This makes sense
Q2793 talks about cyber attacks and infiltration, text in brackets: ['game the sys'][added][Zero-Day][Example]. 1. It is impossible that the CrowdStrike endpoints did not have QA/QC, CI and an entire workflow pipeline of checks/balances dedicated to ensuring the deployment of proper, thoroughly tested content files to 1 billion client/server machines daily. I put this up there with the SS not knowing about or properly defending the obvious roof line the 'sniper' used.
-
Yet, a malformed content file (C-00000291-00000000-00000032.sys) somehow bypassed this protection and was deployed worldwide.
-
I think, like the other tech companies (Twitter, Goog, FB, SolarWinds etc.), the DS has layered many sleeper systems deeply within the CS codebase. There's a good chance the software engineers maintaining it don't even know these embedded systems exist (e.g. rootkits in the build system, the edges beyond the content delivery pipeline, or even in the hardware routers at the edges (Cisco etc.)).

4. The CrowdStrike memory fault/error that caused the BSOD occurred in their legit, code-signed system driver "CSAgent.sys" when trying to read a deployed CS content file (oddly, these files have the "sys" extension too but are not system drivers. They are also not code-signed and do not appear to have any client-side hash checks. Red flag.) What else did CSAgent.sys execute in the past at ring zero access (full control) on a billion-plus machines, across all silos of industry and government?

5. An incredibly valuable attack vector is now destroyed. One that could have been used for a large cyber attack or to help rig an election. The worldwide effect, while costing time/money, did not do any damage and was a fairly easy (albeit time-consuming) fix. So cui bono? CrowdStrike? Reputation in shambles, software being uninstalled, contracts canceled, huge worldwide focus on either a faulty deployment pipeline or a company that has been infiltrated. How about the embedded DS in CS? Why would they ever destroy such a valuable attack asset for a test or a show of force that didn't accomplish anything?

6. IMO, the most likely scenario is WHs have known about this attack vector for a while, infiltrated either the embedded system itself or an edge router, and then intentionally altered the C-00000291-00000000-00000032.sys content file in such a way (null pointers at exact byte locations) that they knew CSAgent.sys would both crash and crash in a way that shines a worldwide flashlight on it. Q pointed at Ghidra; we should be looking at both CSAgent.sys and the CS content files.
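Added example, not part of the post above and not CrowdStrike's code: a toy "content file" loader in C that shows the two things the post keeps coming back to, a driver that trusts offsets inside a delivered content file, and the absence of a client-side integrity check before that file is parsed. The file layout, magic value, FNV-1a hash and sample bytes are all invented here for illustration; none of it is the real channel-file format, and nothing here reproduces the actual fault. The naive loader is the crash-shaped path (it dereferences whatever offset the file names); the checked loader verifies the hash first and then proves every offset and length lies inside the buffer before touching it. The two malformed cases are built deliberately: one with a valid hash (bad file produced upstream, so a hash check alone does not help) and one tampered after hashing (caught by the hash).

```c
/* Added example (not from the post above, and not CrowdStrike's code): a toy
 * "content file" loader. The file format, magic value and hash are invented
 * for illustration; nothing here reproduces the real channel file 291. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CF_MAGIC 0x43464C45u  /* hypothetical magic */

/* Hypothetical layout, little-endian:
 *   u32 magic | u32 n_entries | u32 hash | u32 offset[n_entries] | entries
 * Each entry is one u8 length byte followed by that many bytes of rule text.
 * `hash` covers every byte after the hash field. */

enum { CF_OK = 0, CF_TOO_SHORT, CF_BAD_MAGIC, CF_BAD_HASH,
       CF_BAD_TABLE, CF_BAD_OFFSET, CF_BAD_ENTRY };

/* FNV-1a: a stand-in for the signature or SHA-256 check a real agent should
 * run on delivered content before any parser touches it. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* UNSAFE loader: trusts the offset table. Offsets that point outside the
 * buffer make it read memory it does not own; in a ring-0 driver that read
 * is the fault that ends in a bugcheck. Only call it on known-good input. */
static int load_naive(const uint8_t *buf, int *rule_bytes) {
    uint32_t n = rd32(buf + 4);
    int total = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + rd32(buf + 12 + 4 * i);  /* no bounds check */
        total += e[0];
    }
    *rule_bytes = total;
    return CF_OK;
}

/* Hardened loader: integrity check first, then every offset and length is
 * proven to lie inside the buffer before it is dereferenced. */
static int load_checked(const uint8_t *buf, size_t len, int *rule_bytes) {
    if (len < 12) return CF_TOO_SHORT;
    if (rd32(buf) != CF_MAGIC) return CF_BAD_MAGIC;
    if (rd32(buf + 8) != fnv1a(buf + 12, len - 12)) return CF_BAD_HASH;
    uint32_t n = rd32(buf + 4);
    if (n > (len - 12) / 4) return CF_BAD_TABLE;          /* table must fit */
    size_t table_end = 12 + 4 * (size_t)n;
    int total = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t off = rd32(buf + 12 + 4 * i);
        if (off < table_end || off >= len) return CF_BAD_OFFSET;
        uint8_t elen = buf[off];
        if (elen > len - off - 1) return CF_BAD_ENTRY;    /* body must fit */
        total += elen;
    }
    *rule_bytes = total;
    return CF_OK;
}

/* Constructed sample file: two rules, "a=1" and "bb" (27 bytes). */
static size_t build_good(uint8_t *out) {
    wr32(out, CF_MAGIC); wr32(out + 4, 2);
    wr32(out + 12, 20); wr32(out + 16, 24);
    out[20] = 3; memcpy(out + 21, "a=1", 3);
    out[24] = 2; memcpy(out + 25, "bb", 2);
    wr32(out + 8, fnv1a(out + 12, 15));
    return 27;
}
/* Same file with the second offset pointing far past the end. With `rehash`
 * the hash is recomputed (bad file produced upstream, so integrity passes);
 * without it the file was altered after hashing (tampered in transit). */
static size_t build_bad_offset(uint8_t *out, int rehash) {
    size_t n = build_good(out);
    wr32(out + 16, 0xFFFFFF00u);
    if (rehash) wr32(out + 8, fnv1a(out + 12, n - 12));
    return n;
}

/* Scenario helpers returning the loader's verdict. */
int verdict_good(void) { uint8_t f[32]; int b; return load_checked(f, build_good(f), &b); }
int rule_bytes_good(void) { uint8_t f[32]; int b = 0; load_checked(f, build_good(f), &b); return b; }
int rule_bytes_naive_good(void) { uint8_t f[32]; int b = 0; build_good(f); load_naive(f, &b); return b; }
int verdict_bad_upstream(void) { uint8_t f[32]; int b; return load_checked(f, build_bad_offset(f, 1), &b); }
int verdict_tampered(void) { uint8_t f[32]; int b; return load_checked(f, build_bad_offset(f, 0), &b); }

int main(void) {
    printf("good: %d (rule bytes %d, naive %d)\n", verdict_good(), rule_bytes_good(), rule_bytes_naive_good());
    printf("bad offset, valid hash: %d (CF_BAD_OFFSET=%d)\n", verdict_bad_upstream(), CF_BAD_OFFSET);
    printf("tampered in transit: %d (CF_BAD_HASH=%d)\n", verdict_tampered(), CF_BAD_HASH);
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The naive loader is never run on the malformed file on purpose: doing so is an out-of-bounds read (undefined behaviour in user space, a bugcheck in a kernel driver), which is exactly the point. Note that the "bad offset, valid hash" case passes the integrity check and is only stopped by the bounds check, so a hash or signature on delivered content protects against tampering in transit but not against a bad file produced by the pipeline itself; a driver parsing untrusted bytes at ring 0 needs both.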