CrowdStrike Incident Leveraged for Malware Delivery, Phishing, Scams


Individuals and organizations have been warned that threat actors are leveraging the CrowdStrike incident for phishing, scams, and malware delivery.

Many organizations across the world suffered major disruptions on Friday after cybersecurity giant CrowdStrike pushed out a routine sensor configuration update that triggered a logic error and caused a Blue Screen of Death (BSOD) on Windows systems.

CrowdStrike, Microsoft and others have provided tools and other resources to help impacted organizations restore their systems.

As typically happens with major global events, threat actors — particularly financially motivated groups — have jumped on the opportunity, leveraging the chaos and the fact that many people and organizations have been scrambling to find information and fixes.

Threat intelligence firm ThreatMon reported seeing archive files named ‘crowdstrike-hotfix’ delivering HijackLoader payloads to its customers in Latin America. 

Malware analysis service Any.Run has also seen these malicious hotfixes and found that HijackLoader delivers Remcos, a RAT that enables attackers to take control of infected devices. In one case, the malware was delivered from a website purportedly belonging to a bank.  

FalconFeeds reported that Palestinian hacktivists have leveraged the CrowdStrike incident in an attempt to trick Israeli organizations into installing wiper malware on their systems. 

Dozens of domains referencing CrowdStrike have been registered since Friday and many of them could be used for nefarious purposes.


These domains can host phishing pages, malware or scams. In some instances, such domains offer ‘fixes’ that users have to pay for in cryptocurrency. 
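As an added example (not code from the article or from any of the firms it cites), a small Python triage script that flags the two lure patterns described above in constructed proxy log lines: archives named ‘crowdstrike-hotfix’ and lookalike domains that reference the vendor but are not the legitimate crowdstrike.com. The sample URLs, the .example hostnames and the legitimate-domain list are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed legitimate vendor domains; any other host whose name references the
# vendor is treated as a lookalike worth a closer look.
LEGIT_SUFFIXES = ("crowdstrike.com",)

# Lure patterns from the article: 'crowdstrike-hotfix' archives and domains
# that reference the vendor name (with a few common character substitutions).
HOTFIX_RE = re.compile(r"crowdstrike[-_ ]?hotfix.*\.(zip|rar|7z)$", re.I)
BRAND_RE = re.compile(r"cr[o0]wd[-_]?str[i1]ke", re.I)

def split_url(url: str):
    """Return (lowercase hostname, path) for a URL, adding a scheme if absent."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip("."), parts.path

def is_legit(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def classify(url: str) -> str:
    """Return 'hotfix-archive', 'lookalike-domain' or 'ok' for one URL."""
    host, path = split_url(url)
    if HOTFIX_RE.search(path.rsplit("/", 1)[-1]):
        return "hotfix-archive"
    if BRAND_RE.search(host) and not is_legit(host):
        return "lookalike-domain"
    return "ok"

def scan_proxy_log(lines):
    """Yield (line_no, verdict, url) for constructed 'timestamp user url' lines."""
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        verdict = classify(parts[2])
        if verdict != "ok":
            yield n, verdict, parts[2]

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2024-07-19T10:01:00Z alice https://www.crowdstrike.com/blog/statement",
    "2024-07-19T10:02:00Z bob https://crowdstrike-bsod-fix.example/crowdstrike-hotfix.zip",
    "2024-07-19T10:03:00Z carol http://support-crowdstrike.example/pay",
    "2024-07-19T10:04:00Z dave https://updates.example/patch.zip",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```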

McAfee reported seeing various scams. “These scams range from phishing attacks related to flight rescheduling, to cybercrooks posing as banks to steal login information, and even retailers requesting alternate payment methods,” the security firm noted.

Government agencies have also issued alerts to warn users and organizations. The UK’s NCSC warned of an “increase in phishing referencing this outage” and the US’s CISA has also mentioned seeing phishing and other malicious activity.

“CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links,” CISA said.

The bad CrowdStrike update caused major outages across several industries, including aviation, financial, healthcare, and education. CNN reported on Sunday that more than 1,500 flights were canceled and thousands more were delayed for the third day in a row.

Microsoft said 8.5 million Windows devices across the world were impacted, but the tech giant noted that this represents less than one percent of computers running its operating system. Still, this will likely be remembered as one of the biggest IT failures in history. 

The CrowdStrike incident had little or no impact in countries such as China and Russia, which is not surprising considering that organizations there typically do not use American products.
