On Thursday, cybersecurity company CrowdStrike released a faulty update to its Falcon Sensor agent for Windows, causing major disruptions to the day-to-day operations of various organizations, including banks, airlines, and media companies. The faulty update caused nearly 8.5 million Windows PCs to crash repeatedly with Blue Screen of Death (BSOD) errors showing stop code 0x50 or 0x7E.
Since then, CrowdStrike and Microsoft have provided guidance to affected customers to recover their PCs. You can check out CrowdStrike's official guide here and Microsoft's official guide here.
While the world scrambles to fix the CrowdStrike-affected PCs, cybercriminals are taking advantage of this critical situation. CrowdStrike has observed cybercriminals distributing a malicious ZIP archive named crowdstrike-hotfix.zip (SHA256 hash: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2).
The crowdstrike-hotfix.zip archive is malware and contains a HijackLoader payload that loads RemCos. CrowdStrike believes that the Spanish filenames and instructions within the ZIP archive indicate this campaign likely targets Latin America-based (LATAM) CrowdStrike customers.
In addition to the malware campaign, cybercriminals are also targeting CrowdStrike customers with phishing campaigns. They are sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike employees in phone calls, posing as independent researchers to offer remediation insights, and even selling scripts to automate recovery from the CrowdStrike update issue.
The following malicious domains were recently created for phishing campaigns (shown defanged, with "[.]" in place of "."):

crowdstrike.phpartners[.]org
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com
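The indicators above are only useful if they are actually checked against telemetry. The following script is an added example, not code from CrowdStrike or from the original post: it refangs the published domains, sweeps constructed DNS/proxy log lines for hosts that equal or sit under one of those domains (so a lookalike subdomain still hits while the legitimate crowdstrike.com does not), and compares a file's SHA256 against the published crowdstrike-hotfix.zip hash. The log format and the sample lines are constructed assumptions; adapt the hostname extraction to your own log source.

```python
import hashlib
import re

# Defanged indicators as listed in the post above (domains and the ZIP hash).
PHISHING_DOMAINS_DEFANGED = [
    "crowdstrike.phpartners[.]org", "crowdstrike0day[.]com", "crowdstrikebluescreen[.]com",
    "crowdstrike-bsod[.]com", "crowdstrikeupdate[.]com", "crowdstrikebsod[.]com",
    "www.crowdstrike0day[.]com", "www.fix-crowdstrike-bsod[.]com", "crowdstrikeoutage[.]info",
    "www.microsoftcrowdstrike[.]com", "crowdstrikeodayl[.]com", "crowdstrike[.]buzz",
    "www.crowdstriketoken[.]com", "www.crowdstrikefix[.]com", "fix-crowdstrike-apocalypse[.]com",
    "microsoftcrowdstrike[.]com", "crowdstrikedoomsday[.]com", "crowdstrikedown[.]com",
    "whatiscrowdstrike[.]com", "crowdstrike-helpdesk[.]com", "crowdstrikefix[.]com",
    "fix-crowdstrike-bsod[.]com", "crowdstrikedown[.]site", "crowdstuck[.]org",
    "crowdfalcon-immed-update[.]com", "crowdstriketoken[.]com", "crowdstrikeclaim[.]com",
    "crowdstrikeblueteam[.]com", "crowdstrikefix[.]zip", "crowdstrikereport[.]com",
]
HOTFIX_ZIP_SHA256 = "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2"


def refang(indicator):
    """Turn a defanged 'example[.]com' back into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


BAD_DOMAINS = {refang(d) for d in PHISHING_DOMAINS_DEFANGED}

# Hostname-looking tokens: at least one dot and an alphabetic final label
# (so IPv4 addresses and timestamps in the log line are skipped).
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")


def match_indicator(host, bad_domains=BAD_DOMAINS):
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Walks parent suffixes so 'support.crowdstrike-helpdesk.com' still hits
    'crowdstrike-helpdesk.com', while 'falcon.crowdstrike.com' does not,
    because the legitimate crowdstrike.com is not an indicator.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def scan_log_lines(lines, bad_domains=BAD_DOMAINS):
    """Return (1-based line number, hostname seen, indicator hit) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line.lower()):
            indicator = match_indicator(host, bad_domains)
            if indicator:
                hits.append((n, host, indicator))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_known_hotfix_zip(data):
    """True if the bytes hash to the published crowdstrike-hotfix.zip SHA256."""
    return sha256_hex(data) == HOTFIX_ZIP_SHA256


# Constructed sample DNS/proxy log lines (assumed format, not real telemetry).
SAMPLE_LOG_LINES = [
    "2024-07-19T14:02:11Z 10.20.30.41 dns query www.microsoft.com",
    "2024-07-19T14:05:47Z 10.20.30.41 dns query crowdstrikefix.com",
    "2024-07-19T14:06:02Z 10.20.30.58 proxy GET http://www.fix-crowdstrike-bsod.com/hotfix.zip",
    "2024-07-19T14:09:30Z 10.20.30.77 dns query support.crowdstrike-helpdesk.com",
    "2024-07-19T14:11:15Z 10.20.30.41 dns query falcon.crowdstrike.com",
]

if __name__ == "__main__":
    for n, host, ioc in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {host} -> matches indicator {ioc}")
    # Any file pulled from an untrusted "hotfix" link can be hashed the same way.
    print("sample bytes match hotfix zip hash:", is_known_hotfix_zip(b"not the archive"))
```

Feed `scan_log_lines` the hostname column of your resolver or proxy logs rather than raw lines where you can; the regex sweep is a convenience for unstructured text. The suffix walk is deliberate: exact-match lists miss attacker-chosen subdomains, while matching on the registered domain alone would flag legitimate crowdstrike.com traffic.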
CrowdStrike advises its customers to connect with CrowdStrike representatives only through official channels and to stick to the technical guidance provided by CrowdStrike and Microsoft. Microsoft has also recently updated its guide to offer an automated recovery method based on bootable recovery drives, which you can read about here.
While CrowdStrike and Microsoft have worked to mitigate the immediate damage, the ongoing phishing and malware campaigns underscore the persistence of cybercriminals seeking to capitalize on chaos.
- npo33770