On July 19th, 2024, CrowdStrike, a leading cybersecurity provider of advanced endpoint detection and protection solutions, released a sensor configuration update to Windows systems. This update contained a logic error that resulted in system crashes and Blue Screen of Death (BSOD) incidents. The faulty update caused widespread disruptions on Friday, affecting critical services in banks, airlines, hospitals, stock markets, and IT industries globally. On July 20th, 2024, CrowdStrike released technical details explaining that a logic error in a channel file caused the BSOD. This buggy channel file was designed to detect newly observed malicious named pipes used by standard C2 (Command and Control) frameworks in cyberattacks. CrowdStrike also stated that it is conducting a thorough root cause analysis to understand how this logic error occurred.
While the entire world is grappling with the outage and working to resolve the issues, Threat Actors (TAs) are exploiting the situation to their advantage. Within 24 hours of the incident, TAs registered several malicious domains targeting individuals and organizations closely following the incident. The cybersecurity community quickly identified these malicious domains and shared the information via platforms like X (formerly Twitter), LinkedIn, etc.
SANS shared a post on X about a domain named “crowdstrikeclaim.com,” offering a form for impacted organizations to request a free claim review. The form asks for detailed information, including phone number, first name, last name, and email address. Submitting this personal and organizational data could result in identity theft or unauthorized access to accounts.
Well-known security researcher John Hammond shared a post on X about a domain called “crowdstrikebluescreen.com,” which offers services to affected organizations. Verifying such services is crucial, as engaging with misleading or fraudulent offers could lead to additional operational problems and divert resources and attention away from addressing the original incident.
Bernardo Quintero, founder of VirusTotal, shared a post on X about TAs exploiting the CrowdStrike incident by distributing malware disguised as a hotfix. The file name suggests that the TAs have registered .zip domains (host names whose TLD doubles as a file extension) to distribute the malware.
Conclusion:
The emergence of malicious domains and fraudulent services illustrates the need for heightened caution and verification when dealing with offers and requests related to security incidents. These threats pose risks of identity theft and unauthorized access and can divert valuable resources and attention from resolving the core problem. Furthermore, the distribution of malware disguised as a hotfix demonstrates the adaptability and persistence of TAs in exploiting current events for their gain. In navigating these challenges, it is essential for organizations to remain alert, verify the legitimacy of any claims or services, and maintain robust security practices to safeguard against such threats.
Our Recommendations:
- Avoid submitting personal or organizational information on sites offering “free claim reviews” or other services related to the incident. These may be scams designed to steal sensitive information.
- Before engaging with any service or offer related to the incident, verify the provider’s legitimacy.
- Only follow remediation steps and instructions from CrowdStrike’s official support channels.
- Use updated antivirus and anti-malware tools to scan for and block malicious files or domains. Stay informed about the latest threats and security measures to protect your systems.
- Educate employees and stakeholders about recognizing and avoiding scams and phishing attempts.
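One way to operationalize the "block malicious domains" recommendation above is a triage rule for newly observed domains that trade on the vendor's name during an incident, or that use a TLD such as .zip that reads like an attachment. This is an added example, not Cyble's or CrowdStrike's code; the allowlist of legitimate domains and the sample list are assumptions, with the sample built from domains this post reports.

```python
"""Triage newly observed domains for incident-themed lookalikes (added example)."""
from dataclasses import dataclass

BRAND = "crowdstrike"
# Domains the vendor legitimately operates. Assumed allowlist; replace with your own.
LEGITIMATE = {"crowdstrike.com"}
# TLDs that double as file extensions, so a host name can masquerade as a download.
FILE_LIKE_TLDS = {"zip", "mov"}

# Constructed sample feed: domains reported in the post plus two benign names.
SAMPLE = [
    "crowdstrikeclaim.com",
    "crowdstrikebluescreen.com",
    "crowdstrike-hotfix.zip",
    "falcon.crowdstrike.com",
    "example.org",
]


@dataclass(frozen=True)
class Verdict:
    domain: str
    reasons: tuple  # empty tuple means nothing suspicious was found


def registrable(domain: str) -> str:
    """Last two labels. Naive on purpose: use a public-suffix list for e.g. co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage(domain: str) -> Verdict:
    reg = registrable(domain)
    if reg in LEGITIMATE:  # subdomains of the real vendor domain are not lookalikes
        return Verdict(domain, ())
    sld, tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
    reasons = []
    if BRAND in sld.replace("-", ""):  # catches crowdstrike-bsod as well as crowdstrikebsod
        reasons.append("brand-keyword")
    if tld in FILE_LIKE_TLDS:
        reasons.append("file-like-tld")
    return Verdict(domain, tuple(reasons))


def suspicious(domains):
    """Return only the verdicts that carry at least one reason, in feed order."""
    return [v for v in map(triage, domains) if v.reasons]


if __name__ == "__main__":
    for v in suspicious(SAMPLE):
        print(f"{v.domain}: {', '.join(v.reasons)}")
```

The output is a triage queue for analysts or a blocklist candidate list, not a verdict; the allowlist check must be kept current or the vendor's own subdomains will be flagged.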
Indicators of Compromise (IOCs)
The post Threat Actors Exploit Recent CrowdStrike Outage to Ramp Up Suspicious Domain Creation appeared first on Cyble.
MITRE ATT&CK TTPs – created by AI
Based on the described scenario, here are some MITRE ATT&CK TTPs relevant to the defense evasion techniques and malicious activities mentioned:
- T1071.001 – Application Layer Protocol: Web Protocols
  - Description: TAs are exploiting the incident by creating malicious domains and fraudulent services that use web protocols for C2 communication or phishing attempts.
- T1071.003 – Application Layer Protocol: Mail Protocols
  - Description: Although not explicitly mentioned, the use of fraudulent domains and forms could potentially involve mail protocols for phishing or credential harvesting.
- T1203 – Exploitation for Client Execution
  - Description: Distribution of malware disguised as a hotfix suggests an exploitation technique to execute malicious code on client systems.
- T1070 – Indicator Removal on Host
  - Description: TAs may be involved in removing indicators of compromise (IoCs) by disguising malicious software as legitimate updates or fixes.
- T1193 – Spearphishing
  - Description: The creation of phishing domains (e.g., “crowdstrikeclaim.com”) for collecting personal and organizational information is an example of spearphishing.
- T1566 – Phishing
  - Description: The use of deceptive domains and forms to gather sensitive information falls under phishing techniques.
- T1497 – Virtualization/Sandbox Evasion
  - Description: Although not directly mentioned, malware disguised as a hotfix might use techniques to evade detection by security tools or sandboxes.
These TTPs outline how threat actors exploit security incidents and deceive victims into divulging sensitive information or executing malicious code.