Update as of 22 July 2024, 1137hrs
The Situation
CrowdStrike, a prominent cybersecurity company, released a defective content update to the Falcon sensor product on 19 July 2024, causing widespread disruptions to 8.5 million Windows devices. The glitch led to systems crashing as well as displaying a blue screen error and becoming stuck in rebooting loops.
The global IT outage had significant economic and societal impacts, highlighting the reliance of enterprises running critical services on CrowdStrike. In the aftermath of the CrowdStrike incident, opportunistic cybercriminals and threat actors wasted no time in attempting to take advantage of the situation.
There has already been a sharp rise in CrowdStrike-themed domain registrations – threat actors are registering new websites made to look official and potentially trick IT personnel or members of the public into downloading malicious software or handing over sensitive private details. Unofficial code is being released claiming to help organisations recover from the widespread outages.
Phishing Campaign Targeting CrowdStrike Users
• Sending phishing emails posing as CrowdStrike support to customers
• Impersonating CrowdStrike staff in phone calls
• Posing as independent researchers, claiming to have evidence that the technical issue is linked to a cyberattack and offering remediation insights
• Selling scripts purporting to automate recovery from the content update issue
Our Recommendations
CrowdStrike has released remediation guidance available for customers via their CrowdStrike Customer Support Portal.
Exercise hyper vigilance, and only act on information from the official CrowdStrike channels.
How Ensign can help
Ensign will continue to provide updates on the incident and inform you of additional recommendations. Talk to us about taking pre-emptive measures and building up cyber resilience to protect your assets. Contact us at marketing@ensigninfosecurity.com for more information.
Indicators of Compromise
Here are some of the suspicious domains:
• crowdstrike-helpdesk[.]com
• crowdstrikebluescreen[.]com
• crowdstrike-bsod[.]com
• crowdstrikedown[.]site
• crowdstrike0day[.]com
• crowdstrikedoomsday[.]com
• crowdstrikefix[.]com
• crashstrike[.]com
• crowdstriketoken[.]com
• fix-crowdstrike-bsod[.]com
• bsodsm8rLIxamzgjedu[.]com
• crowdstrikebsodfix[.]blob[.]core[.]windows[.]net
• crowdstrikecommuication[.]app
• fix-crowdstrike-apocalypse[.]com
• crowdstrikeoutage[.]info
• clownstrike[.]co[.]uk
• whatiscrowdstrike[.]com
• clownstrike[.]co
• microsoftcrowdstrike[.]com
• crowdfalcon-immed-update[.]com
• crowdstuck[.]org
• failstrike[.]com
• winsstrike[.]com
• crowdpass[.]
• supportfalconcrowdstrikel[.]com
• crowdstrikeclaim[.]com
• crowdstrikebug[.]com
• crowdstrikeupdate[.]com
• crowdstrikefail[.]com
• crowdstrikeoopsie[.]com
• crowdstrike[.]fail
• crowdstrike[.]woccpa[.]com
• crowdstrikereport[.]com
• crowdstrike-cloudtrail-storage-bb-126d5e[.]s3[.]us-west-1[.]amazonaws[.]com
• hoo[.]be/crowdstrike
• crowdstrike[.]orora[.]group
• sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate[.]com
• crowdstrike[.]okta[.]com/app/coupa/exkqmsghe0qkvea070x7/sso/saml
• crowdstrike-falcon[.]online
• crowdstrikerecovery1[.]blob[.]core[.]windows[.]net
• crowdstrikeoutage[.]com
• sedo[.]com/search/details/?partnerid=324561&language=es&domain=crowdstrike[.]es&ori…
• isitcrowdstrike[.]com
• crowdstrike[.]black
• crowdstrikefix[.]zip
• crowdstrikeold[.]com
• crowdstrikeout[.]com
• crowdstrike-out[.]com
• crowdstrikeoops[.]com
• crowdstrikefixer[.]com
• crowdstrikesucks[.]com
• crowdstrikeclaims[.]com
• crowdstrikeglitch[.]com
• crowdstrikelawsuit[.]com
• crowdstrikesuporte[.]com
• crowdstrikezeroday[.]com
• crowdstrikerecovery[.]com
• crowdstrike-bluescreen[.]com
• crowdstrikeclassaction[.]com
• crowdstrikewindowsoutage[.]com
• crowdstrikedown[.]com
• crowdstrike.phpartners[.]org
• crowdstrikebsod[.]com
• www.crowdstrike0day[.]com
• www.fix-crowdstrike-bsod[.]com
• www.microsoftcrowdstrike[.]com
• crowdstrikeodayl[.]com
• crowdstrike[.]buzz
• www.crowdstriketoken[.]com
• www.crowdstrikefix[.]com
• crowdstrikeblueteam[.]com
References:
• https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-091
• https://socradar.io/suspicious-domains-exploiting-the-recent-crowdstrike-outage/