Scam Alert! Cybercriminals Exploit CrowdStrike Outage with Fix Updates Containing Malware

In the wake of last week's CrowdStrike outage, cybercriminals have seized the opportunity to launch a wave of social engineering attacks aimed at the security vendor's customers. This event, which disrupted air travel, closed stores, and affected medical facilities, has been followed by a surge in phishing activities reported by national cybersecurity agencies in the US, UK, Canada, and Australia.

According to Luigi Lenguito, CEO of BforeAI, these post-CrowdStrike attacks are notably more prolific and targeted compared to typical attacks that follow major news events. "In the attack last week on Trump, we saw a spike on the first day of 200 related cyber threats, which then flattened to 40-50 a day," Lenguito noted. "Here, you're looking at a spike that is three times as big. We're seeing about 150 to 300 attacks per day, which is not the normal volume for news-related attacks."

Profile of a CrowdStrike-Themed Scam

The strategy behind these scams is straightforward: with users at many large corporations unable to connect to CrowdStrike's services, cybercriminals are exploiting the resulting disruption. The targeted nature of these attacks distinguishes them from other themed scams, such as those tied to political events; here the victims are often more technically adept and knowledgeable about cybersecurity.

Attackers have been impersonating CrowdStrike, related technical support, or even competing companies offering their own "fixes." Phishing and typosquatting domains such as crowdstrikefix[.]com, crowdstrikeupdate[.]com, and www.microsoftcrowdstrike[.]com have emerged, with over 2,000 such domains identified.

These domains are being used to distribute malware, including a ZIP file posing as a hotfix that contains HijackLoader (also known as IDAT Loader), which subsequently loads the RemCos RAT. This file was first reported from Mexico and included Spanish-language filenames, suggesting a focus on CrowdStrike customers in Latin America.

In another instance, attackers sent a phishing email with a poorly designed PDF attachment. The PDF contained a link to download a ZIP file with an executable. When launched, the executable asked for permission to install an update, which turned out to be a wiper. The pro-Hamas hacktivist group "Handala" claimed responsibility, stating that "dozens" of Israeli organizations had lost several terabytes of data as a result.

Protecting Against These Threats

Organizations can protect themselves by implementing blocklists, using protective DNS tools, and ensuring they only seek support from CrowdStrike's official website and customer service channels. Lenguito suggests that the surge in attacks is still in its early stages but is likely to taper off over the coming weeks. "Generally, these campaigns last two to three weeks," he observed.
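The blocklist and protective-DNS advice above, together with the lookalike domains named earlier (crowdstrikefix[.]com, crowdstrikeupdate[.]com, www.microsoftcrowdstrike[.]com), can be turned into a small triage step: screen newly observed domains for brand impersonation and emit entries in DNS Response Policy Zone (RPZ) form for a protective resolver. The code below is an added example written for this article, not code from BforeAI, CrowdStrike or any agency cited here; the allowlist, lure-word list, and the candidate domain list (which mixes the article's defanged domains with constructed ones such as crowdstr1ke.com and example.org) are assumptions chosen to illustrate the check.

```python
"""Screen candidate domains for brand impersonation and build a protective-DNS blocklist.

Added example (not from the article or the vendors it names). Assumptions:
- ALLOWLIST holds domains the organization has verified out of band as official.
- Candidates come from newly-registered-domain feeds or DNS logs; the sample
  list at the bottom is constructed for this demonstration.
"""

BRANDS = ("crowdstrike",)
# Assumption: the one official domain the organization has verified out of band.
ALLOWLIST = {"crowdstrike.com"}
# Words typically appended to a brand to fake a support or "fix" site.
LURE_WORDS = ("fix", "update", "hotfix", "support", "patch", "recovery", "help", "bsod")


def refang(domain: str) -> str:
    """Turn defanged indicators such as crowdstrikefix[.]com back into hostnames."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels). Adequate for .com-style TLDs only."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss typosquats like crowdstr1ke."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'ignore'."""
    base = registrable(refang(domain))
    if base in ALLOWLIST:
        return ("allow", "verified official domain")
    name = base.split(".")[0]
    for brand in BRANDS:
        if brand in name:
            # Combosquat: brand plus extra words, e.g. crowdstrikefix or microsoftcrowdstrike.
            remainder = name.replace(brand, "")
            lures = [w for w in LURE_WORDS if w in remainder]
            if lures:
                return ("block", f"brand '{brand}' combined with lure word '{lures[0]}'")
            return ("block", f"contains brand '{brand}'")
        distance = levenshtein(name, brand)
        if distance <= 2:
            # Typosquat: a few character swaps away from the brand itself.
            return ("block", f"typosquat of '{brand}' (edit distance {distance})")
    return ("ignore", "no brand match")


def build_blocklist(candidates) -> list:
    """Sorted, de-duplicated registrable domains whose verdict is 'block'."""
    blocked = {registrable(refang(d)) for d in candidates if classify(d)[0] == "block"}
    return sorted(blocked)


def to_rpz(blocklist) -> list:
    """RPZ records that return NXDOMAIN for each domain and its subdomains."""
    lines = []
    for d in blocklist:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


# Constructed sample: the article's defanged domains plus made-up legitimate and
# typosquat entries so every verdict path is exercised.
SAMPLE_CANDIDATES = [
    "crowdstrikefix[.]com",
    "crowdstrikeupdate[.]com",
    "www.microsoftcrowdstrike[.]com",
    "crowdstrike.com",
    "crowdstr1ke.com",
    "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE_CANDIDATES:
        verdict, reason = classify(d)
        print(f"{refang(d):35} {verdict:7} {reason}")
    print("\n".join(to_rpz(build_blocklist(SAMPLE_CANDIDATES))))
```

The substring and edit-distance checks catch the combosquat and typosquat patterns the article describes; they do not cover homoglyph or internationalized-domain lookalikes, so a verdict of "ignore" should be read as "not matched by this rule", not as safe. The RPZ lines are in the standard `CNAME .` (NXDOMAIN) form accepted by resolvers that load response policy zones.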

By staying vigilant and relying on verified sources for technical support, organizations can mitigate the risks posed by these sophisticated and targeted phishing attacks.