Ongoing Phishing Campaign Targeting CrowdStrike Users

Published on 20 Jul 2024

Update on 22 July 2024

There are also reports of an ongoing malware campaign targeting CrowdStrike users with a fake hotfix update. The fake hotfix delivers HijackLoader, which then drops the Remcos remote access tool on the infected system. Separately, threat actors are also distributing a data wiper under the pretense of delivering an update from CrowdStrike; once run, it wipes the data stored on the system.

System administrators may wish to configure their firewall rules to block connections to the domains associated with the latest campaign, perform anti-virus scans with updated definitions to detect possible malware infection, and regularly back up important data.

TYPE        INDICATOR
DOMAIN      portalintranetgrupobbva[.]com
DOMAIN      crowdstrike[.]com[.]vc
FILE NAME   instrucciones[.]txt
EXECUTABLE  Crowdstrike[.]exe


***

On 19 July 2024, a faulty content update for CrowdStrike's Falcon Sensor software on Windows hosts caused a significant global outage affecting numerous organisations worldwide. CrowdStrike is a major cybersecurity company whose Falcon Sensor is widely deployed by companies and government bodies.

There are reports of an ongoing phishing campaign targeting CrowdStrike users, with threat actors using the aforementioned events as lure themes for the following activities:

  • Sending phishing emails posing as CrowdStrike support to customers
  • Impersonating CrowdStrike staff in phone calls
  • Posing as independent researchers, claiming to have evidence that the technical issue is linked to a cyberattack and offering remediation insights
  • Selling scripts purporting to automate recovery from the content update issue

Possible malicious domains identified as associated with the ongoing campaign, all impersonating CrowdStrike's brand, are listed in the table below. System administrators may wish to configure their firewall rules to block connections to these domains.

TYPE    INDICATOR
DOMAIN  crowdstrike.phpartners[.]org
DOMAIN  crowdstrike0day[.]com
DOMAIN  crowdstrikebluescreen[.]com
DOMAIN  crowdstrike-bsod[.]com
DOMAIN  crowdstrikeupdate[.]com
DOMAIN  crowdstrikebsod[.]com
DOMAIN  www.crowdstrike0day[.]com
DOMAIN  www.fix-crowdstrike-bsod[.]com
DOMAIN  crowdstrikeoutage[.]info
DOMAIN  www.microsoftcrowdstrike[.]com
DOMAIN  crowdstrikeodayl[.]com
DOMAIN  crowdstrike[.]buzz
DOMAIN  www.crowdstriketoken[.]com
DOMAIN  www.crowdstrikefix[.]com
DOMAIN  fix-crowdstrike-apocalypse[.]com
DOMAIN  microsoftcrowdstrike[.]com
DOMAIN  crowdstrikedoomsday[.]com
DOMAIN  crowdstrikedown[.]com
DOMAIN  whatiscrowdstrike[.]com
DOMAIN  crowdstrike-helpdesk[.]com
DOMAIN  crowdstrikefix[.]com
DOMAIN  fix-crowdstrike-bsod[.]com
DOMAIN  crowdstrikedown[.]site
DOMAIN  crowdstuck[.]org
DOMAIN  crowdfalcon-immed-update[.]com
DOMAIN  crowdstriketoken[.]com
DOMAIN  crowdstrikeclaim[.]com
DOMAIN  crowdstrikeblueteam[.]com
DOMAIN  crowdstrikefix[.]zip
DOMAIN  crowdstrikereport[.]com


System administrators may also use the following CrowdStrike Falcon LogScale query to hunt for the domains provided in the table above. Note that the query matches exact values of the DomainName field, which is why the www-prefixed variants are listed separately; hosts that resolved other subdomains of these names will not match and would need a suffix-based search.

in("DomainName", values=["crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com"]) | table([cid, aid, #event_simpleName, ComputerName])
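The following Python script is an added example written for this page; it is not code from the advisory or from CrowdStrike. It takes the defanged indicators from the two tables above, refangs them, and applies them in the two ways the advisory recommends: generating a DNS blocklist (rendered here as a BIND Response Policy Zone, an assumed deployment target) and hunting for lookups of the blocked names in resolver logs. Matching is label-aware so that subdomains match but look-alikes such as crowdstrike[.]com[.]vc do not pull in the legitimate crowdstrike.com. The DNS log lines and the log format are constructed for the example.

```python
import re
from typing import Iterable

# A subset of the defanged indicators from the advisory tables above.
DEFANGED_DOMAINS = [
    "portalintranetgrupobbva[.]com",
    "crowdstrike[.]com[.]vc",
    "crowdstrike.phpartners[.]org",
    "crowdstrike0day[.]com",
    "crowdstrikebluescreen[.]com",
    "crowdstrike-bsod[.]com",
    "www.fix-crowdstrike-bsod[.]com",
    "crowdstrikefix[.]zip",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('crowdstrike[.]com[.]vc') back into a real
    hostname: lowercased, scheme stripped, trailing dot removed."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.rstrip(".")


def build_blocklist(defanged: Iterable[str]) -> set[str]:
    """Names to block. A leading 'www.' is dropped because matching is done
    on the parent name and already covers every subdomain."""
    out = set()
    for d in defanged:
        h = refang(d)
        if h.startswith("www."):
            h = h[4:]
        out.add(h)
    return out


def is_blocked(hostname: str, blocklist: set[str]) -> bool:
    """Exact match or any subdomain of a blocked name. Matching walks the
    DNS labels, so 'crowdstrike.com.vc' is blocked while 'crowdstrike.com'
    is not; a substring check would get this wrong."""
    labels = refang(hostname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def rpz_zone(blocklist: set[str], zone_name: str = "rpz.local") -> str:
    """Render a BIND RPZ zone that returns NXDOMAIN for each name and its
    subdomains (CNAME to the root is the RPZ NXDOMAIN action)."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone_name}. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(blocklist):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed sample resolver log (not from the advisory): timestamp,
# client address, query type and queried name.
SAMPLE_DNS_LOG = """\
2024-07-22T08:01:12Z 10.0.0.15 query[A] falcon.crowdstrike.com
2024-07-22T08:01:40Z 10.0.0.15 query[A] CROWDSTRIKE.COM.VC.
2024-07-22T08:02:03Z 10.0.0.23 query[A] cdn.crowdstrikefix.zip
2024-07-22T08:02:30Z 10.0.0.23 query[AAAA] www.microsoft.com
2024-07-22T08:03:11Z 10.0.0.42 query[A] fix-crowdstrike-bsod.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[\w+\]\s+(?P<qname>\S+)$"
)


def hunt(log_text: str, blocklist: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, normalised name) for every query that hit
    a blocked name or one of its subdomains."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blocked(m["qname"], blocklist):
            hits.append((m["ts"], m["client"], refang(m["qname"])))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_DOMAINS)
    for hit in hunt(SAMPLE_DNS_LOG, bl):
        print("ALERT", *hit)
    print(rpz_zone(bl))
```

The wildcard RPZ records are what make the blocklist cover subdomains; the same label-walking logic in is_blocked is what a suffix-based LogScale or SIEM search should reproduce if exact matching on DomainName is too narrow.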

Organisations are advised to ensure that they communicate with CrowdStrike representatives only through official channels and to follow the technical guidance provided by CrowdStrike support teams.

More information is available here:
https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/