Cybercriminals Exploit CrowdStrike Outage Chaos
Cybercriminals are leveraging the ongoing mass global IT outage to launch phishing campaigns, according to reports.
CrowdStrike Intelligence warned that threat actors quickly used the IT outage, caused by a bug in a content update for the CrowdStrike Falcon security sensor, to pose as legitimate sources of help for impacted businesses.
Cybercriminals have been identified sending phishing emails purporting to be CrowdStrike support and impersonating CrowdStrike staff in phone calls.
In other campaigns, threat actors have posed as independent researchers, claiming to have evidence the technical issue is linked to a cyber-attack and offering remediation insights.
Attackers have also been observed selling remediation solutions, such as scripts purporting to automate recovery from the content update issue. In one example highlighted by CrowdStrike, threat actors have been distributing a malicious ZIP archive named crowdstrike-hotfix.zip, claiming it is a utility for automating recovery from the content update issue.
The ZIP archive contains a HijackLoader payload which, when executed, loads the RemCos malware.
CrowdStrike provided a list of identified domains that impersonate the brand. These either currently host malicious content that phishing links redirect victims to, or could be used to do so in the future.
Cybersecurity firm KnowBe4 similarly observed numerous new domains linked to CrowdStrike being registered in "record time." These included names like crowdstriketoken[.]com, crowdstrikedown[.]site and crowdstrikefix[.]com.
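The impersonation domains and the crowdstrike-hotfix.zip lure described above are the kind of indicators a security team would want to sweep proxy or DNS logs for. The script below is an added illustration written for this article, not CrowdStrike's or KnowBe4's tooling. It refangs the three domains named above, flags any hostname that carries the brand string but does not sit under the vendor's legitimate apex domain (assumed here to be crowdstrike.com), and flags any download whose file name matches the reported archive. The log lines and the log format (timestamp, client, host, path) are constructed for the example.

```python
import posixpath

BRAND = "crowdstrike"
# Assumption: the vendor's legitimate apex domain. Anything carrying the brand
# string but not under this apex is treated as a lookalike.
OFFICIAL_APEX = {"crowdstrike.com"}
# Defanged indicators as published in the reporting quoted above.
KNOWN_BAD_DEFANGED = ["crowdstriketoken[.]com", "crowdstrikedown[.]site", "crowdstrikefix[.]com"]
# Archive name used in the lure reported by CrowdStrike.
BAD_ARCHIVE_NAME = "crowdstrike-hotfix.zip"

# Constructed sample proxy log: "<timestamp> <client_ip> <host> <path>". Not real data.
SAMPLE_LOG = """\
2024-07-19T09:12:03Z 10.0.4.17 crowdstrike.com /
2024-07-19T09:14:51Z 10.0.4.17 falcon.crowdstrike.com /login
2024-07-19T09:20:08Z 10.0.7.42 crowdstrikefix.com /crowdstrike-hotfix.zip
2024-07-19T09:21:30Z 10.0.7.42 crowdstriketoken.com /verify
2024-07-19T09:30:11Z 10.0.9.3 cdn.example.net /crowdstrike-hotfix.zip
2024-07-19T09:41:45Z 10.0.2.8 crowdstrike-support-desk.net /ticket
2024-07-19T09:50:00Z 10.0.2.8 login.microsoft.com /
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


KNOWN_BAD = {refang(d) for d in KNOWN_BAD_DEFANGED}


def under_domain(host: str, apex: str) -> bool:
    """True if host is apex itself or a subdomain of it (label-aligned, not a substring match)."""
    return host == apex or host.endswith("." + apex)


def classify_host(host: str) -> list:
    """Return the reasons a hostname is suspicious, or an empty list if it looks fine."""
    host = host.lower().rstrip(".")
    reasons = []
    if any(under_domain(host, bad) for bad in KNOWN_BAD):
        reasons.append("known impersonation domain")
    elif BRAND in host and not any(under_domain(host, apex) for apex in OFFICIAL_APEX):
        # Catches typosquats and prefix/suffix abuse such as crowdstrike.com.evil.example
        reasons.append("brand lookalike outside official domain")
    return reasons


def classify_path(path: str) -> list:
    """Flag a request whose file name matches the archive used in the reported lure."""
    if posixpath.basename(path).lower() == BAD_ARCHIVE_NAME:
        return ["download of archive name used in reported lure"]
    return []


def triage(log_text: str) -> list:
    """Parse the constructed log format and return one record per suspicious line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, host, path = line.split()
        reasons = classify_host(host) + classify_path(path)
        if reasons:
            hits.append({"time": timestamp, "client": client, "host": host,
                         "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['host']}{hit['path']} -> {'; '.join(hit['reasons'])}")
```

Two design points matter here. Matching is label-aligned (`crowdstrike.com` and `falcon.crowdstrike.com` pass, `crowdstrike.com.evil.example` does not), so a substring check on the apex cannot be fooled by a subdomain trick. And the brand-string rule is deliberately broad: in an incident like this, a hit on a lookalike domain is cheap to review and expensive to miss, so the script errs toward flagging and leaves the final call to an analyst.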
The UK’s National Cyber Security Centre (NCSC) also reported an increase in phishing attacks referencing the outage in the immediate aftermath.
Impacted customers are advised to ensure they are communicating with CrowdStrike representatives only through official channels and to follow the technical guidance issued by CrowdStrike support teams.
Global IT Outage Continues, Remediation Solutions Available
The CrowdStrike issue has impacted Microsoft Windows operating systems, which are widely used across the world. As a result, the outage, which started on July 19, has affected organizations across all sectors and geographies, disrupting critical industries like banking, airlines, railways and healthcare.
CrowdStrike explained in a blog on July 20 that a Falcon sensor configuration update triggered a logic error, resulting in a system crash and blue screen on impacted systems.
Customers running Falcon sensor for Windows version 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC on July 19 were "susceptible" to the crash.
CrowdStrike added that it is conducting a thorough root cause analysis to determine how the logic flaw occurred. The issue is not the result of, or related to, a cyber-attack.
The faulty update has been remediated, and customers are advised to follow official guidance to recover affected systems.
Microsoft currently estimates that CrowdStrike’s update affected 8.5 million Windows devices, representing less than 1% of all Windows machines.
Microsoft noted that the incident demonstrates the interconnected nature of the technology ecosystem, emphasizing the need for organizations to operate with safe deployment and disaster recovery plans in place.
“While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” Microsoft stated.
Microsoft has also released an updated recovery tool in coordination with CrowdStrike. It offers two repair options to help IT admins expedite the repair process.
- Recover from WinPE – this option produces boot media that helps facilitate the device repair.
- Recover from safe mode – this option produces boot media so impacted devices can boot into safe mode. The user can then log in with an account that has local admin privileges and run the remediation steps.
The most suitable option depends on the types of systems used by each Windows customer.
Learning Lessons on Update Rollouts
Speaking to Infosecurity, Dave Stapleton, CISO at ProcessUnity, noted that the issue highlights why software updates should not be deployed on a Friday, a practice known as "Read-Only Friday."
"The idea is that it's ill advised to deploy fixes or updates to production on a Friday," explained Stapleton.
“This CrowdStrike scenario is an excellent example of why Read-Only Friday became popular. IT teams around the world will now be spending their weekends, and likely the next couple of weeks, tediously troubleshooting this problem, machine by machine,” he said.
He also noted that the incident may cause organizations to think more carefully before deploying an update, given the potential for serious disruption if a bad patch is installed.
It nonetheless remains important to deploy security updates as soon as possible, given threat actors' increasing exploitation of n-day vulnerabilities.