A critical software update gone wrong triggered a domino effect on July 19, 2024, causing a global Microsoft-CrowdStrike outage that crippled critical infrastructure, businesses, and organizations worldwide, especially the airline industry. However, amidst the pandemonium, Southwest Airlines in the United Stated seemed to have weathered the storm with surprising grace. While competitor airlines grounded their fleets and scrambled for solutions, Southwest continued operating with minimal disruptions. The reason: the airline is still using Windows 3.1 and Windows 95 that is 32-years-old!

How Did Southwest Survive BSOD?

The faulty update from cybersecurity giant CrowdStrike last Friday sent millions of Windows systems into a tailspin, causing widespread chaos leading to the dreaded Blue Screen of Death (BSOD). Airports became battlegrounds of long lines and cancelled flights, hospitals struggled with limited access to patient records, and financial institutions experienced service outages. The airlines affected by the CrowdStrike update had to ground their fleets because many of their background systems refused to operate. These systems could include pilot and fleet scheduling, maintenance records, ticketing, etc. According to this article on Forbes.com, in the United States alone, airlines cancelled 3,675 flights or 14 per cent of the total fleets. Another 56 per cent of all flights were late by 15 minutes or more. By 6 pm Friday, Delta Airlines had cancelled 1,326 flights, United had cancelled 562 and American had cancelled 466. Southwest however stood tall during the crisis.  It cancelled just three of its 4,390 departures. Also 94 per cent of Southwest flights departed within an hour of the scheduled time. So how did Southwest survive the Crowdstrike outage? Explaining the scenario, a website named govtech says, “That’s because major portions of the airline’s computer systems are still using Windows 3.1, a 32-year-old version of Microsoft’s computer operating software. It’s so old that the CrowdStrike issue doesn’t affect it so Southwest is still operating as normal. It’s typically not a good idea to wait so long to update, but in this one instance Southwest has done itself a favor.” Windows 3.1, launched in 1992, doesn’t get any updates. So, when CrowdStrike pushed the faulty update to all its customers, Southwest wasn’t affected as it didn’t receive an update. Apart from Windows 3.1, Southwest also uses Windows 95 for its staff scheduling system. It is a newer operating system — about three years younger than Windows 3.1 — but it’s ancient compared to today’s tech. Many of the [caption id="attachment_82984" align="alignnone" width="788"] Source: X[/caption]

Memes Galore After Southwest Dodges the Bullet

This unexpected resilience of Southwest Airlines sparked online jokes and memes, with some netizens poking fun at the airline's supposedly "outdated" technology.  Users on social media platform X took this opportunity to create memes and poke fun at the airline and its alleged attitude of "If it ain't broke, don't fix it." [caption id="attachment_82985" align="alignnone" width="776"] Source: X[/caption] [caption id="attachment_82986" align="alignnone" width="701"] Source: X[/caption] [caption id="attachment_82987" align="alignnone" width="758"] Source: X[/caption]

Southwest Grappling with ‘Modern’ Issues

While Southwest's outdated systems were a saving grace in this instance, it highlights the potential risks associated with such dated technology. The airline previously faced significant disruptions due to these very systems, resulting in hefty fines and a commitment to modernization efforts. During the holiday season in 2022, Southwest had to cancel 16,900 flights leaving around two million passengers stranded. This resulted in a $35 million fine as part of a $140 million settlement. The airline also committed to spending $1.3 billion to update its technology. Southwest will likely need to navigate a path that prioritizes both robust cybersecurity and the gradual integration of modern, reliable systems to avoid future outages and maintain passenger trust.

Airports were left crippled, healthcare systems were disrupted, supermarket check-outs malfunctioned, and journalists scrambled without the basic tools of the trade to report on an issue causing havoc worldwide. One company and one tiny software update is at the center of a global IT outage that engulfed millions of people, businesses, and organizations on Friday. While the situation is gradually being resolved, the CrowdStrike outage has left a significant impact. It all began with a regular system update that went terribly wrong. Seemingly all at once, millions of computers around the world became unusable and unable to be rebooted, displaying the dreaded "Blue Screen of Death." The culprit? CrowdStrike, a US cybersecurity company based in Texas known for its ransomware, malware, and internet security products designed almost exclusively for businesses and large organizations. [caption id="attachment_82972" align="alignnone" width="1280"] Scenes at Indian Airport (Source: ShivaniReports on X)[/caption]

Crowdstrike Outage: What Happened?

