Threat actors moved quickly to exploit the CrowdStrike outage in July 2024 by creating malicious domains and fraudulent services tied to the incident, aiming to harvest data and mislead affected organizations. This episode underscores how current events can drive phishing, domain-based scams, and malware distribution disguised as legitimate fixes. #CrowdStrikeOutage #RemcosRAT
Keypoints
- The CrowdStrike sensor update on July 19, 2024 contained a logic error causing widespread BSODs and service disruptions across multiple sectors.
- Within 24 hours, threat actors began creating malicious domains to capitalize on the incident and attract victims seeking updates or information.
- Fraudulent domains and services (e.g., crowdstrikeclaim.com, crowdstrikebluescreen.com) were promoted to extract personal and organizational data and push misleading “solutions.”
- SANS highlighted a domain offering a “free claim review” form, creating a risk of identity theft or credential exposure from the data submitted.
- Remcos RAT was reported being distributed disguised as a hotfix, via domains registered under the .zip top-level domain and hosted files.
- Recommendations stress verifying legitimacy, avoiding sharing sensitive data on incident-related sites, and adhering to CrowdStrike’s official channels and updated defenses.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – Attackers create malicious domains and fraudulent services that use web protocols for C2 or phishing; “Within 24 hours of the incident, TAs created several malicious domains to target individuals/organizations interested in closely following this incident.”
- [T1071.003] Application Layer Protocol: Mail Protocols – The fraudulent domains and forms may involve mail protocols for phishing or credential harvesting; “domain named ‘crowdstrikeclaim.com,’ offering a form for impacted organizations to request a free claim review.”
- [T1203] Exploitation for Client Execution – Distribution of malware disguised as a hotfix suggests an exploitation technique to execute malicious code on client systems; “the distribution of malware disguised as a hotfix.”
- [T1070] Indicator Removal on Host – Threat actors may be involved in removing indicators of compromise by disguising malicious software as legitimate updates or fixes; “disguising malicious software as legitimate updates or fixes.”
- [T1193] Spearphishing – The creation of phishing domains (e.g., “crowdstrikeclaim.com”) for collecting personal and organizational information is an example of spearphishing; “phishing domains to collect information.”
- [T1566] Phishing – The use of deceptive domains and forms to gather sensitive information falls under phishing techniques; “deceptive domains and forms to gather sensitive information.”
- [T1497] Virtualization/Sandbox Evasion – Malware disguised as a hotfix might use techniques to evade detection by security tools or sandboxes; “employ evasion techniques to avoid analysis.”
Indicators of Compromise
- [Domain] crowdstrikeupdate.com, crowdstrikefix.zip, crowdstrikereport.com, crowdstrike-helpdesk.com, crowdstrikeoutage.info, crowdstrikebsod.com
- [Domain] crowdfalcon-immed-update.com, whatiscrowdstrike.com, fix-crowdstrike-bsod.com, crowdstrikeclaim.com, crowdstrike-hotfix.zip
- [Hash] crowdstrike-hotfix.zip – MD5 1e84736efce206dc973acbc16540d3e5; SHA1 fef212ec979f2fe2f48641160aadeb86b83f7b35; SHA256 c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
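The lookalike-domain pattern described in the key points and listed above (brand name plus an incident lure word, sometimes on a .zip TLD) can be turned into a simple resolver-log detection. The following is an added example, not code from the original report; the allowlist, the lure-word list, the log format and the sample log lines are assumptions constructed for the example.

```python
import re

# Legitimate registrable domains (assumption for this example; source yours
# from vendor documentation / asset inventory, not from this list).
LEGIT_DOMAINS = {"crowdstrike.com"}

# Brand tokens and incident-themed lure words seen in the domains on this page.
BRAND_TOKENS = ("crowdstrike", "crowdfalcon")
LURE_WORDS = ("fix", "hotfix", "update", "bsod", "bluescreen",
              "claim", "outage", "helpdesk", "report")
# TLDs that double as archive-file extensions, so a hostname reads like a download.
FILE_LIKE_TLDS = {"zip", "mov"}

def registrable(domain: str) -> str:
    """Naive eTLD+1: last two labels (no public-suffix list; a known simplification)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def score_domain(domain: str) -> list[str]:
    """Return reasons a domain looks like an incident-themed lookalike; [] if clean."""
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:
        return []
    name, _, tld = reg.rpartition(".")
    reasons = []
    if any(tok in name for tok in BRAND_TOKENS):
        reasons.append("brand-in-unowned-domain")
        if any(w in name for w in LURE_WORDS):
            reasons.append("incident-lure-word")
        if tld in FILE_LIKE_TLDS:
            reasons.append("file-extension-tld")
    return reasons

# Constructed resolver log lines for this example: "<ts> <client> query <qname> <type>".
SAMPLE_LOG = """\
2024-07-20T09:12:01Z 10.0.4.17 query falcon.crowdstrike.com A
2024-07-20T09:13:44Z 10.0.4.17 query crowdstrike-hotfix.zip A
2024-07-20T09:15:02Z 10.0.7.9 query fix-crowdstrike-bsod.com A
2024-07-20T09:16:30Z 10.0.7.9 query www.example.org A
2024-07-20T09:18:11Z 10.0.2.3 query crowdstrikeclaim.com A
"""
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) \S+$")

def scan_dns_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, domain, reasons) for every flagged query; skip malformed lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, client, qname = m.groups()
        reasons = score_domain(qname)
        if reasons:
            hits.append((client, qname.lower(), reasons))
    return hits
```

The substring match is deliberately broad; in production, feed hits into a triage queue keyed on client and domain rather than blocking outright, since vendor-owned hostnames must stay on the allowlist.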