretty obvious pirated streaming service app. How did this get to number two? Well, it’s the kind of thing that once word starts spreading that, oh, you can watch all the movies that you want from Netflix or Disney Plus for free, just download this app, then it kind of spreads via word of mouth. And once it starts catching on, then more people start sharing it. And then all of a sudden it rockets to the top of the charts. We’ve seen this happen actually before with other apps, including even in the US. So this is not something that’s limited to just the App Store in Brazil; this one particular case happened to reach number two in Brazil, number two in the most downloaded free apps in the country. So that’s pretty amazing that something like this could get that popular before Apple realizes that there’s a problem. And then you get someone like 9to5Mac, for example, publishing an article about this. And then, not surprisingly, shortly after the headlines come out, Apple takes it down.
Kirk McElhearn 5:48
So I have an app on my Mac. And when I open it, I see things like Paramount+ and Starz and AMC+; it’s Apple’s TV app. Now, it doesn’t mean you’re gonna get this for free. But it’s not that different from this Store Card Collector, whatever it is; it’s showing the different things. Now you can connect to them if you’re signed into them with other apps, or you can log in. And basically what the Apple TV app does is it aggregates all the content in its Up Next list. But for an app to just show other streaming services is not that wrong, necessarily?
Josh Long 6:22
Well, that’s a fair point. I mean, there are for example, filtering services that may connect to your other accounts. I would say, though, if you’ve got some free app that claims to do one thing, and then it actually does something entirely different…
Kirk McElhearn 6:35
Totally agree. And at the same time, it might be examining things on your devices and have some sort of malware and we don’t know about that. Speaking of an app, examining things on your device and having malware to steal info, what about these new Facebook ads for Windows Desktop themes that have malware in them? Facebook ads for Windows Desktop themes, if I’m understanding this correctly, these are ads on Facebook to buy a desktop theme or download a desktop theme for your PC. And so this is, I guess, the theme is the wallpaper and the fonts and the icons and things like that. And yet there is no such thing as a free lunch, right?
Josh Long 7:18
Well, yeah, if you see something like this, that’s offering you some free special thing. And in this particular case, these Facebook ads, again, are for Windows Desktop themes. So this isn’t Mac specific. But the reason I thought this was worth talking about on the show is you could potentially see ads like this on Facebook, or really any other platform, that advertise something that might seem a little bit enticing; it might seem kind of cool. Maybe I want to download that and try it out. Always be careful with anything that you have to install on your computer. And if you’re seeing something like this in an ad, always be skeptical. You know, I see ads on social media all the time. My wife sees them, my kids see them and they send me screenshots. And they’re like, “What is this thing?” And very often these things are total scams. Like, it’s pretty common that ads that you see on social media are actually scams, which is unfortunate. But unfortunately, that’s also the reality and you could potentially come across… In this case, it was Windows malware, and you could potentially come across something that leads you to Mac malware, or even some sketchy iOS apps, right, if you’re browsing on your mobile device where it is. And that’s where you see ads. So always be careful. Anytime you get an ad, think twice before clicking on it.
Kirk McElhearn 8:36
It’s good that you have such a dedicated malware research team in your home, Josh.
Josh Long 8:43
It’s a nice thing for my family members. So they can just go hey, what do you think about this thing? Oh, no, that’s a scam, don’t click on that.
Kirk McElhearn 8:51
Okay, we have a story about Google shutting down its URL shortener. So this is the G O O dot G L thing, kind of like Bitly, B I T dot L Y. And so there was an article about this last week. And I just figured, okay, they’re shutting this down now. And then Josh said that they announced this in 2018. And people were still using this. Now, there are two reasons to use a URL shortener. One is, I don’t know, you’re publishing a newsletter. And you don’t want to have a really long URL. And it’s time-sensitive. And maybe after three months, it won’t be useful anymore. So you want something that’s short. But if you’re going to put something seriously on your website, to have a permanent link to something, and Google’s already announced in 2018 that they’re deprecating this, did Google not have a big banner on the top of the site for six years saying, don’t use this because we’re going to turn it off soon?
Josh Long 9:44
Well, I think at some point, they actually cut it off so that you can’t create new goo.gl URLs. But the problem is that a lot of people were still using existing ones, right? They might have had them as a link on their website, used them in social media posts in the past. And like you said, they might be in newsletters, they might even be in software, they might be in documentation for software, right? There’s a lot of different places that shortened URLs can end up. And unfortunately, some of those places are not updatable. Like in the example of social media posts, you can’t go back and edit a social media post from many years ago. And in many cases, there might be some software that you’re still using. It hasn’t been updated in a few years, but it’s still functional. And so you might still use it. And they might be using goo.gl, maybe even behind the scenes in some way that you don’t even know about. So that’s why it’s so important that, you know, when these things happen, it unfortunately happens an awful lot with Google, right? We’ve talked before about the Google graveyard, all these different services that Google has offered for free at some point in the past, and eventually discontinued. This is yet another one of those things that’s ending up on the trash heap. But at the same time, in this case, it could be potentially problematic for some users. So what Google is saying they’re going to do is, starting next month, they’re going to start redirecting some of these existing goo.gl links to a notice first, that this link will no longer work in the near future. And then a year from now, on August 25, 2025, they’re saying that all of these links will cease to work; they’re just going to shut them all down permanently, you’ll never be able to use a goo.gl link ever again.
