CrowdStrike’s faulty Falcon Sensor update triggered widespread BSOD crashes on Windows devices worldwide, disrupting multiple sectors. CYFIRMA analyzed the resulting chaos and documented a wave of phishing domains tied to the incident, observed as monetization and credential-theft attempts. #CrowdStrike #Lokibot
Keypoints
- The CrowdStrike Falcon Sensor Windows update was faulty and caused Blue Screen of Death (BSOD) on millions of Windows computers globally, impacting sectors like airports, banks, broadcasters, and healthcare.
- Threat actors quickly leveraged the situation for phishing, spinning up malicious domains aimed at deceiving users and enabling further malicious activity.
- CYFIRMA analyzed a large set of malicious domains related to the incident, noting many domains are non-malicious in themselves, while others are linked to commodity malware or various hosting infrastructures.
- The campaign, named “Reap BlueScreen,” is described as a worldwide spear-phishing effort with 45+ observed domains potentially used to target end users and systems.
- Observed IOCs include domains, IPs associated with major providers (GitHub, Fastly, Microsoft Azure, Namecheap), and a set of file patterns/hashes used in related phishing materials.
- Remediation guidance was provided, including steps to recover affected machines (safe mode, remove specific system files) and the reminder that this is not a security incident but a fixable software issue requiring manual intervention.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The campaign uses mass-scale phishing domains to target unsuspecting end users. Quote: “mass-scale phishing domains to target unsuspecting end users.”
- [T1204.002] User Execution: Malicious Link – Phishing domains are designed to deceive users and propagate malicious activities. Quote: “designed to deceive users and propagate malicious activities.”
- [T1021] Lateral Movement – Lateral movement across the organization’s network. Quote: “Lateral movement across the organization’s network.”
Indicators of Compromise
- [Domain] crashstrike[.]com – Not delivering malware; its resolution history references Lokibot via 172.67.206.221. Example: crashstrike[.]com, and 2 more domains related to the incident.
- [Domain] fix-crowdstrike-bsod[.]com – Not delivering malware; reports include hosting details and related infrastructure. Example: fix-crowdstrike-bsod[.]com, and 2 more domains related to the incident.
- [IP Address] 185.199.108.153 – Associated with GitHub/Fastly CDN; used for content delivery, part of the hosting infrastructure observed in the campaign.
- [IP Address] 20.38.122.68 – Resolving to a CrowdStrike-related domain; associated with Microsoft Corporation Azure services.
- [File hash] 70DD468AE2CF038F23058BC96D0B842F – PDF downloads linked to remediation content observed in the campaign.
- [File name pattern] C-00000291*.sys – Pattern identified in remediation steps for cleaning up potentially harmful system files.
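As an added example (not code from the CYFIRMA report), the following Python refangs the defanged domains and IPs listed above and runs them over constructed resolver log lines, treating subdomains as hits while reporting the shared CDN address as a lower-confidence "ip" hit; the log layout and sample lines are assumptions.

```python
import re
from ipaddress import ip_address
# Indicators from the list above, in the report's defanged form (the shared CDN IP is low confidence).
PAGE_IOCS = ["crashstrike[.]com", "fix-crowdstrike-bsod[.]com",
             "185.199.108.153", "20.38.122.68", "172.67.206.221"]

def refang(ioc):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def load_iocs(raw):
    """Split indicators into domain and IP sets; whatever parses as an address is an IP."""
    domains, ips = set(), set()
    for item in raw:
        value = refang(item)
        try:
            ips.add(str(ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips

def domain_matches(fqdn, domains):
    """Exact match or subdomain (www.crashstrike.com); notcrashstrike.com must not match."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in domains)

# Constructed resolver log layout (assumption; adapt the regex to your own DNS logs).
LOG_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$")

def scan_dns_log(lines, domains, ips):
    """Return (ts, client, qname, reason); 'ip' hits on shared CDN addresses need analyst review."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        if domain_matches(m["qname"], domains):
            hits.append((m["ts"], m["client"], m["qname"], "domain"))
        elif m["answer"] in ips:
            hits.append((m["ts"], m["client"], m["qname"], "ip"))
    return hits

# Constructed sample log lines, not taken from the report.
SAMPLE_LOG = """\
2024-07-19T10:01:02Z client=10.0.0.15 query=www.crashstrike.com answer=172.67.206.221
2024-07-19T10:01:05Z client=10.0.0.22 query=crowdstrike.com answer=203.0.113.9
2024-07-19T10:02:11Z client=10.0.0.31 query=fix-crowdstrike-bsod.com answer=20.38.122.68
2024-07-19T10:02:40Z client=10.0.0.40 query=docs.example.net answer=185.199.108.153
2024-07-19T10:03:00Z client=10.0.0.41 query=notcrashstrike.com answer=198.51.100.7
"""
```

Running `scan_dns_log(SAMPLE_LOG.splitlines(), *load_iocs(PAGE_IOCS))` flags the two look-alike domains and the CDN answer, while the legitimate crowdstrike.com lookup and the near-miss notcrashstrike.com stay clean.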