On Friday, July 19, at 4:09 AM UTC (2:09 PM AEST), CrowdStrike released a sensor configuration update on their Falcon program targeting Windows systems. According to a statement published on the company's blog, this update, intended to target malicious system communication tools in cyberattacks, triggered a "logic error" that resulted in an operating system crash on Windows systems, leaving Mac and Linux users unaffected. We have collected quotes from industry experts to provide insight into the incident:

Beenu Arora, Founder and CEO, Cyble Inc: "The recent incident involving CrowdStrike and Microsoft has put the cybersecurity world into overdrive. The exceptional response from the support teams at both companies during these intense moments is commendable. To the professionals working tirelessly around the clock, your resilience and commitment deserve recognition and gratitude. Your efforts to assist affected parties highlight the strength of our industry in the face of adversity. Thank you for your outstanding work during this challenging time. Your dedication serves as a reminder of the importance of rapid and effective incident response in the TechCommunity."

 

Guy Golan, CEO and Executive Chairman, Performanta: "A mistake of this magnitude is an epic failure and a huge eye-opener for the cyber world and the business world more broadly. It should not have happened. This appears to have been a failure of process and QA, releasing something that was incorrect, perhaps driven by intense market pressures in the vendor race to have the best and greatest features, or in response to the evolving threat landscape and increased need for detection. The impact of one vendor by some of the world’s biggest organizations can bring the world to its knees, and the repercussions will be unprecedented. It’s going to cost companies billions, it will lead to legal action, and it will affect businesses and users in a way we’ve never seen before. Attackers may have more awareness of who is using CrowdStrike as a result of watching this unfold, which could cause further cybersecurity complications down the road. This isn’t the fault of one vendor – perhaps market pressures have led to such a catastrophe. More outages should be expected unless organizations of all sizes start to understand that the digital world is just as significant in the 21st century as the physical world. It’s about time we elevated cyber issues to the top of the agenda and understood the full effects of market pressures."

 

Alan Stephenson-Brown, CEO, Evolve: "News of a global IT outage that has caused problems at airlines, media, and banks is a timely reminder that operational resilience should be at the forefront of the business agenda. Demonstrating that even large corporations aren't immune to IT troubles, this outage highlights the importance of having distributed data centers and rerouting connectivity that ensures business can continue functioning when cloud infrastructure is disrupted. By prioritizing both contingency planning and preventative measures, IT systems can be protected. I urge business leaders to seriously appraise the systems they have in place to identify potential vulnerabilities before they find themselves the subject of the next IT outage headline.

 

Martin Greenfield, CEO, Quod Orbis: "The global IT outage underscores a critical weakness in many organizations' cyber-resilience strategies: an overreliance on single-point solutions like antivirus software. While such tools are essential, they should not be the sole pillar of a robust cybersecurity posture. This incident serves as a reminder that even industry-leading solutions can falter, potentially leaving entire sectors vulnerable. Whilst such threats can have a huge impact, steps to prevention are often quite straightforward. Organizations must adopt a more holistic approach to their cyber resilience, implementing a multi-layered defense strategy that encompasses not just software solutions but also robust policies, regular training, and proactive threat hunting. A key component of this approach should be continuous controls monitoring, which allows for real-time visibility into the effectiveness of security measures and rapid response to emerging threats. This incident also underscores the importance of basic cyber hygiene, particularly regular system updates. The involvement of Microsoft operating systems in this outage emphasizes that even simple steps like keeping software current can significantly reduce vulnerability. Yet this fundamental practice is often overlooked, leaving systems unnecessarily exposed. This also applies to security vendors themselves, who should be running regular tests on their solutions to ensure they’re up to date with the threat landscape. The widespread impact of this outage also highlights the interconnectedness of global IT systems and the potential for cascading failures. Companies must conduct thorough risk assessments, not just of their own systems but of their entire supply chain and third-party dependencies. This incident demonstrates how a single point of failure can have far-reaching consequences across multiple sectors and geographies."

 

Dmytro Tereshchenko, Head of Information Security Department, Sigma Software Group: "The CrowdStrike failure has significantly impacted many organizations globally. This includes critical sectors such as banking, stock exchanges, airports, and emergency services. Recovery protocols are in place for those affected, though a comprehensive restoration across many entities will likely be a protracted process. For cybersecurity professionals, this incident isn’t something new and unexpected. It underscores a known issue within our highly interconnected supply chains. A disruption to any key supplier can indeed have extensive repercussions, affecting a broad spectrum of systems and services. While this situation is neither unprecedented nor unexpected, the timeline for complete recovery remains uncertain. We clearly understand the problem’s scale, but precise recovery estimates are still forthcoming. Users who have yet to encounter issues should be able to operate without significant disruption. Affected entities are already seeing progress in their recovery efforts. At Sigma Software Group, we’ve issued detailed guidelines to our team, and our experts are diligently addressing the situation to mitigate further impact."

