Breaking! Hackers Started Exploiting CrowdStrike Issue in Cyber Attacks - Beware!

Cybersecurity experts have uncovered a concerning development following the recent CrowdStrike Falcon sensor issue that affected Windows systems on July 19, 2024. Threat actors are now actively exploiting this incident to target CrowdStrike customers through various malicious activities.

The original issue stemmed from a content update for the CrowdStrike Falcon sensor on Windows hosts, which caused system crashes and blue screens on affected machines.

While CrowdStrike quickly identified, isolated, and deployed a fix for the problem, opportunistic hackers have seized upon the situation to launch new attacks.

CrowdStrike Intelligence has reported several tactics being employed by these malicious actors:

  1. Phishing campaigns: Cybercriminals are sending fraudulent emails posing as CrowdStrike support, attempting to trick customers into revealing sensitive information or granting unauthorized access.
  2. Social engineering: There have been instances of threat actors impersonating CrowdStrike staff during phone calls, likely aiming to manipulate victims into compromising their security.
  3. Disinformation: Some attackers are presenting themselves as independent researchers, falsely claiming to have evidence linking the technical issue to a cyberattack and offering dubious remediation advice.
  4. Malicious software distribution: Criminals are attempting to sell scripts that supposedly automate recovery from the content update issue, which may instead introduce malware or create new vulnerabilities.

On July 19, 2024, numerous domains impersonating CrowdStrike's brand were identified that could be used to support these malicious activities:

- crowdstrike.phpartners[.]org
- crowdstrike0day[.]com
- crowdstrikebluescreen[.]com
- crowdstrike-bsod[.]com
- crowdstrikeupdate[.]com
- crowdstrikebsod[.]com
- www.crowdstrike0day[.]com
- www.fix-crowdstrike-bsod[.]com
- crowdstrikeoutage[.]info
- www.microsoftcrowdstrike[.]com
- crowdstrikeodayl[.]com
- crowdstrike[.]buzz
- www.crowdstriketoken[.]com
- www.crowdstrikefix[.]com
- fix-crowdstrike-apocalypse[.]com
- microsoftcrowdstrike[.]com
- crowdstrikedoomsday[.]com
- crowdstrikedown[.]com
- whatiscrowdstrike[.]com
- crowdstrike-helpdesk[.]com
- crowdstrikefix[.]com
- fix-crowdstrike-bsod[.]com
- crowdstrikedown[.]site
- crowdstuck[.]org
- crowdfalcon-immed-update[.]com
- crowdstriketoken[.]com
- crowdstrikeclaim[.]com
- crowdstrikeblueteam[.]com
- crowdstrikefix[.]zip
- crowdstrikereport[.]com

While some of these domains may not currently host malicious content, they could be used in future social engineering operations.

Threat Actors Exploit Falcon Sensor Issues to Target LATAM CrowdStrike Customers

Threat actors have since exploited this event to distribute malicious files targeting Latin America-based (LATAM) CrowdStrike customers.

A malicious ZIP archive named crowdstrike-hotfix.zip was uploaded to an online malware-scanning service by a Mexico-based submitter.

This archive contains a HijackLoader payload that, when executed, loads RemCos. The Spanish filenames and instructions within the ZIP archive suggest a targeted campaign against LATAM customers.

Technical Breakdown:

  • The ZIP archive (SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2) contains instructions in Spanish, posing as a utility to fix the content update issue.
  • Users are prompted to run Setup.exe (SHA256: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9), which loads HijackLoader via DLL search-order hijacking.
  • HijackLoader is a modular loader designed to evade detection, and it uses a configuration file named maidenhair.cfg (SHA256: 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6) to execute the final RemCos payload.
  • The RemCos payload contacts a command-and-control (C2) server at 213.5.130[.]58[:]433.

Indicators of Compromise (IOCs)

- Hash: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2

Files Inside ZIP:

- sqlite3.dll: 02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5

- vclx120.bpl: 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed

- instrucciones.txt: 4f450abaa4daf72d974a830b16f91deed77ba62412804dca41a6d42a7d8b6fd0

- maddisAsm_.bpl: 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006

- Setup.exe: 5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9

- datastate.dll: 6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2

- madexcept_.bpl: 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299

- maidenhair.cfg (HijackLoader configuration): 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6

- rtl120.bpl: b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3

- vcl120.bpl: b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628

- battuta.flv: be074196291ccf74b3c4c8bd292f92da99ec37a25dc8af651bd0ba3f0d020349

- madBasic_.bpl (HijackLoader first-stage): d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea

Payloads:

- RemCos Payload: 48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184

- RemCos C2 Address: 213.5.130[.]58[:]443
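The impersonation domains listed earlier and the file hashes above are only useful once they are matched against your own telemetry. The following script is an added example, not code from the article or from CrowdStrike: it refangs a subset of the published indicators, checks DNS query logs for the listed domains (including subdomains of them), and hashes files under a directory against the published SHA256 values. The DNS log format (timestamp, client IP, query type, query name) and the sample log lines are constructed for this example; the indicator subset is taken from the page and should be extended with the remaining entries.

```python
"""Check local telemetry against the CrowdStrike-themed indicators listed above."""
import hashlib
import re
from pathlib import Path
from typing import Iterable, Optional

# Subset of the indicators published in the article, in the defanged form printed
# there. Extend these with the remaining domains and hashes from the page.
DEFANGED_DOMAINS = [
    "crowdstrike-bsod[.]com",
    "crowdstrikefix[.]com",
    "fix-crowdstrike-bsod[.]com",
    "www.fix-crowdstrike-bsod[.]com",
    "crowdstrike-helpdesk[.]com",
    "crowdfalcon-immed-update[.]com",
]
KNOWN_HASHES = {
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": "crowdstrike-hotfix.zip",
    "5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9": "Setup.exe",
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6": "maidenhair.cfg",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184": "RemCos payload",
}
C2_ADDRESS = "213.5.130[.]58[:]443"


def refang(ioc: str) -> str:
    """Turn a published defanged indicator back into the form tooling needs."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def defang(ioc: str) -> str:
    """Defang every dot and colon so the value is safe to paste into reports."""
    return ioc.replace(".", "[.]").replace(":", "[:]")


MALICIOUS_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def matches_domain(hostname: str, blocklist=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the listed domain that hostname equals or sits under, else None."""
    # Walk the label suffixes: cdn.crowdstrikefix.com is caught by the listed
    # crowdstrikefix.com entry, while crowdstrike.com itself is not.
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed log format for this example: "<timestamp> <client-ip> <qtype> <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines: Iterable[str], blocklist=MALICIOUS_DOMAINS) -> list:
    """Return one hit per query whose name matches a blocklisted domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        matched = matches_domain(m["qname"], blocklist)
        if matched:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"].lower().rstrip("."),
                         "indicator": defang(matched)})
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path, known=KNOWN_HASHES) -> list:
    """Recursively hash files under root and report any that match a known hash."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in known:
                hits.append({"path": str(p), "sha256": digest, "label": known[digest]})
    return hits


# Constructed sample: two queries hit listed domains, two are legitimate, one is malformed.
SAMPLE_DNS_LOG = """\
2024-07-19T14:02:11Z 10.0.0.5 A fix-crowdstrike-bsod.com
2024-07-19T14:02:12Z 10.0.0.5 A www.crowdstrike.com
2024-07-19T14:05:40Z 10.0.0.9 A cdn.crowdstrikefix.com.
2024-07-19T14:06:01Z 10.0.0.9 AAAA falcon.crowdstrike.com
this line is not a DNS record
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} -> {hit['indicator']}")
    for hit in scan_files(Path(".")):
        print(f"{hit['path']} matches {hit['label']}")
    print("egress block candidate:", refang(C2_ADDRESS))
```

Suffix matching is deliberate: the published list contains both `crowdstrikefix[.]com` and `www.crowdstrikefix[.]com`, and an actor can add any other hostname under a domain they control, so a query for any label under a listed domain should count as a hit. Hash matching, by contrast, only catches the exact files published; a repacked archive would need behavioural detection rather than this list.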

In response to these emerging threats, CrowdStrike Intelligence strongly advises organizations to:

  1. Verify communication channels: Ensure all interactions with CrowdStrike representatives occur through official, verified channels.
  2. Follow official guidance: Adhere strictly to the technical guidance provided by CrowdStrike support teams.
  3. Remain vigilant: Be cautious of unsolicited communications related to the recent incident, especially those requesting sensitive information or promoting quick-fix solutions.
  4. Educate employees: Inform staff about these new threats and reinforce best practices for identifying and reporting suspicious activities.

It's important to note that the original CrowdStrike issue was not a security incident or cyberattack but a technical defect in a content update for Windows hosts. Mac and Linux systems were not affected by this problem.

As the situation evolves, organizations are advised to stay informed through official CrowdStrike channels and implement robust security measures to protect against these opportunistic attacks.

Joshua Wathen

MAN IN THE ARENA...Expert Team Builder | Veteran | Green Beret | Leadership Professional | Serial Entrepreneur | Cyber Security | Shooting Instructor | I got a guy for that...CONNECT & MESSAGE Me!

3mo

Jason Rorie, CMMC-CCP/CCA, CISSP-ISSMP & Yvette Burton, Ph.D. CMMC CCP What do y'all think about this vulnerability? Is this a common theme in the market today?

Cybercriminals are exploiting the recent CrowdStrike Falcon issue! Stay vigilant against phishing and social engineering attempts. Always verify communication from CrowdStrike.

Leon Rumbak

System engineer at STORM Computers d.o.o.

1y

Is it really breaking news? Nobody saw it coming? Just asking...

Michael Otieno

IT Support at Mamela Consulting

1y

Just my thought: imagine CrowdStrike was NOT AN AMERICAN company... and work backwards...
