Cybersecurity Threats After CrowdStrike Update

Critical Issue in Cybersecurity: CrowdStrike Update and Aftermath

CrowdStrike released a problematic update last week for its Falcon Sensor tool on the Windows operating system. This caused significant disruptions in the daily operations of various organizations, including banks, airlines, and media companies. The problematic update led to numerous Windows PCs being continuously restarted with 0x50 or 0x7E Blue Screen (BSOD) error codes. Following the identification of the issue, CrowdStrike and Microsoft provided affected customers with the necessary guidance to recover their computers.

However, users experiencing major problems in their daily operations were trying to repair affected computers while cybercriminals attempted to exploit this critical situation. CrowdStrike detected that cybercriminals were distributing a malicious ZIP archive named Crowdstrike-hotfix.zip. The SHA256 hash value of this archive was identified as c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2. The Crowdstrike-hotfix.zip archive contains malware and data from a HijackLoader known as RemCos. CrowdStrike believes that the Spanish file names and instructions in the ZIP archive indicate that this campaign likely targeted CrowdStrike customers based in Latin America (LATAM).

In addition to this malware distribution campaign, cybercriminals are also targeting CrowdStrike customers with phishing campaigns. These cybercriminals, looking to take advantage of the situation, send phishing emails that appear to be from CrowdStrike’s support service, impersonate CrowdStrike employees during phone calls, mimic independent researchers to offer remediation insights, and even sell scripts to help users get rid of the CrowdStrike update issue.

Some of the malicious domains created recently for phishing campaigns include:

• crowdstrike.phpartners[.]org
• crowdstrike0day[.]com
• crowdstrikebluescreen[.]com
• crowdstrike-bsod[.]com
• crowdstrikeupdate[.]com
• crowdstrikebsod[.]com
• www.crowdstrike0day[.]com
• www.fix-crowdstrike-bsod[.]com
• crowdstrikeoutage[.]info
• www.microsoftcrowdstrike[.]com
• crowdstrikeodayl[.]com
• crowdstrike[.]buzz
• www.crowdstriketoken[.]com
• www.crowdstrikefix[.]com
• fix-crowdstrike-apocalypse[.]com
• microsoftcrowdstrike[.]com
• crowdstrikedoomsday[.]com
• crowdstrikedown[.]com
• whatiscrowdstrike[.]com
• crowdstrike-helpdesk[.]com
• crowdstrikefix[.]com
• fix-crowdstrike-bsod[.]com
• crowdstrikedown[.]site
• crowdstuck[.]org
• crowdfalcon-immed-update[.]com
• crowdstriketoken[.]com
• crowdstrikeclaim[.]com
• crowdstrikeblueteam[.]com
• crowdstrikefix[.]zip
• crowdstrikereport[.]com

CrowdStrike strongly advises its customers to communicate only through official channels and to follow the technical guidance provided by CrowdStrike and Microsoft. Additionally, Microsoft recently updated its guide to offer an automated method that includes recovery drivers.