 

Satnam Narang, Sr. Staff Research Engineer, Tenable: "The outage affecting computer systems worldwide is severe. It is affecting critical systems, such as those in hospitals, airports, financial institutions, and more. For instance, patients aren’t able to get medications in the hospital setting. It’s impacted me personally as I have a loved one who is currently in the hospital setting. While the issue is associated with Windows systems, it does not appear to be an issue with Microsoft Windows, but rather, security software installed on millions of Windows computers worldwide. Because this is security software, it requires a higher level of privileges to the underlying operating system, so a bad or faulty security update can result in a catastrophic impact. This event is unprecedented, and the ramifications of it are still developing."

Amidst the global outage affecting Microsoft Windows systems, the Indian Computer Emergency Response Team (CERT-In) has issued a critical advisory (CIAD-2024-0035) to address the issue. This outage seems to have stemmed from a recent update to the CrowdStrike Falcon Sensor, a popular endpoint detection and response (EDR) solution. Dubbed the Blue Screen of Death (BSOD), the outage has disrupted operations across airports, hospitals, software firms among other sectors globally and is generating widespread frustration among users.

Flawed Update Led to BSOD: CERT-In

According to the CERT-In advisory, Windows hosts equipped with the CrowdStrike Falcon Sensor experienced crashes and the infamous BSOD following a recent update to the agent. This critical error typically indicates a system halt due to a hardware or software failure, rendering the affected device inoperable. The exact cause of the BSOD remains undisclosed, but the swift action taken by CrowdStrike suggests a flaw within the update itself. The CrowdStrike team promptly reverted the changes, potentially mitigating further disruptions.

Resolving the Issue: Workarounds and Updates

While the update has been rolled back, some Windows systems might still be experiencing issues. CERT-In has provided a workaround for these cases, involving booting into Safe Mode or the Windows Recovery Environment and manually deleting a specific file associated with the faulty update.

• Navigate to the directory C:\Windows\System32\drivers\CrowdStrike and locate the file matching the pattern "C-00000291*.sys".
• Delete the identified file and reboot the host normally

Additionally, users have been advised to check the CrowdStrike support portal for the latest updates and recommendations.

Microsoft Statement on BSOD

While CERT-In's advisory primarily focuses on the technical aspects of the issue, news reports suggest a broader collaborative effort between Microsoft and CrowdStrike. Earlier on Friday, Microsoft acknowledged that an outage in its online services had affected customers worldwide.  In its latest update in a post on social media platform X, Microsoft stated, "Our services are still seeing continuous improvements while we continue to take mitigation actions. Multiple services are continuing to see improvements in availability as our mitigation actions progress. A recent surge in BSOD reports across various Microsoft Windows versions coincided with the timeframe of the CrowdStrike update. Though details remain unconfirmed, this potentially points towards a wider impact beyond the systems specifically mentioned in the CERT-In advisory.

The Indian Computer Emergency Response Team (CERT-In), a cybersecurity agency operating under the Ministry of Electronics and Information Technology, has sounded the alarm for Adobe users and issued a high-risk warning. Their latest Vulnerability Note (CIVN-2024-0213) details multiple critical security weaknesses discovered in several Adobe software versions. These vulnerabilities expose users of Adobe Premiere Pro, Adobe InDesign, and Adobe Bridge to significant security risks. CERT-In classifies the identified vulnerabilities as "HIGH" severity and urges users to act swiftly to safeguard their systems. This includes updating their Adobe software immediately. If left unaddressed, attackers can exploit these vulnerabilities to trigger memory leaks and run unauthorized code on targeted systems. Such attacks can have severe consequences, including stolen data, system crashes, and unauthorized access to sensitive information. Apart from Adobe Products, CERT-In has also issued critical warnings vulnerability warnings for IBM WebSphere application server and Joomla Content Management System

Understanding the Vulnerabilities

According to CERT-In, several underlying issues are responsible for the vulnerabilities found in Adobe products:

• Integer Overflow or Wraparound: This vulnerability occurs when an arithmetic operation surpasses the maximum capacity of the integer data type used to store the value, leading to unexpected behavior or crashes.
• Heap-based Buffer Overflow: This arises when data surpasses the designated buffer capacity in the heap memory, potentially allowing attackers to execute unauthorized code.
• Out-of-bounds Write and Read: These vulnerabilities occur when software reads or writes data beyond the allocated memory boundaries, leading to data corruption, crashes, or code execution.
• Untrusted Search Path: This vulnerability arises when software searches for resources in untrusted directories, which attackers can exploit to execute malicious code.

