Jump to content
  • Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

    aum

    • 222 views
    • 3 minutes
     Share


    • 222 views
    • 3 minutes

    Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix.

     

    The attack chains involve distributing a ZIP archive file named "crowdstrike-hotfix.zip," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload.

     

    Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urges targets to run an executable file ("setup.exe") to recover from the issue.

     

    "Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said, attributing the campaign to a suspected e-crime group.

     

    On Friday, CrowdStrike acknowledged that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC inadvertently triggered a logic error that resulted in a Blue Screen of Death (BSoD), rendering numerous systems inoperable and sending businesses into a tailspin.

     

    The event impacted customers running Falcon sensor for Windows version 7.11 and above, who were online between 04:09 and 05:27 a.m. UTC.

     

    Malicious actors have wasted no time capitalizing on the chaos created by the event to set up typosquatting domains impersonating CrowdStrike and advertise services to companies affected by the issue in return for a cryptocurrency payment.

     

    Customers who are impacted are recommended to "ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided."

     

    Microsoft, which has been engaging with CrowdStrike in remediation efforts, said the digital meltdown crippled 8.5 million Windows devices globally, or less than one percent of all Windows machines.

     

    The development – which has once again brought to fore the risks associated with relying on monocultural supply chains – marks the first time the true impact and scale of what's likely to be the most disruptive cyber event in history has been officially made public. Mac and Linux devices were not affected by the outage.

     

    "This incident demonstrates the interconnected nature of our broad ecosystem — global cloud providers, software platforms, security vendors and other software vendors, and customers," the tech giant said. "It’s also a reminder of how important it is for all of us across the tech ecosystem to prioritize operating with safe deployment and disaster recovery using the mechanisms that exist."


    Update

     

    Microsoft has made available a new recovery tool to help IT admins repair Windows machines that were impacted by CrowdStrike's faulty update that crashed 8.5 million Windows devices.

     

    CrowdStrike has also published a new Remediation and Guidance Hub that serves as a one-stop shop for all details pertaining to the incident, listing ways to identify impacted hosts and resolve them, including those that have been encrypted with BitLocker.

     

    The move comes as reports have since emerged of CrowdStrike updates that caused all Debian Linux servers in an unnamed civic tech lab to crash simultaneously and refuse to boot as well as trigger kernel panics in Red Hat and Rocky Linux distributions.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...