Latest Headline

In the wake of a widespread system outage caused by a defective update from CrowdStrike, cybercriminals are creating deceptive domains and phishing sites disguised as CrowdStrike support, offering fake fixes that actually distribute malware.

Fletch is constantly monitoring the threat landscape. The data in this guide is most up to date as of publication. Check out CrowdStroke's Threat Board for any updates or create an account with Fletch to be in the know for every threat.

The Original CrowdStrike Incident

On July 19th 2024, a faulty CrowdStrike update caused systems worldwide to go offline, displaying the Windows Blue Screen of Death (BSOD). This led to widespread disruption of businesses from around the globe, including flight cancellations and delays in elective medical treatments. 

CrowdStrike's CEO, George Kurtz, confirmed that the problem is not a security incident or cyberattack but a defect in their Falcon Sensor product. The company has deployed a fix and provided mitigation instructions for affected systems, including booting Windows in Safe Mode and deleting a specific file.

CrowdStroke: Exploiting the Aftermath

Cybercriminals are now opportunistically exploiting this incident through phishing sites that mimic CrowdStrike support and distribute malware disguised as official fixes. For example, phishing emails were sent with attachments such as “crowdstrike-hotfix.zip,” which contained the Remcos RAT, a malware that allows remote control of infected systems​​.

Rapid adaptation to the situation highlights the ad-hoc nature of many cybersecurity operations. These groups swiftly took advantage of the global scale of the CrowdStrike outage to deceive panicked and confused users.

Victims & Motivations

The victims of these cyber exploits include organizations across various sectors such as banking, healthcare, and transportation. The primary motivation for these cybercriminals is data theft, credential harvesting, and financial gain through fraudulent services. The incident had a global impact, affecting users in multiple regions, with significant disruptions reported in Europe and the United States. The attackers aimed to capitalize on the chaos and urgency to fix the affected systems, tricking users into downloading malicious software​.

Tactics

Cybercriminals employed various methodologies, including setting up phishing domains and sites that mimicked official CrowdStrike support pages. They distributed malware disguised as fixes for the CrowdStrike issue, such as the Remcos RAT and data wipers. These malicious tools were often embedded in ZIP files or documents that users were tricked into downloading and executing. The malware then allowed attackers to gain remote access, exfiltrate data, and potentially deploy further malicious software.

Mitigation Advice

At the time of publication, this was the mitigation advice against CrowdStroke:

• Immediately halt the deployment of the faulty CrowdStrike update across all Windows systems within the organization.

• Immediately isolate affected systems to prevent potential spread or further impact of the BSOD issue.

• Block Offending IPs: Temporarily block IP addresses that are identified as sources of excessive requests or suspicious activities.

• Boot affected Windows servers into Safe Mode or the Windows Recovery Environment to bypass the BSOD/boot loop issue.

• For systems already impacted, follow the mitigation instructions provided:   - Boot Windows in Safe Mode or Windows Recovery Environment.   - Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.   - Find and delete the file named "C-00000291*.sys".   - Restart the computer or server normally.

At the time of publication these were the right compliance controls to focus on for Crowdstroke: 

• Install and regularly update antivirus software on all company devices.

• Train your employees to recognize and counter impersonation tricks, such as confirming requests through a phone call or in-person.

• Train employees to recognize and report suspicious emails and attachments.

• Block unknown or unused email attachments like .scr, .exe, .pif, and .cpl.

• You can check out the most recent mitigation measures by creating an account when you join Fletch.

You can check out the most recent mitigation measures when you create an account with Fletch.

Communication

On top of mitigation advice, Fletch also provides AI generated communications so you can educate your different company stakeholders. At the time of publication, this was what was recommended for the following:

For employees with exposure:

For Customers:

For more templates for your different stakeholders, create an account with Fletch.

Takeaway

This incident highlights the critical need for organizations to verify the legitimacy of service providers and use official support channels during crises. Maintaining updated security software, educating employees about phishing and social engineering tactics, and having robust disaster recovery plans are essential measures to mitigate risks from such opportunistic cyber threats. Organizations should be particularly vigilant about unsolicited communications claiming to offer fixes and should only follow official guidance from trusted sources​.

CrowdStroke is just one example of an ever evolving threat that Fletch helps you keep track of, and prioritizes. 

Our AI engine is constantly scanning and indexing the threat landscape for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, forecast threats on your horizon, and give you daily advice on what to do.

Join Fletch and try it for yourself.

1. HealthcareInfoSecurity [Fake Websites, Phishing Appear in Wake of CrowdStrike Outage](https://www.healthcareinfosecurity.com/fake-websites-phishing-surface-in-wake-crowdstrike-outage-a-25817)

2. SC Media [5 ways threat actors are taking advantage of the CrowdStrike outage](https://www.scmagazine.com/news/5-ways-threat-actors-are-taking-advantage-of-the-crowdstrike-outage}

3. ReliaQuest [CrowdStrike Outage: Script, Phishing, and Social Engineering Attacks](https://www.reliaquest.com/blog/crowdstrike-outage-script-phishing-and-social-engineering-attacks/)