Ongoing Phishing Campaign Targeting CrowdStrike Users

Update on 22 July 2024

There are also reports of ongoing malware campaign targeting CrowdStrike users with fake hotfix update. This fake hotfix delivers HijackLoader, which then drops the Remcos remote access tool on the infected system. In another update, threat actors are also distributing a data wiper under the pretense of delivering an update from CrowdStrike. Once installed, it will wipe out all the data stored on the system.

System administrators may wish to configure their firewall rules to block connections to the domains associated with the latest campaign, perform anti-virus scans with the updated definition to detect possible malware infection and regularly backups important data.

***

On 19 July 2024, CrowdStrike, a major cybersecurity company, experienced a significant global outage that affected numerous organisations worldwide. The issue stemmed from a faulty update to CrowdStrike's Falcon Sensor software, which is widely used by many companies and government bodies.

There are reports of an ongoing phishing campaign targeting CrowdStrike users with threat actors leveraging the aforementioned events as lure themes to conduct the following activities:

• Sending phishing emails posing as CrowdStrike support to customers

• Impersonating CrowdStrike staff in phone calls

• Posing as independent researchers, claiming to have evidence that the technical issue is linked to a cyberattack and offering remediation insights

• Selling scripts purporting to automate recovery from the content update issue

Possible malicious domains identified associated with the ongoing campaign that impersonate CrowdStrike’s brand are shown in the table below. System administrators may wish to configure their firewall rules to block connections to the following domains associated with the campaign.

System administrators may also use the following CrowdStrike Falcon LogScale query to hunt for the domains provided in the table above:

in("DomainName", values=["crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com"]) | table([cid, aid, #event_simpleName, ComputerName])

It is advised that organisations ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided.

More information is available here:
https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/