Key Points

  • On July 19, 2024, a CrowdStrike update caused millions of Windows users globally to experience the blue screen of death (BSOD), leading to system shutdowns. CrowdStrike has identified and fixed the issue.
  • ReliaQuest warns of fake PowerShell and Batch scripts posing as fixes, likely to appear on platforms like GitHub. These scripts can install dangerous software like Cobalt Strike, enabling unauthorized access.
  • A surge in new domains claiming to offer fixes has been detected. These domains may be used for phishing or malware distribution. Users must verify the authenticity of any site or email before taking action.
  • The confusion from the outage creates opportunities for social engineering attacks. Cybercriminals may impersonate IT personnel or cybersecurity firms, tricking users into revealing sensitive information or downloading malware.
  • July 22 update: Attackers are distributing malware disguised as a CrowdStrike fix or via Microsoft Word docs that contain harmful macro code.
  • July 22 update: Microsoft has introduced an updated recovery tool that offers two repair options to help IT administrators speed up the repair process.

Updated July 22

Attackers Distribute Malicious Recovery Files

On July 22, ReliaQuest identified threat actors distributing malware masquerading as a fix for the Crowdstrike Blue Screen of Death (BSOD) error. In one instance, attackers are sending phishing emails with a ZIP file named “crowdstrike-hotfix.zip,” which deploys malware known as “Remcos RAT.”

IoCs:

  • fef212ec979f2fe2f48641160aadeb86b83f7b35
  • 66fbe2b33e545062a1399a4962b9af4fbbd4b356
  • 5b2f56953b3c925693386cae5974251479f03928
  • 4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
  • 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0
  • 213[.]5[.]130[.]58

Additionally, attackers have been observed distributing malicious Microsoft Word documents containing harmful macro code. When these macros are enabled and executed, they download information-stealing malware.

IoCs:

  • 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
  • 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
  • 172[.]104[.]160[.]126

Microsoft Releases Recovery Tool

Following the issue with the CrowdStrike Falcon agent affecting Windows clients and servers, Microsoft has introduced an updated recovery tool that offers two repair options to help IT administrators speed up the repair process.

  • Recover from WinPE: This option creates boot media to aid in repairing the device.
  • Recover from Safe Mode: This option generates boot media allowing impacted devices to boot into safe mode. Users can then log in with an account that has local admin privileges and follow the remediation steps.

Microsoft includes detailed instructions found here.

Initial Coverage, July 19

On July 19, 2024, a critical issue stemming from a CrowdStrike update resulted in millions of Windows users globally experiencing the blue screen of death (BSOD) error, causing their systems to shut down or restart. CrowdStrike has acknowledged the problem, attributing it to updates made to its Falcon Sensor. CrowdStrike has provided workaround steps for impacted users and stated that the issue has been identified and isolated and a fix deployed. They have assured users that Linux and Mac hosts remain unaffected and confirmed that this incident is not the result of a cyber attack.

Users on cybercriminal forums were quick to begin discussing the issue. For instance, a user with the moniker “ART 46,” who purported to represent a new hacking group, claimed responsibility for the incident. This claim was widely dismissed by forum users and moderators, who demanded evidence for the allegation. Due to the lack of proof, the user was subsequently banned by the forum moderator and the claim dismissed (see Figure 1).

At the time of writing, there is no indication of threat actor involvement in the incident, but there is clear evidence that cybercriminals are aware of the situation. As businesses around the world respond to events related to CrowdStrike outages, threat actors are exploiting the ensuing chaos to prey on organizations at their weakest. This Spotlight details areas that may be abused by threat actors, helping organizations to shore up their defenses and remain vigilant against potential threats.

XSS forum moderator dismisses cybercriminal involvement in CrowdStrike outage image

Figure 1: Forum moderator dismisses cybercriminal involvement in CrowdStrike outage

Potential Cybercriminal Activity

Fake Scripts

Threat actors are poised to prey on users desperately seeking solutions to the CrowdStrike update issue by crafting malicious scripts masquerading as genuine fixes. ReliaQuest warns that, in the immediate future, these malicious PowerShell and Batch scripts will likely proliferate on popular code-sharing platforms like GitHub. Once executed, these scripts can infect systems and install additional dangerous software such as Cobalt Strike or remote monitoring and management (RMM) tools, paving the way for unauthorized access and control. The urgency to resolve the update problem makes users particularly vulnerable to these sophisticated traps. Stay vigilant and verify the authenticity of any script before execution to protect your systems from further harm.

Recommendations to Combat This Threat

  • Only follow official vendor recommendations to remediate the update issue.
  • Verify the source of any scripts created to automate the remediation process.
  • Advise users not to download any software that advertises itself as a USB solution to restore impacted machines. Threat actors may promote fake fixes that, when downloaded, infect the initial system.