Kirk McElhearn 11:33
Okay, so on the flip side, Google announced that they were going to eliminate third-party cookies in Chrome, but they decided they’re not going to eliminate them. And they are going to introduce, and I quote, “a new experience in Chrome that is designed to allow people to make an informed choice applicable across their web browser.” It’s my experience in the tech industry, if anyone talks about a new experience, it’s going to be garbage.
Josh Long 11:56
Well, that’s a fair point. The thing that I think is amusing about this story is that Google has been saying for literally years, we’re going to eliminate third party cookies, and they give a deadline. And then it starts getting closer to that deadline. And Google says, Yeah, we’re actually going to do that a year from now. It’s gorgeous. We’re kicking it down the road another year. And so Google’s been doing this for the past few years with third party cookies. And now they finally just said, Yeah, we’re not going to do that, after all.
Kirk McElhearn 12:24
But they’ve been saying for six years that they were going to eliminate the URL shortener, and people weren’t paying attention, because you can’t trust Google one way or another.
Josh Long 12:33
Well, that’s also part of the problem, is that you can’t really trust that Google is going to do what they say they’re going to do. Because they often kind of backtrack; they change their minds at the last minute. So, who knows, maybe goo.gl is not actually going to shut down next year, after all.
Kirk McElhearn 12:50
Like maybe they’ll change their mind six months from now, because they realize there’s money to be made. They could put interstitial ads between the initial URL and the redirect something like that.
Josh Long 12:59
But the other thing that we should talk about here with this whole third-party cookie thing is that, you know, this has been something that I think was a big focus in the past, like, let’s say, maybe 10 years ago, people were worried about cookies, and how they violated your privacy. And, you know, there’s so many different ways that your privacy can be violated these days, that, like, third-party cookies is just one of many. And it’s not necessarily the worst. We frequently mention all the different ways that you can be fingerprinted, how you probably have a unique browser fingerprint. We mentioned last week, amiunique.org is a website where you can go and find out whether your individual browser is different from everybody else’s who’s ever visited that particular site. And very often you’ll find that you might be unique or pretty close to it, where there’s very few people who will have the exact same browser configuration as you do.
Kirk McElhearn 13:57
Okay, we’re gonna take a break when we come back, we’re going to talk about the CrowdStrike catastrophe.
Voice Over 14:04
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years, and our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Sonoma and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes, at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego: world class protection and utility software for Mac users, made by the Mac security experts.
Kirk McElhearn 15:20
Before we start talking about CrowdStrike, we want to talk about the dot top domain. I’ve never actually seen a dot top domain, but apparently it’s the most used domain for phishing.
Josh Long 15:32
Well, behind .com. But I mean, everybody uses .com, right? Brian Krebs reports that there’s a Chinese company that’s in charge of handing out domain names ending in .top. By the way, it’s actually been around for a number of years. And now ICANN, the Internet Corporation for Assigned Names and Numbers, has issued a warning to this company that manages .top, and says that they have until mid-August to show that they’ve put systems in place for managing phishing reports and suspending abusive domains, or else, they’ll forfeit their license to sell domains. This is a really serious threat. And I think the thing that I really wanted to highlight here is just the fact that there are a lot of what are called “top-level domains.” So these are things like .com; you know about .com .org .net .edu .gov, like these are all very common ones. And there are also a whole bunch of others, right? There’s .io .ai. There’s country specific ones, like .cn for China, for example, and many others like .info. Some of these have a much worse reputation than others. I’ve seen many of these lists over the years; there’s one particular list that’s screenshotted in this KrebsOnSecurity article, and the ranking here in terms of the volume of phishing domains, you’ve got .top right next to .com, you’ve got .xyz, .cn (which is again, that’s a country level code), and many others. Some other ones on here on this list in the top 20 that I’ve seen in previous years that I think are worth pointing out are, you’ve got .shop .lol .site, .club, and .click, and also .live and .cc. These are ones that show up frequently in these lists over the years. So if you happen to hover over a link that leads to one of these sites, or you accidentally click on a link, and it ends up at one of these, it doesn’t necessarily mean that the site is bad, but there’s a higher probability that there might be something suspicious going on on that site.
Kirk McElhearn 17:37
Okay, so unless you’ve been living in a cave for a week, you heard about the CrowdStrike catastrophe, where essentially CrowdStrike, who makes… Josh is going to explain exactly what it is. It’s an endpoint security, sort of antivirus thing for Windows computers, pushed out an update to its malware definitions, which broke Windows computers, and you had blue screens of death in airports and hospitals and supermarkets. Sky News, the TV station here, was affected; they couldn’t broadcast news. The BBC was affected for a while. I know here in the UK, supermarkets had problems with payments, doctors couldn’t get patient information, hospitals had to cancel operations. This is a huge problem. And all it was was this tiny little 40 kilobyte file that was sent out to eight and a half million Windows computers. We’re going to try and explain what happened, why it happened, why it’s unlikely, what would happen to Macs, and will this happen again? Where do we start, Josh?
Josh Long 18:35
Maybe we just talk about, in a little bit more detail, what exactly did happen. At first people were kind of thinking this was like a global, you know, Windows meltdown, like Windows is failing all over the world. And it turned out, well, it’s not actually Windows that’s failing. It’s that there’s some software that happens to run on a lot of Windows machines in Fortune 500 companies, that is causing a problem for a whole bunch of different Windows machines across different industries.
Kirk McElhearn 19:04
And that’s a good point, that this is business software. This is not software that individuals use.
Josh Long 19:09
Right. CrowdStrike isn’t a consumer antivirus company; they make software that’s designed for big corporations. This is endpoint detection and response software. So this is like antivirus, with some other capabilities. And it all ties in with a mobile device management solution. And it’s all remotely manageable by the corporate headquarters IT department and all that kind of stuff.
Kirk McElhearn 19:33
Sounds like a real Rube Goldberg machine.
Josh Long 19:37
Well, it’s one aspect of a complex system, right? You might have many systems in place to protect and manage your endpoints. And this is just one of those systems that a lot of companies happened to use. So what actually happened here behind the scenes is that there was an update file that caused the software to misbehave. And so if your endpoint that was running this CrowdStrike software happened to get this particular update, then now your system could crash; it would have a blue screen of death. And it would be exceedingly difficult to get that machine back online. Now imagine that happening, not just to one computer at your company, but all the computers or nearly all of the computers at your company. And you can now understand why flights were grounded. And all these other things happened as a result of this catastrophic issue.
Kirk McElhearn 20:29
So this was a malware definition update, right? And what’s important to know is that there is so much malware for Windows that some of these things get hourly updates, that this is a constant process. And in fact, some of these enterprise anti-malware companies actually use a cloud system where the computer will send information to the cloud to get the latest update, because there are so many updates needed.
Josh Long 20:55
This was one of those, like, hourly type, you know, updates that’s getting pushed out constantly; they’re sending these out all the time. Evidently, this particular update was not very carefully tested, because it caused a problem for just about every Windows system that received this file.
Kirk McElhearn 21:12
But it didn’t affect Linux or Mac computers, and CrowdStrike does have client software for both of these platforms.
Josh Long 21:17
It’s interesting that you mentioned Linux, because the same company did recently have an issue that affected their Linux clients. But it was obviously not nearly the scale, because not as many people use Linux as use Windows. Oops.
Kirk McElhearn 21:32
Yeah. So one of the suggested fixes was to reboot the computer up to 15 times. But there’s a logic for this. It’s not just keep rebooting the computer because you have nothing else to do. There’s a reason for this, isn’t there?
Josh Long 21:44
Yeah, well, it seems like what’s going on there is that this was probably a race condition. And what that basically means is that in some cases, your computer may be able to get past that particular bad spot in the code, it might be able to overcome it one out of 15 times, and so you might just get lucky and eventually be able to boot your computer. Whereas the other 14 out of 15 times, the malfunctioning code actually runs first, and so you can’t boot your computer. So it’s one of those like kind of odd things that can happen.
Kirk McElhearn 22:17
Sometimes with computing, we don’t tend to think of computing as being random like that; we think that every time we boot it, it’s going to work or it’s not going to work, instead of every once in a while it might actually fix it. Now, Microsoft also released a USB recovery tool. And if I understand correctly, a system administrator would copy this onto a USB thumb drive, and boot off of this on a Windows computer to then clean out the malicious file… malicious is not the right word, the file causing the damage.
Josh Long 22:46
Right, exactly. This also opens up, like, a whole bunch of other scenarios. Like, imagine somebody comes along and they show up at your workplace. They say they’re from IT, and they need to plug in this USB recovery tool into your machine. Well, you don’t know, like, what’s actually going on. If you work for a big enough company, you may not know the IT guy, right, who services your machine. Or maybe he really is from the corporate office. And so he doesn’t normally come out to your site, but he was ordered to do so, and so, well.
Kirk McElhearn 23:16
Okay, I guess you need to run something on my machine. This was definitely in one of those Tom Cruise movies. Yeah, it definitely is a Tom, here’s a mask looking like someone else. And he came with the USB thing. Yeah. Okay. So you can imagine a situation like this: you’re in charge of IT at a company, like, let’s say, a major airline. And you know that this is costing your company millions of dollars, and you’ve got to get the computers online. And you get a phone call from someone saying, “Hello, I’m from CrowdStrike. And I’d like to help you.” Well, it’s a good possibility that these would be people taking advantage of the situation and trying to scam you, whether it be by email, websites, phone calls, direct messages, or whatever. And the scammers came out really quickly, didn’t they?
Josh Long 23:56
Yep. So this whole thing really was going on on Friday. And on Friday, the very same day, you were already seeing threat actors who were sending phishing emails posing as CrowdStrike support. They were impersonating CrowdStrike staff in phone calls. They were posing as independent researchers. And they were even selling scripts that were purporting to automate the recovery of this issue. At the same time, there were also threat actors, again, also on Friday, who were sending out these malicious ZIP archives that were named things like CrowdStrike hyphen hotfix dot zip, and tricking people into actually installing malware on their machines as sort of a preventative fix, because, you know, if your machine had actually been taken offline, obviously, you’re not gonna be able to run this thing on your machine. And so they were tricking people who didn’t even have a problem into actually installing malware on their machine as a supposed preventative fix. So the takeaway from that is that, you know, anytime that there’s some big event in the news, especially something that might be panic inducing, be very careful before just reacting. If you get a phone call, you get a text message or email, or somebody’s trying to tell you, you need to do this in order to protect yourself or to be safe. And as a matter of fact, it even happens with things that are not computer related. It might be that there’s news of some war that’s broken out, and your country is going to be involved in this thing. They might be sending out malicious files that claim to have information about this. So always be careful anytime that there’s some sort of panic-inducing news.
Kirk McElhearn 25:38
So this doesn’t only happen on Windows, while this particular problem could not happen on a Mac. And you’ll explain why in a second, the way the system architecture is built. Apple has had some problems with updates as well. Was it last year, they released their first Rapid Security Response update, and they pulled it really quickly because something went wrong. And I think they haven’t had any more Rapid Security Response updates since then.
Josh Long 26:02
Okay, so there’s a couple of things to break down there. First of all, why is this type of thing less likely to happen on a Mac? On the Windows side of things, usually, you have antivirus and other endpoint detection and response, EDR, solutions that hook in at such a low level into the system. So they’re basically operating as kernel drivers. So these things hook into the operating system kernel. You don’t really have that anymore on Macs. Why is that? Because macOS has been redesigned. In recent years, Apple has something called System Integrity Protection. And this is on by default. So it’s protecting your system from anything hooking in at that kernel level. And we used to have things called kexts, K e x t, which was a kernel extension. And you really don’t have those anymore on Macs, or it’s very rare that you get an exception from Apple to get a kernel extension like this. And the reason for that is because it does hook in at such a low level into the operating system. And it’s generally much safer to not have things hooking in at that level. So antivirus software on Macs today doesn’t use kernel extensions; it uses higher level processes that can still block malware without actually having to hook into the system in the same way that Windows antivirus software does. Now, the other thing that you asked about there is this Rapid Security Response. And yeah, I think this was the second ever Rapid Security Response that Apple issued. And I remember when they first announced this whole concept of Rapid Security Responses, it sounded like we were going to get updates that would fix security problems urgently without even requiring a restart. And while the couple of Rapid Security Responses that Apple did release did require a restart, and the second one was this problematic one, if I remember right, I don’t think we ever got another Rapid Security Response from Apple ever again. It’s just been the standard point-whatever operating system updates, so I feel like Apple decided that maybe we shouldn’t be releasing these responses quite so rapidly after all.
Kirk McElhearn 28:16
Okay, I just want to end this discussion by pointing out that there was an incident in 2010 when McAfee issued an update to their software for Windows XP that took down a good part of the internet. And the person who was the Chief Technology Officer at the time, George Kurtz, is now the Chief Executive Officer of CrowdStrike. History doesn’t repeat itself, but it rhymes.
Josh Long 28:38
And nothing against him. I doubt that this particular incident is specifically because of him. In any case, yeah. It’s a funny coincidence, if nothing else. So a big takeaway from this is if you’re a software developer, no matter what kind of software it is, it’s really important to make sure that you test your updates carefully. Whether you’re an operating system developer, like Apple or whether you’re any other software developer, make sure you test your software as carefully as possible before you deploy it to end users.
Kirk McElhearn 29:09
Okay, that’s enough for this week. Until next week, Josh, stay secure.
Josh Long 29:11
All right, stay secure.
Voice Over 29:15
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com