CyberPeace Alert: Rise in Phishing and Malicious Activities Following CrowdStrike Outage
Overview:
After the blackout on July 19, 2024, which affected CrowdStrike’s services worldwide, cybercriminals began to launch many phishing attacks and distribute malware. These activities mainly affect CrowdStrike customers, using the confusion as a way to extort information through fake support sites. The analysis carried out by the Research Wing of CyberPeace and Autobot Infosec has identified several phishing links and malicious campaigns.
The Exploitation:
Cyber adversaries have registered domains that are similar to CrowdStrike’s brand and have opened fake accounts on social media platforms. These are fake platforms that are employed to defraud users into surrendering their personal and sensitive details for use in other fraudulent activities.
Phishing Campaign Links:
- crowdstrike-helpdesk[.]com
- crowdstrikebluescreen[.]com
- crowdstrike-bsod[.]com
- crowdstrikedown[.]site
- crowdstrike0day[.]com
- crowdstrikedoomsday[.]com
- crowdstrikefix[.]com
- crashstrike[.]com
- crowdstriketoken[.]com
- fix-crowdstrike-bsod[.]com
- bsodsm8r[.]xamzgjedu[.]com
- crowdstrikebsodfix[.]blob[.]core[.]windows[.]net
- crowdstrikecommuication[.]app
- fix-crowdstrike-apocalypse[.]com
- supportportal-crowdstrike-com[.]translate[.]goog
- crowdstrike-cloudtrail-storage-bb-126d5e[.]s3[.]us-west-1[.]amazonaws[.]com
- crowdstrikeoutage[.]info
- clownstrike[.]co[.]uk
- crowdstrikebsod[.]com
- whatiscrowdstrike[.]com
- clownstrike[.]co
- microsoftcrowdstrike[.]com
- crowdfalcon-immed-update[.]com
- crowdstuck[.]org
- failstrike[.]com
- winsstrike[.]com
- crowdpass[.]com
In one case, a PDF file is being circulated with CrowdStrike branding, saying ‘Download The Updater,’ which is a link to a ZIP file. The ZIP file is a compressed file that has an executable file with a virus. This is a clear sign that the hackers are out to take advantage of the current situation by releasing the malware as an update.
In another case, there is a malicious Microsoft Word document that is currently being shared, which claims to offer a solution on how to deal with this CrowdStrike BSOD bug. But there is a hidden risk in the document. When users follow the instructions and enable the embedded macro, it triggers the download of an information-stealing malware from a remote host. This is a form of malware that is used to steal information and is not well recognized by most security software. Also it sends the stolen data to the samesame remote host but with different port number, which likey works as the CnC server for the campaign.
- Name New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows[.]docm
- MD5 dd2100dfa067caae416b885637adc4ef
- SHA-1 499f8881f4927e7b4a1a0448f62c60741ea6d44b
- SHA-256 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
- URLS http://172.104.160[.]126:8099/payload2.txt, http://172.104.160[.]126:5000/Uploadss
Recent Outage Impact:
On July 19, 2024, CrowdStrike faced a global outage that originated from an update of its Falcon Sensor security software. This outage affected many government organizations and companies in different industries, such as finance, media, and telecommunications. The event led to numerous complaints from the users who experienced problems like blue screen of death and system failure. Although, CrowdStrike has admitted to the problem and is in the process of fixing it.
Preventive Measures:
- Organize regular awareness sessions to educate the employees about the phishing techniques and how they can avoid the phishing scams, emails, links, and websites.
- MFA should be used for login to the sensitive accounts and systems for an improvement on the security levels.
- Make sure all security applications including the antivirus and anti-malware are up to date to help in the detection of phishing scams.
- This includes putting in place of measures such as alert on account activity or login patterns to facilitate early detection of phishing attempts.
- Encourage employees and users to inform the IT department as soon as they have any suspicions regarding phishing attempts.
Conclusion:
The recent CrowdStrike outage is a perfect example of how cybercriminals take advantage of the situation and user’s confusion and anxiety. Thus, people and organizations can keep themselves from these threats and maintain the confidentiality of their information by being cautious and adhering to the proper standards. To get the current information on the BSOD problem and the detailed instructions on its solution, visit CrowdStrike’s support center. Reported problems should be handled with caution and regular backup should be made to minimize the effects.
References:
- https://app.any.run/tasks/2c0ffc87-4059-4d6f-8306-1258cf33aa54/
- https://app.any.run/tasks/48e18e33-2007-49a8-aa60-d04c21e8fa11
- https://www.virustotal.com/gui/file/19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0/relations
- https://www.virustotal.com/gui/file/803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61/detection
- https://www.joesandbox.com/analysis/1478411#iocs