Phishing Domains

ReliaQuest has detected a surge in new impersonating domains following the CrowdStrike outage, many of which claim to offer fixes and helpful information. Users should exercise caution; cybercriminals are highly adept at creating impersonating domains to distribute malware or execute phishing attacks. Even seemingly legitimate domains can be weaponized to send phishing emails that lure victims into downloading malicious software or divulging sensitive information, such as credentials or payment card details. America’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) have already reported an uptick in phishing campaigns exploiting this outage. Threat actors are seizing this opportunity to deceive and compromise unsuspecting users. It is important to stay vigilant and verify the authenticity of any site or email before taking action.

Below are several domains we observed being created today that have the potential to be used for phishing campaigns or scams.

crowdstrike[.]fail crowdstrikeoopsie[.]com
crowdstrike-bsod[.]com crowdstrikefix[.]zip
crowdstrikebug[.]com crowdstrikedown[.]site
crowdstrikebluescreen[.]com crowdstrikeoutage[.]info
crowdstrikedoomsday[.]com crowdstriketoken[.]com
crowdstrikeoutage[.]com crowdstrikeupdate[.]com
isitcrowdstrike[.]com crowdstrikebsod[.]com
fix-crowdstrike-bsod[.]com crowdstrike-helpdesk[.]com
crowdstrike0day[.]com crowdstrikeclaim[.]com
crowdstrikedown[.]com crowdstrikefail[.]com
crowdstrikefix[.]com crowdstrikereport[.]com
fix-crowdstrike-apocalypse[.]com microsoftcrowdstrike[.]com
iscrowdstrikedown[.]com suportecrowdstrike[.]com
whatiscrowdstrike[.]com

Recommendations to Combat This Threat

  • Be cautious of links posted on social media unless they come from an official or trusted source.
  • Report suspicious emails and do not click on links received from unsolicited emails regarding the outage.
  • Visit the vendor’s legitimate website for recommendations and consult reliable IT or security providers for additional support.

Social Engineering

This incident has plunged millions of users into chaos and confusion, creating a prime opportunity for cybercriminals to strike. Amid this turmoil, threat actors will exploit the situation for financial gain or to breach security defenses. History has shown that adversaries often leverage current events—be it tax season or significant cyber attacks—to deceive unsuspecting victims. With the widespread disruption caused by the update, it is highly likely that attackers will target affected companies with social engineering attacks.

Using tools like Down Detector, cybercriminals can easily identify impacted organizations and launch sophisticated phishing or vishing (voice phishing) campaigns. These malicious actors may impersonate IT personnel from the affected company or even representatives from cybersecurity firms like CrowdStrike, promising to fix the issue or provide preventative measures. In such scenarios, users might unwittingly divulge sensitive information, visit malicious websites, or download unauthorized applications, potentially leading to compromised credentials or granting remote access to attackers. The sense of urgency and desire for resolution makes users especially susceptible, making it crucial for everyone to remain vigilant and skeptical of unsolicited offers of help.

Recommendations to Combat This Threat

  • Educate users to be extra cautious about potential phishing emails, suspicious phone calls, or unusual user behaviors.
  • Implement certificate-based authentication policies and use digital certificates to verify user authenticity during the login process.
  • Incorporate alternative authentication methods, such as biometrics and adaptive authentication, to enhance security.

Threat Forecast

In the coming days and weeks, financially motivated threat actors will exploit the confusion and concern caused by the CrowdStrike outage to launch targeted attacks on individuals and organizations. These adversaries may exploit the situation by crafting malicious scripts disguised as legitimate fixes, ready to infect systems with harmful software. They might also conduct phishing campaigns to trick users into downloading malware and compromising their credentials. Furthermore, they may execute social engineering attacks, posing as IT personnel to deceive and manipulate victims. We have just explored three options here, but there are many other ways in which attackers may take advantage of the situation. Organizations must recognize this heightened threat and strictly adhere to official remediation advice to safeguard against these opportunistic exploits.

What ReliaQuest Is Doing

To help organizations mitigate the risk, ReliaQuest is actively watching out for impersonating domains, as well as additional dark web communications discussing attacks or developing threats. We will continue to monitor the situation and release new updates as they become available.

Official Remediation Advice

Currently, no global remediation is available to mass deploy the recommended script. Each host will need manual remediation, increasing remediation times to weeks instead of days or hours.

CrowdStrike customers will need to forcibly shut down and reboot their systems to download the reverted update file. If the system continues to crash, the following work around steps are recommended.

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-00000291*.sys” and delete it
  • Boot the host normally

It is important to note that hosts using BitLocker encryption may require recovery keys. Additional information from CrowdStrike on remediation can be found here.