
Cybercrooks Continue to Capitalize on CrowdStrike Outage

Hackers Spread Malicious Recovery Files and Certificates

Friday's global computer outage caused by an update gone wrong from cybersecurity firm CrowdStrike continues to bring out hucksters seeking to capitalize on the incident.


Self-proclaimed hacktivist group USDoD appears the latest to mount a claim, posting Wednesday on a criminal forum a spreadsheet containing an "entire threat actor list" and promising to later publish "their entire IOC list," referring to indicators of compromise.

The Texas company sounded a dismissive note Thursday, saying that "the threat intel data noted in this report is available to tens of thousands of customers, partners and prospects - and hundreds of thousands of users."

The spreadsheet of threat actors is time-stamped June, the company said. That is weeks before CrowdStrike pushed out a buggy update to its flagship anti-malware platform, triggering an incident that has caused an estimated $5.4 billion in direct losses (see: CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard).

USDoD has made exaggerated claims in the past. Malware researchers vx-underground also reviewed the leaked USDoD data, after finding it publicly available.

Hackers began milking the incident almost immediately. In one campaign, they used a domain name resembling that of CrowdStrike to spread the Lumma info stealer. "The threat actor also leveraged advanced social engineering techniques, such as using spam floods and voice phishing (vishing), to deliver malicious binaries," CrowdStrike said.

The company uncovered a phishing campaign that disguised a previously unseen malware variant called "Daolpu" as a CrowdStrike recovery file. In another campaign, hackers targeted Latin America-based CrowdStrike customers through a malicious zip archive named crowdstrike-hotfix.zip to deliver a RemCos HijackLoader payload, the company said last week.

CrowdStrike this week reiterated that its customers should only use official channels to communicate with the company for any system restoration work. It also urged its customers to check for the legitimacy of CrowdStrike certificates while downloading recovery tools.
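The certificate check the company recommends can be scripted on the affected Windows host before a downloaded recovery tool is run. The following PowerShell is an added example and is not code from the article or from CrowdStrike; the expected signer subject pattern and the file path are illustrative placeholders, and the real publisher subject and file hash should be taken from a binary or support page obtained through the vendor's official channels.

```powershell
# Added example, not code from the article or from CrowdStrike.
# Verifies that a downloaded recovery tool carries a valid Authenticode signature
# from the expected publisher (and optionally matches a vendor-published SHA-256)
# before it is executed on an affected host.
# Assumption: $ExpectedSubjectPattern is a placeholder; confirm the real signer
# subject out of band against a binary obtained through official channels.

function Test-RecoveryToolSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder pattern for the publisher's certificate subject.
        [string]$ExpectedSubjectPattern = 'CN=CrowdStrike',
        # Optional SHA-256 published by the vendor on its official support channel.
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the chain built to a trusted root and the file hash matches
    # the signed hash; anything else (NotSigned, HashMismatch, UnknownError) fails.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature alone only proves *someone* signed it; the signer must
    # also be the expected publisher.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedSubjectPattern)) {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }

    if ($ExpectedSha256) {
        # Get-FileHash returns uppercase hex; normalise the reference value to match.
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "SHA-256 mismatch: got $actual"
            return $false
        }
    }

    Write-Host "OK: signed by '$subject', thumbprint $($sig.SignerCertificate.Thumbprint)"
    return $true
}

# Usage (path and hash are illustrative placeholders):
# Test-RecoveryToolSignature -Path 'C:\Downloads\recovery-tool.exe' `
#     -ExpectedSha256 '<hash from the vendor support portal>'
```

The subject check is the important part: a lookalike domain can obtain a TLS certificate, and a freshly registered company can obtain a code-signing certificate, so "signed" is not the same as "signed by the vendor". Comparing the signer's thumbprint against one recorded from a known-good binary is a stricter alternative to matching on the subject string.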

On Monday, James Spiteri, principal product marketing manager at security firm Elastic, said at least 141 certificates have been generated using bogus CrowdStrike domains.

Since the majority of the affected services are back online, experts say the incident is a reminder for organizations to prioritize having robust business continuity plans.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



