In the wake of the widespread IT outage caused by a bug in CrowdStrike’s Falcon software, cybercriminals have launched opportunistic phishing campaigns targeting affected businesses. CrowdStrike Intelligence has warned about these malicious activities, which pose significant risks to organizations grappling with technical issues.
Phishing Tactics Employed by Threat Actors
Cybercriminals are using various deceptive methods to exploit the situation:
- Impersonating CrowdStrike support staff through emails and phone calls
- Posing as independent researchers claiming evidence of a cyber-attack
- Offering fraudulent remediation solutions and malicious scripts
One notable example involves the distribution of a malicious ZIP archive named “crowdstrike-hotfix.zip,” purporting to be a recovery utility. This file contains a HijackLoader payload that, when executed, installs RemCos malware.
Surge in Malicious Domains
Both CrowdStrike and cybersecurity firm KnowBe4 have observed a rapid increase in newly registered domains impersonating the CrowdStrike brand. These domains, such as crowdstriketoken[.]com and crowdstrikefix[.]com, are being used or prepared for use in phishing campaigns.
The UK’s National Cyber Security Centre (NCSC) has also reported an uptick in phishing attacks referencing the outage.
Understanding the CrowdStrike Outage
Cause and Impact
The global IT outage began on July 19, 2024, affecting Microsoft Windows Operating Systems worldwide. CrowdStrike explained that a Falcon sensor configuration triggered a logic error, resulting in system crashes and blue screens on impacted devices.
Customers running Falcon sensor for Windows version 7.11 and above, who downloaded the updated configuration between 04:09 UTC and 05:27 UTC on July 19, were susceptible to the crash.
Scope of the Issue
Microsoft estimates that approximately 8.5 million Windows devices were affected, representing less than 1% of all Windows machines. Despite this relatively small percentage, the outage has caused significant disruptions across various sectors, including banking, airlines, railways, and healthcare.
Remediation and Recovery Efforts
CrowdStrike has since remediated the bug and conducted a thorough root-cause analysis. The company emphasizes that the issue is not related to a cyber-attack.
Microsoft, in coordination with CrowdStrike, has released an updated recovery tool offering two repair options:
- Recover from WinPE: Produces boot media to facilitate device repair
- Recover from safe mode: Enables booting into safe mode for remediation
Affected organizations are advised to follow official guidance from CrowdStrike support teams and ensure communication through authorized channels only.
Lessons Learned and Future Implications
The Importance of “Read-Only Friday”
Dave Stapleton, CISO at ProcessUnity, highlighted the incident as an example of why software updates should not be deployed on Fridays, a concept known as “Read-Only Friday.” This practice avoids situations where IT teams must spend weekends troubleshooting unexpected issues.
Balancing Security and Caution
The CrowdStrike outage may prompt organizations to exercise more caution when deploying updates, given the potential for serious disruptions. However, it remains crucial to implement security updates promptly to protect against increasing exploitation of n-day vulnerabilities by threat actors.