Affected Adobe Softwares

The following Adobe software versions are susceptible to these vulnerabilities:

• Adobe Premiere Pro:
  • All versions before 24.4.1 for Windows and macOS
  • All versions before 23.6.5 for Windows and macOS
• Adobe InDesign:
  • All versions before ID19.3 for Windows and macOS
  • All versions before ID18.5.2 for Windows and macOS
• Adobe Bridge:
  • All versions before 13.0.7 for Windows and macOS
  • All versions before 14.1 for Windows and macOS

Security Patch

CERT-In recommends the following actions to mitigate the risks associated with these vulnerabilities:

• Apply the Latest Updates: Install the most recent updates provided by Adobe for the affected software as soon as possible. Keeping software up-to-date is essential to shield systems from known vulnerabilities.
• Regular Update Checks: Enable automatic updates for your Adobe software if available. Otherwise, routinely check for updates and install them promptly.
• Download from Official Sources: Only download software and updates from the official Adobe website or trusted app stores. Avoid downloading from untrusted sources, as they might distribute malicious versions.
• Layered Security: Consider using additional security measures like firewalls, antivirus software, and intrusion detection systems to add an extra layer of protection against potential attacks.
• Regular Backups: Regularly back up important data to minimize the impact of a potential security breach or system failure.

By following these recommendations, users of the affected Adobe software can significantly reduce their risk of falling victim to cyberattacks.

IBM WebSphere Application Server Under Fire

CERT-In has also reported a vulnerability in IBM WebSphere Application Server (CVE-2024-0215) that could allow Remote Code Execution (RCE) attacks. This means attackers could potentially exploit this flaw to execute malicious code on the server, granting them complete control of the system. According to IBM, "a remote attacker could exploit this vulnerability to execute arbitrary code on the system with a specially crafted sequence of serialized objects." The bulletin applies to:

• IBM WebSphere Application Server Traditional V9.0 or earlier versions
• IBM WebSphere Application Server Network Deployment V8.5 or earlier versions

IBM has recommended updating to the following versions to address the vulnerability or fix the pack that contains the APAR PH61489.

• For V9.0.0.0 through 9.0.5.20: Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH61489 --OR-- · Apply Fix Pack 9.0.5.21 or later (targeted availability 3Q2024).
• For V8.5.0.0 through 8.5.5.25: Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH61489 --OR-- · Apply Fix Pack 8.5.5.26 or later (targeted availability 3Q2024).

Users can find detailed information and download the updates from the official IBM Security Bulletin.

Cross-Site Scripting (XSS) Vulnerabilities in Joomla

A high-risk warning for users of the Joomla Content Management System (CMS) has also been issued by CERT-In. Multiple vulnerabilities classified as "HIGH" severity have been identified in advisory (CIVN-2024-0214), allowing attackers to inject malicious scripts into websites. These vulnerabilities exist in various components/functions (Custom Fields, wrapper extensions, StringHelper::truncate, fancyselect list field layout, accessiblemedia) of Joomla due to improper input validation. These vulnerabilities fall under the category of Cross-Site Scripting (XSS), which can be exploited to steal user data, deface websites, or redirect users to phishing sites. Successful exploitation of these vulnerabilities could allow the attacker to conduct cross-site scripting attacks on the targeted system. Cert-in has suggested users upgrade to Joomla CMS versions 3.10.16-elts, 4.4.6, or 5.1.2. More details have been provided by Joomla in its Security Announcements page.

The ransomware attack that crippled Synnovis, a key pathology provider for southeast London's NHS Trusts, continues to disrupt critical services nearly a month after the initial attack. While some progress has been made, the slow recovery highlights the fragility of healthcare infrastructure and the potential for wider patient data breaches.

Technical Hurdles Plague Restoration Efforts

The attack that took place on June 3 knocked out most of Synnovis' IT systems, impacting everything from lab analysis equipment to results transmission. With electronic workflows crippled, the lab reverted to manual processes, significantly hindering processing capacity and turnaround times.

