Trending

ee-track">
Link copied!

Threat Actors Exploit Recent CrowdStrike Outage to Ramp Up Suspicious Domain Creation

Cyble analyzes the suspicious domains created by threat actors who took advantage of CrowdStrike outage.

July 20, 2024 · 3 min read
Threat Actors Exploit Recent CrowdStrike Outage to Ramp Up Suspicious Domain Creation

On July 19th, 2024, CrowdStrike, a leading cybersecurity provider of advanced end-point security detection and protection solutions, released a sensor configuration update to Windows systems. This update contained a logic error that resulted in system crashes and Blue Screen of Death (BSOD) incidents. The faulty software update caused widespread disruptions on Friday, affecting critical services in banks, airlines, hospitals, stock markets, and IT industries globally. On July 20th,2024, CrowdStrike released technical details explaining that a logic error in a channel file caused the BSOD. This buggy channel file was designed to detect newly observed malicious named pipes for identifying standard C2 (Command and Control) frameworks in cyberattacks. CrowdStrike also mentioned conducting a thorough root cause analysis to understand how this logic error occurred.

While the entire world is grappling with the outbreak and working to resolve the issues, Threat Actors (TAs) are exploiting this situation to their advantage. Within 24 hours of the incident, TAs created several malicious domains to target individuals/Organizations interested in closely following this incident. The cybersecurity community quickly identified these malicious domains and shared the information via platforms like X (formerly Twitter), LinkedIn, etc.

SANS shared a post on X about a domain named “crowdstrikeclaim.com,” offering a form for impacted organizations to request a free claim review. The form asks for detailed information, including phone number, first name, last name, and email address. Submitting this personal and organizational data could result in identity theft or unauthorized access to accounts.

SANS post on X about "crowdstrikeclaim.com

A well-known security researcher John Hammond shared a post on X about a domain called “crowdstrikebluescreen.com,” which offers services to affected organizations. Verifying such services is crucial, as engaging with misleading or fraudulent offers could lead to additional operational problems and divert resources and attention away from addressing the original incident.

image 14

Bernardo Quintero, founder of Virus Total, shared a post on X about TAs exploiting the CrowdStrike incident by distributing malware disguised as a hotfix. The file name suggests that the TAs have created zip domains to distribute the malware.

Crowdstrike hotfix zip

Conclusion:

The emergence of malicious domains and fraudulent services illustrates the need for heightened caution and verification when dealing with offers and requests related to security incidents. These threats pose risks of identity theft and unauthorized access and can divert valuable resources and attention from resolving the core problem. Furthermore, the distribution of malware disguised as a hotfix demonstrates the adaptability and persistence of TAs in exploiting current events for their gain. In navigating these challenges, it is essential for organizations to remain alert, verify the legitimacy of any claims or services, and maintain robust security practices to safeguard against such threats.

Our Recommendations:

  • Avoid submitting personal or organizational information on sites offering “free claim reviews” or other services related to the incident. These may be scams designed to steal sensitive information.
  • Before engaging with any service or offer related to the incident, verify the provider’s legitimacy.
  • Only follow remediation steps and instructions from CrowdStrike’s official support channels.
  • Use updated antivirus and anti-malware tools to scan for and block malicious files or domains. Stay informed about the latest threats and security measures to protect your systems.
  • Educate employees and stakeholders about recognizing and avoiding scams and phishing attempts.

Indicators of Compromise (IOCs)

IndicatorIndicator TypeDescription
crowdstrikeupdate.comDomainMalicious domain
crowdstrikefix.zipDomainMalicious domain
crowdstrikereport.comDomainMalicious domain
crowdstrike-helpdesk.comDomainMalicious domain
microsoftcrowdstrike.comDomainMalicious domain
crowdstrikeoutage.infoDomainMalicious domain
crowdstrikebsod.comDomainMalicious domain
crowdfalcon-immed-update.comDomainMalicious domain
whatiscrowdstrike.comDomainMalicious domain
fix-crowdstrike-bsod.comDomainMalicious domain
fix-crowdstrike-apocalypse.comDomainMalicious domain
crowdstuck.orgDomainMalicious domain
crowdstriketoken.comDomainMalicious domain
crowdstrikefix.comDomainMalicious domain
crowdstrikedoomsday.comDomainMalicious domain
crowdstrikebluescreen.comDomainMalicious domain
crowdstrike0day.comDomainMalicious domain
crowdstrike-bsod.comDomainMalicious domain
crowdstrike-hotfix.zipDomainMalicious domain
crowdstrikeclaim.comDomainMalicious domain
1e84736efce206dc973acbc16540d3e5 fef212ec979f2fe2f48641160aadeb86b83f7b35 c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2  MD5 SHA1 SHA256crowdstrike-hotfix.zip (Remcos RAT)

 

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams