On Thursday, cybersecurity company CrowdStrike released a problematic update to its Falcon Sensor agent on Windows, causing major disruptions to the day-to-day operations of various organizations, including banks, airlines, and media companies. This problematic update caused nearly 8.5 million Windows PCs to continuously reboot with error code 0x50 or 0x7E Blue Screen of Death (BSOD) errors.
Since then, CrowdStrike and Microsoft have provided guidance to affected customers to recover their PCs. You can check out CrowdStrike's official guide here and Microsoft's official guide here.
While the world scrambles to fix the CrowdStrike-affected PCs, cybercriminals are taking advantage of this critical situation. CrowdStrike noticed that cybercriminals are distributing a malicious ZIP archive named crowdstrike-hotfix.zip (SHA256 hash: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2).
The crowdstrike-hotfix.zip archive is malware and contains a HijackLoader payload that loads RemCos. CrowdStrike believes that the Spanish filenames and instructions within the ZIP archive indicate this campaign likely targets Latin America-based (LATAM) CrowdStrike customers.
In addition to the malware campaign, cybercriminals are also targeting CrowdStrike customers with phishing campaigns. They are sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike employees in phone calls, posing as independent researchers to offer remediation insights, and even selling scripts to automate recovery from the CrowdStrike update issue.
The following malicious domains were recently created for phishing campaigns:
crowdstrike.phpartners[.]org crowdstrike0day[.]com crowdstrikebluescreen[.]com crowdstrike-bsod[.]com crowdstrikeupdate[.]com crowdstrikebsod[.]com www.crowdstrike0day[.]com www.fix-crowdstrike-bsod[.]com crowdstrikeoutage[.]info www.microsoftcrowdstrike[.]com crowdstrikeodayl[.]com crowdstrike[.]buzz www.crowdstriketoken[.]com www.crowdstrikefix[.]com fix-crowdstrike-apocalypse[.]com microsoftcrowdstrike[.]com crowdstrikedoomsday[.]com crowdstrikedown[.]com whatiscrowdstrike[.]com crowdstrike-helpdesk[.]com crowdstrikefix[.]com fix-crowdstrike-bsod[.]com crowdstrikedown[.]site crowdstuck[.]org crowdfalcon-immed-update[.]com crowdstriketoken[.]com crowdstrikeclaim[.]com crowdstrikeblueteam[.]com crowdstrikefix[.]zip crowdstrikereport[.]com
CrowdStrike advises its customers to connect with CrowdStrike representatives only through official channels and stick to technical guidance provided by CrowdStrike and Microsoft. Microsoft has also recently updated their guide to offer an automated method involving recovery drives, which you can read about here.
While CrowdStrike and Microsoft have worked to mitigate the immediate damage, the ongoing phishing and malware campaigns underscore the persistence of cybercriminals seeking to capitalize on chaos.
Source: CrowdStrike
5 Comments - Add comment