The daily blood sampling count in major London hospitals plunged from 10,000 to merely 400 per day after the cyberattack. The biggest challenge that Synnovis is facing is that all its automated end-to-end laboratory processes are offline, since all IT systems have been locked down in response to the ransomware attack.

The ongoing recovery prioritizes critical systems first. New middleware deployed at partner hospitals aims to streamline result reporting, but full restoration remains a distant prospect. Synnovis is collaborating its parent company, SYNLAB, and NHS to ensure a secure and phased recovery.

Mutual Aid Boosts Capacity, But Data Breach Looms Large

To address the backlog of critical tests, Synnovis implemented a "Mutual Aid" program across southeast London boroughs, leveraging partner labs within the NHS network. Additionally, SYNLAB is diverting resources from its wider UK and international network to bolster processing capacity.

However, a more concerning development emerged on June 20. A Russian ransomware group called Qilin claimed responsibility for the attack and leaked data online. Synnovis later confirmed the published data was stolen from its administrative drives.

"This drive held information which supported our corporate and business support activities. Synnovis personnel files and payroll information were not published, but more needs to be done to review other data that has been published relating to our employees." - Synnovis

While a full analysis is ongoing, initial findings suggest the data may contain patient information like full names, NHS numbers, and test codes.

Uncertainties for Synnovis Remain as Investigation Continues

The stolen data appears partial and in a complex format, making analysis and identification of impacted individuals challenging. Synnovis, with assistance from the NCSC and NHS cybersecurity specialists, is investigating the attack's scope and potential data breach. Law enforcement and the Information Commissioner are also kept informed.

Mark Dollar, CEO of Synnovis, acknowledged the disruption and expressed regret for the inconvenience caused.

“We are very aware of the impact and upset this incident is causing to patients, service users and frontline NHS colleagues, and for that I am truly sorry. While progress has been made, there is much yet to do, both on the forensic IT investigation and the technical recovery. We are working as fast as we can and will keep our service users, employees and partners updated.” - Mark Dollar, CEO of Synnovis

However, the timeline for full system restoration and the extent of the potential data breach remain unclear.

The Synnovis attack highlights a broader trend within healthcare IT systems and the potential consequences of third-party cyberattacks. SYNLAB, the parent company of Synnovis, has been targeted by cybercriminals multiple times in the last year. Similar attacks hit their subsidiaries in Italy in April 2024 and a year earlier in France. These incidents underline a concerning rise in third-party vulnerabilities within the healthcare industry.

As Synnovis grapples with recovery, the cybersecurity community awaits further details on the data breach and its potential impact on patients.

Apple has taken steps to enhance the security of its popular AirPods lineup by addressing a critical Bluetooth vulnerability through a new firmware update. This AirPods firmware update,  identified as Firmware 6A326 and 6F8, is aimed at several models including AirPods, AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. The AirPods vulnerability tracked as CVE-2024-27867 and discovered by Jonas Dreßler, posed a potential risk where attackers within Bluetooth range could spoof a user's device and gain unauthorized access to their AirPods. This issue highlights the importance of timely updates to protect Apple devices from cyberattacks. 

AirPods Firmware Update Fixes Major Bluetooth Vulnerability

Initially, Apple's AirPods firmware update patch notes appeared routine, mentioning "bug fixes and other improvements." However, further details on Apple's security website revealed the update's critical nature, specifically addressing an authentication issue with improved state management related to Bluetooth connections. For affected users, the AirPods firmware update will be applied automatically when AirPods are paired with an iPhone or another compatible device. To verify the update, users can check the firmware version by navigating to Settings > Bluetooth on iOS devices or System Settings > Bluetooth on Macs. This proactive approach highlights the regular updates required by devices regardless of operation systems. By promptly addressing vulnerabilities such as the AirPods vulnerability, Apple aims to create a safer digital environment for its users worldwide.

Fixing Several Apple Product Vulnerabilities

Beyond addressing the AirPods vulnerability, the firmware update also includes general bug fixes and performance improvements. This comprehensive approach ensures not only enhanced security but also a smoother user experience across the AirPods ecosystem. Users are encouraged to stay vigilant and keep their devices updated to the latest firmware version. This practice is crucial for safeguarding against potential security risks and maintaining the integrity of personal data. Apple's dedication to security is further demonstrated through its adherence to industry-standard practices, including not disclosing specific security issues until patches or releases are available and thoroughly tested. This approach ensures that users can trust Apple products to protect their privacy and security effectively. For more detailed information about the update and additional security-related matters, users can visit Apple's official security updates page and review the comprehensive product security documentation available.