Threat Actors Exploit Recent CrowdStrike Outage to Ramp Up Suspicious Domain Creation

On July 19th, 2024, CrowdStrike, a leading cybersecurity provider of advanced endpoint detection and protection solutions, released a sensor configuration update to Windows systems. This update contained a logic error that resulted in system crashes and Blue Screen of Death (BSOD) incidents. The faulty software update caused widespread disruptions on Friday, affecting critical services in banks, airlines, hospitals, stock markets, and IT industries globally. On July 20th, 2024, CrowdStrike released technical details explaining that a logic error in a channel file caused the BSOD. The faulty channel file was designed to detect newly observed malicious named pipes used by standard C2 (Command and Control) frameworks in cyberattacks. CrowdStrike also stated that it is conducting a thorough root cause analysis to understand how this logic error occurred.

While the entire world is grappling with the outage and working to resolve the issues, Threat Actors (TAs) are exploiting the situation to their advantage. Within 24 hours of the incident, TAs registered several malicious domains to target individuals and organizations closely following the incident. The cybersecurity community quickly identified these malicious domains and shared the information via platforms such as X (formerly Twitter) and LinkedIn.

SANS shared a post on X about a domain named “crowdstrikeclaim.com,” offering a form for impacted organizations to request a free claim review. The form asks for detailed information, including phone number, first name, last name, and email address. Submitting this personal and organizational data could result in identity theft or unauthorized access to accounts.

Well-known security researcher John Hammond shared a post on X about a domain called “crowdstrikebluescreen.com,” which offers services to affected organizations. Verifying such services is crucial, as engaging with misleading or fraudulent offers could lead to additional operational problems and divert resources and attention away from addressing the original incident.

Bernardo Quintero, founder of VirusTotal, shared a post on X about TAs exploiting the CrowdStrike incident by distributing malware disguised as a hotfix. The file name suggests that the TAs have registered .zip domains to distribute the malware.

Conclusion:

The emergence of malicious domains and fraudulent services illustrates the need for heightened caution and verification when dealing with offers and requests related to security incidents. These threats pose risks of identity theft and unauthorized access and can divert valuable resources and attention from resolving the core problem. Furthermore, the distribution of malware disguised as a hotfix demonstrates the adaptability and persistence of TAs in exploiting current events for their gain. In navigating these challenges, it is essential for organizations to remain alert, verify the legitimacy of any claims or services, and maintain robust security practices to safeguard against such threats.

Our Recommendations:

  • Avoid submitting personal or organizational information on sites offering “free claim reviews” or other services related to the incident. These may be scams designed to steal sensitive information.
  • Before engaging with any service or offer related to the incident, verify the provider’s legitimacy.
  • Only follow remediation steps and instructions from CrowdStrike’s official support channels.
  • Use updated antivirus and anti-malware tools to scan for and block malicious files or domains. Stay informed about the latest threats and security measures to protect your systems.
  • Educate employees and stakeholders about recognizing and avoiding scams and phishing attempts.

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Description |
| --- | --- | --- |
| crowdstrikeupdate.com | Domain | Malicious domain |
| crowdstrikefix.zip | Domain | Malicious domain |
| crowdstrikereport.com | Domain | Malicious domain |
| crowdstrike-helpdesk.com | Domain | Malicious domain |
| microsoftcrowdstrike.com | Domain | Malicious domain |
| crowdstrikeoutage.info | Domain | Malicious domain |
| crowdstrikebsod.com | Domain | Malicious domain |
| crowdfalcon-immed-update.com | Domain | Malicious domain |
| whatiscrowdstrike.com | Domain | Malicious domain |
| fix-crowdstrike-bsod.com | Domain | Malicious domain |
| fix-crowdstrike-apocalypse.com | Domain | Malicious domain |
| crowdstuck.org | Domain | Malicious domain |
| crowdstriketoken.com | Domain | Malicious domain |
| crowdstrikefix.com | Domain | Malicious domain |
| crowdstrikedoomsday.com | Domain | Malicious domain |
| crowdstrikebluescreen.com | Domain | Malicious domain |
| crowdstrike0day.com | Domain | Malicious domain |
| crowdstrike-bsod.com | Domain | Malicious domain |
| crowdstrike-hotfix.zip | Domain | Malicious domain |
| crowdstrikeclaim.com | Domain | Malicious domain |
| 1e84736efce206dc973acbc16540d3e5 | MD5 | crowdstrike-hotfix.zip (Remcos RAT) |
| fef212ec979f2fe2f48641160aadeb86b83f7b35 | SHA1 | crowdstrike-hotfix.zip (Remcos RAT) |
| c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2 | SHA256 | crowdstrike-hotfix.zip (Remcos RAT) |
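The recommendation to scan for and block the listed domains and files is easiest to act on with a small matcher over your own telemetry. The script below is an added example and is not part of this report or of any Cyble tooling: it loads the domains and hashes from the IOC table above, runs them against DNS query log lines (the log format, the client addresses and the non-IOC hostnames are constructed for the demo), and additionally flags any other hostname built around the "crowdstrike" brand terms for analyst review. The allowlist of crowdstrike.com as the vendor's legitimate apex domain and the "last two labels" shortcut for the registrable domain are assumptions; a production version would use a public-suffix list and the organization's own approved hosts.

```python
# Added example: match DNS query logs and file hashes against the IOCs
# in the report's table, and flag brand-themed lookalike hostnames.
import re
from typing import Dict, List, Optional

# Domains copied verbatim from the IOC table above.
IOC_DOMAINS = frozenset({
    "crowdstrikeupdate.com", "crowdstrikefix.zip", "crowdstrikereport.com",
    "crowdstrike-helpdesk.com", "microsoftcrowdstrike.com", "crowdstrikeoutage.info",
    "crowdstrikebsod.com", "crowdfalcon-immed-update.com", "whatiscrowdstrike.com",
    "fix-crowdstrike-bsod.com", "fix-crowdstrike-apocalypse.com", "crowdstuck.org",
    "crowdstriketoken.com", "crowdstrikefix.com", "crowdstrikedoomsday.com",
    "crowdstrikebluescreen.com", "crowdstrike0day.com", "crowdstrike-bsod.com",
    "crowdstrike-hotfix.zip", "crowdstrikeclaim.com",
})

# Hashes from the IOC table for the fake hotfix archive, keyed by algorithm.
REMCOS_SAMPLE = "crowdstrike-hotfix.zip (Remcos RAT)"
IOC_HASHES: Dict[str, Dict[str, str]] = {
    "md5": {"1e84736efce206dc973acbc16540d3e5": REMCOS_SAMPLE},
    "sha1": {"fef212ec979f2fe2f48641160aadeb86b83f7b35": REMCOS_SAMPLE},
    "sha256": {"c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2": REMCOS_SAMPLE},
}

# Assumption: the vendor's legitimate apex domain. Extend with your own approved hosts.
ALLOWLIST = frozenset({"crowdstrike.com"})

# Brand terms the IOC domains play on; other hostnames containing them deserve review.
BRAND_TERMS = ("crowdstrike", "crowdstuck", "crowdfalcon")

# Constructed log format for the demo: "<timestamp> client=<ip> query=<host> type=<rrtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+type=(?P<rrtype>\S+)$"
)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str) -> str:
    """Return 'ioc', 'allowlisted', 'lookalike' or 'clean' for a queried hostname."""
    apex = registrable_domain(host)
    if apex in IOC_DOMAINS:
        return "ioc"
    if apex in ALLOWLIST:
        return "allowlisted"
    # A brand term anywhere in the name (e.g. "crowdstrike.com.attacker.example")
    # that is not under the allowlisted apex is treated as a lookalike.
    if any(term in host.lower() for term in BRAND_TERMS):
        return "lookalike"
    return "clean"


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose query is an IOC or a lookalike."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line; a real pipeline would count these
        verdict = classify_domain(match["query"])
        if verdict in ("ioc", "lookalike"):
            findings.append({"ts": match["ts"], "client": match["client"],
                             "query": match["query"], "verdict": verdict})
    return findings


def check_file_hash(digest: str) -> Optional[str]:
    """Look up a hex digest (any case) in the IOC hashes; the length picks the algorithm."""
    digest = digest.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))
    if algo is None:
        return None
    return IOC_HASHES[algo].get(digest)


# Constructed sample log lines; only the first query is a real IOC from the table.
SAMPLE_DNS_LOG = [
    "2024-07-20T10:15:02Z client=10.0.0.5 query=crowdstrikefix.zip type=A",
    "2024-07-20T10:15:03Z client=10.0.0.7 query=updates.crowdstrike.com type=A",
    "2024-07-20T10:15:04Z client=10.0.0.9 query=crowdstrikesupport.example type=A",
    "2024-07-20T10:15:05Z client=10.0.0.9 query=crowdstrike.com.attacker.example type=A",
    "2024-07-20T10:15:06Z client=10.0.0.5 query=www.example.org type=AAAA",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{finding['verdict']:9s} {finding['client']:10s} {finding['query']}")
    print(check_file_hash("1E84736EFCE206DC973ACBC16540D3E5"))
```

Exact IOC hits are blocking candidates; lookalike hits are review candidates, since the heuristic will also catch legitimate third-party hostnames that mention the vendor, which is why the two verdicts are kept separate.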
