IT management, Incident Response, Business continuity, Phishing, Malware, Channel partners

Cyber Pros Spot Spike in Malicious Activity Over CrowdStrike Outage

Share
Phishing Alert text button on keyboard

Predictably, it didn’t take long after the massive global IT outage from a faulty CrowdStrike Falcon update for threat actors to begin perpetrating phishing scams, deploying malware and stealing data.

The outage that hit an estimated 8.5 million Windows machines on Friday raised concern among MSSPs, MSPs and cybersecurity vendors of increased threat activity. In fact, Bolster, a multi-channel phishing protection provider, announced on Monday that its free CheckPhish site had detected a spike in malicious activities, with more than 40 phishing and phony lookalike domains created in the first 24 hours following the CrowdStrike incident.

Tony UcedaVélez, CEO and founder of VerSprite, an Atlanta, Georgia-based MSSP, told MSSP Alert that he has also noticed an uptick in threat actor activity.

“We are seeing a spike in threat campaigns in vendor perpetration mostly where CrowdStrike is being perpetrated to IT targets,” he said. “These phishing attempts look to leverage CrowdStrike-related remediation efforts that may pertain to their computing endpoints or product systems in the environment.”

He added that given the bulk of the impact was on the Windows 10 OS, he believes that “Microsoft comes across as partly sharing the blame due to not being able to mitigate a process identifier (PID) that abends and is able to subjugate an endpoint.”

Max Gannon, cyber threat intelligence manager at Cofense, an email and phishing security specialist headquartered in Leesburg, Virginia, said his company has also seen threat actors spoofing CrowdStrike and publicly claiming ownership.

“We are also likely to see threat actors spoofing Microsoft and every relevant company including ‘updates’ from one’s own company relating to the incident," Gannon said. "As with anything that shows up in the news, if you receive an email about it you should pause to evaluate rather than giving in to the implied urgency of the topic."

Itai Tevet, CEO of Intezer, a cybersecurity vendor company that integrates with CrowdStrike Falcon Next-Gen SIEM for their MSSP customers, stressed the importance of warning clients and employees to immediately report phishing emails, texts or possible scam calls trying to take advantage of the CrowdStrike outage.

“Attackers frequently use big news events for phishing lures and social engineering, especially when they can take advantage of a crisis and create a false sense of urgency to trick someone into sharing credentials or clicking a link,” he said. “Intezer detects malicious and deceptive content in user-reported phishing emails using AI, including attempts to impersonate a large cybersecurity brand like CrowdStrike."

For that matter, CrowdStrike warned of expected attempts to impersonate their brand, published a report about a RemCos payload and warned about a fake recovery manual that uses a Word document containing malicious macros). 

Five Ways Threat Actors are Taking Advantage of the Outage

MSSP Alert sister site SC Media reports five ways threat actors are taking advantage of the CrowdStrike outage.

1.) Dozens of CrowdStrike-related phishing domains registered

Several of these domains, such as “crowdstrikebluescreen[.]com” and “crowdstrikefix[.]com” were registered within hours of the outage, as reported by JCyberSEc_ via X on Friday. Since then, dozens more malicious domains have been identified by numerous security researchers and organizations, including SentinelOne and Bolster.

2.) RemCos RAT spread through “CrowdStrike hotfix” ZIP file

In another advisory published Saturday, CrowdStrike warned that threat actors were distributing a ZIP file named “crowdstrike-hotfix.zip” that led to infection with the RemCos remote access trojan (RAT). The campaign appears to target Latin America-based CrowdStrike customers and was noted by X user g0njxa and malware analysis platform ANY.RUN to use the domain portalintranetgrupobbva[.]com, which impersonates BBVA bank.

3.) Word document containing Microsoft Recovery Tool instructions drops infostealer

Installing recovery tools and patches only when they come directly from official sites is crucial, as one campaign reported by Zscaler ThreatLabz Monday directly impersonates the aforementioned Microsoft Recovery Tool.

The campaign involves distribution of a Word document containing the same instructions found on Microsoft’s own blog post announcing the Recovery Tool, including a seemingly legitimate Microsoft URL. However, the document contains a malicious macro that installs infostealer malware when activated.

4.) Handala hacking group claims wiper attack leveraging fake CrowdStrike fix

While the RemCos RAT attack identified by CrowdStrike and infostealer attack reported by Zscaler have not been attributed to specific threat actors, another campaign impersonating CrowdStrike in the aftermath of the outage was claimed by the Handala hacking group. According to Cyberint, Handala is a pro-Hamas hacktivist group that targets Israeli organizations.

5.) Threat actors setting up for attacks that could outlast CrowdStrike outage

Bolster identified some domains specifically advertising legal services, rather than recovery tools. For example, one site impersonates the law firm Parker Waichman LLP and entices businesses with the opportunity to file a legal claim against CrowdStrike for “compensation” related to the IT outage.

Bolster Reports Growing Typosquat Activity

Bolster said it has identified multiple types of phishing scams, from malicious domains offering technical or legal support, to CrowdStrike crypto tokens and sites still under construction. The CheckPhish community has created a growing list of “CrowdStrike” typosquats. Typosquats are lookalike domains resembling a legitimate domain but with variations, such as common misspellings or additional characters.

“In the early hours of July 19, scammers began trying to lure victims into various scams,” Abhilash Garimella, vice president of research at Bolster, said in a statement. “Within the first 24 hours, more than 40 typosquat domains were targeting CrowdStrike users and had been added to the CheckPhish site."

CheckPhish is a free, real-time URL scanner that uses an array of machine learning algorithms to determine if a site is malicious or not, Bolster said.

In-Depth Coverage of the CrowdStrike Outage on MSSP Alert

Read coverage of the CrowdStrike outage from MSSP Alert

SC Media journalist Laura French contributed to this story.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.