2024-08-06
Security Team
Cybersecurity Alert: CrowdStrike Glitch Sparks Surge in Phishing and Malware Attacks
Malware Analysis
Scam And Phishing

In the wake of a recent CrowdStrike software update, which led to a major disruption affecting millions of Windows systems, threat actors have seized the opportunity to launch targeted cyber-attacks. As companies scramble to address issues caused by the faulty update, researchers and government agencies have noted a troubling uptick in phishing attempts and malware distribution aimed at exploiting the chaos.


Increased Phishing Scams Amidst CrowdStrike Outage

CrowdStrike’s problematic content update led to significant crashes across Windows hosts globally. The company has since issued a statement, confirming its commitment to assisting affected customers and urging vigilance.

George Kurtz, CEO of CrowdStrike, emphasized the importance of verifying communication through official channels: “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.”

The U.K. National Cyber Security Centre (NCSC) has reported a rise in phishing emails aimed at exploiting the outage. The automated malware analysis platform ANY.RUN observed a surge in attempts to impersonate CrowdStrike, which could lead to successful phishing attacks.

Malware Masquerading as Updates

Cybersecurity researcher g0njxa highlighted a malicious campaign targeting BBVA bank customers. Attackers offered a fake CrowdStrike hotfix through a phishing site disguised as a BBVA Intranet portal. This fraudulent update was actually a vehicle for the Remcos remote access tool.

The deceptive update was accompanied by instructions urging employees to install it to avoid connectivity errors. Once executed, the fake update deployed HijackLoader, which then installed Remcos on the compromised system.

In another alarming development, ANY.RUN reported that some attackers are distributing a data wiper disguised as a CrowdStrike update. This malicious software obliterates files on affected systems, reporting its actions over Telegram. The pro-Iranian hacktivist group Handala claimed responsibility, sending phishing emails from a domain resembling CrowdStrike’s and targeting Israeli companies.

These emails contained PDFs with instructions for running the fake update, linking to a ZIP archive with a malicious executable named 'Crowdstrike.exe'. Upon execution, the data wiper was extracted and activated, leading to data destruction.


The Scope of the Disruption

The impact of CrowdStrike’s update failure was substantial. According to Microsoft, the glitch affected approximately 8.5 million Windows devices, a small fraction of all Windows machines but significant in scope, causing widespread disruptions in flights, financial institutions, hospitals, media organizations, railways, and emergency services.

CrowdStrike’s post-mortem blog reveals that the issue stemmed from a channel file update for Windows hosts (sensor version 7.11 and above), which triggered a logic error and subsequent crashes. While the faulty file has been identified and corrected, companies still grappling with system restorations are encouraged to follow CrowdStrike’s guidance for recovering individual hosts, BitLocker keys, and cloud environments.

As the situation continues to evolve, staying informed and cautious is crucial. Ensure all updates and communications are verified through official CrowdStrike channels to avoid falling victim to these opportunistic cyber threats.


What Are Indicators of Compromise (IoCs)?

Cybercriminals are capitalizing on the CrowdStrike Blue Screen of Death (BSOD) error by distributing malware disguised as a fix. In one scheme, attackers are sending phishing emails with a ZIP file named “crowdstrike-hotfix.zip,” which actually deploys the Remcos RAT malware.

Indicators of Compromise (IoCs):


Additionally, malicious Microsoft Word documents with harmful macro code have been observed. Enabling and executing these macros can result in the download of information-stealing malware.

Indicators of Compromise (IoCs):


Be vigilant for indicators of compromise (IoCs) that may signal malicious activity. Here are some of the suspicious domains that can be used by threat actors:

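As an added illustration (not part of the original alert), the following Python triage sketch shows how a defender could screen proxy or DNS logs for the three signals this section describes: known impersonation domains supplied in the usual defanged `[.]` form, any host that carries the CrowdStrike brand without being under the official crowdstrike.com domain, and the attachment names called out above (crowdstrike-hotfix.zip and Crowdstrike.exe). The log format, the log lines and the IoC domain are constructed samples.

```python
import re
from urllib.parse import urlsplit

# The alert tells readers to trust only official CrowdStrike channels; anything
# else that carries the brand name in its hostname is treated as a lookalike.
OFFICIAL_DOMAINS = ("crowdstrike.com",)
BRAND_RE = re.compile(r"crowd[-_]?strike|crowdstrik|clownstrike|crashstrike", re.I)

# File names named in the alert as carriers of Remcos and the Handala wiper.
SUSPECT_FILENAMES = {"crowdstrike-hotfix.zip", "crowdstrike.exe"}

# Constructed proxy-log format: "<timestamp> <source-ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 'evil[.]example' back into a usable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def is_lookalike(host: str) -> bool:
    """Brand name present anywhere in the hostname, but not under the official domain."""
    return bool(BRAND_RE.search(host)) and not is_official(host)


def triage(log_lines, defanged_iocs):
    """Return (line, reason) for each log line that matches a known IoC, a lookalike host or a suspect file name."""
    ioc_hosts = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if host in ioc_hosts:
            hits.append((line, "known IoC domain"))
        elif is_lookalike(host):
            hits.append((line, "brand lookalike host"))
        elif filename in SUSPECT_FILENAMES:
            hits.append((line, "suspect file name"))
    return hits


# Constructed sample feed and log lines (hypothetical hosts under .example).
SAMPLE_IOCS = ["crowdstrike-hotfix-portal[.]example"]
SAMPLE_LOG = [
    "2024-07-19T09:12:03Z 10.0.0.5 GET https://www.crowdstrike.com/blog/remediation",
    "2024-07-19T09:15:41Z 10.0.0.7 GET https://crowdstrike-hotfix-portal.example/crowdstrike-hotfix.zip",
    "2024-07-19T09:16:02Z 10.0.0.9 GET https://intranet-bsod-fix.example/Crowdstrike.exe",
    "2024-07-19T09:18:17Z 10.0.0.9 GET https://clownstrike-help.example/login",
    "2024-07-19T09:20:00Z 10.0.0.3 GET https://example.org/news/crowdstrike-outage",
]
```

Because the brand check runs on the full hostname, a brand-named bucket or subdomain on an otherwise legitimate cloud storage domain is still flagged, while the brand name appearing only in a URL path on an unrelated site is not.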

How do I Remediate Impacted Hosts?

If hosts are still crashing and unable to stay online to receive the Channel File update, the remediation steps below can be used.

How do I Remediate Individual Hosts? Updated 2024-07-21 0932 UTC

Reboot the host to give it an opportunity to download the reverted channel file. We strongly recommend putting the host on a wired network (as opposed to Wi-Fi) prior to rebooting, as the host will acquire internet connectivity considerably faster via Ethernet.

If the host crashes again on reboot:

  • Option 1 – Manual

Please see this Microsoft article for detailed steps.

Note: BitLocker-encrypted hosts may require a recovery key.

  • Option 2 – Automated via bootable USB key

Follow the instructions in this KB article (PDF), or log in to view it in the support portal.

Note: BitLocker-encrypted hosts may require a recovery key.
