The massive global IT outage, which hit an estimated 8.5 million Windows machines on Friday due to a faulty CrowdStrike Falcon update, was quickly exploited by threat actors to conduct scams, steal data and deploy malware.
The CrowdStrike outage incident exposed both widespread security shortcomings across organizations and the ruthless, opportunistic nature of cybercriminals in the wake of a worldwide disaster.
Here are five examples of threat actors moving quickly to leverage CrowdStrike outages for their own gain:
1. Dozens of CrowdStrike-related phishing domains registered
One of the first signs of threat actors activity relating to the CrowdStrike update incident was the emergence of several suspicious domains related to CrowdStrike and the infamous “blue screen of death” (BSOD) affecting millions of machines Friday.
Several of these domains, such as “crowdstrikebluescreen[.]com” and “crowdstrikefix[.]com” were registered within hours of the outage, as reported by JCyberSEc_ via X on Friday.
Since then, dozens more malicious domains have been identified by numerous security researchers and organizations, including SentinelOne and Bolster. Bolster’s CheckPhish URL scanning platform detected a spike in malicious sites directly after the incident.
“Within the first 24 hours, more than 40 typosquat domains were targeting CrowdStrike users and had been added to the CheckPhish site,” Abhilash Garimella, vice president of research at Bolster, said in a statement.
Visiting these sites can lead to a range of scams, with some soliciting payment for phony BSOD fixes and some directing users to speak with a fake CrowdStrike support representative.
Other scams targeted additional outage-related woes, such as users’ difficulty accessing their bank accounts or need to reschedule flights in the chaotic aftermath of the incident, according to McAfee.
CrowdStrike itself also published an advisory Friday warning of phishing activity, including phishing emails and phone calls impersonating CrowdStrike staff or posing as independent researchers and claiming the outage was part of a cyberattack.
Users are urged to be highly skeptical of unsolicited communications claiming to come from CrowdStrike or Microsoft and to only communicate with CrowdStrike, if needed, directly through its official channels.
2. RemCos RAT spread through “CrowdStrike hotfix” ZIP file
In another advisory published Saturday, CrowdStrike warned that threat actors were distributing a ZIP file named “crowdstrike-hotfix.zip” that led to infection with the RemCos remote access trojan (RAT).
The campaign appears to target Latin America-based CrowdStrike customers and was noted by X user g0njxa and malware analysis platform ANY.RUN to use the domain portalintranetgrupobbva[.]com, which impersonates BBVA bank.
The ZIP file comes with Spanish-language instructions that direct the user to run an executable in order to apply the purported “hotfix” for the CrowdStrike issue. In reality, the file executes the HijackLoader malware loader, which subsequently installs and executes the RemCos RAT from the attacker’s command-and-control (C2) server.
RemCos RAT is a malware-as-a-service (MaaS) offering that has been around since at least 2016, according to Fortinet. The RAT establishes backdoor persistence on the infected machine, enabling the attacker to surveil the device, exfiltrate data back to the C2 server, and potentially load additional malicious software.
Users who are still working to recover from the CrowdStrike outage should either follow CrowdStrike’s manual workaround instructions or use Microsoft’s official Recovery Tool published Saturday. Any purported “fixes” or “patches” that don’t come directly from CrowdStrike or Microsoft’s official channels should be avoided to prevent malware infection.
3. Word document containing Microsoft Recovery Tool instructions drops infostealer
Installing recovery tools and patches only when they come directly from official sites is crucial, as one campaign reported by Zscaler ThreatLabz Monday directly impersonates the aforementioned Microsoft Recovery Tool.
The campaign involves distribution of a Word document containing the same instructions found on Microsoft’s own blog post announcing the Recovery Tool, including a seemingly legitimate Microsoft URL. However, the document contains a malicious macro that installs infostealer malware when activated.
The infostealer, which exfiltrates data to the attacker via an HTTP POST request, is only detected as malicious by six out of 74 security vendors, according to VirusTotal. This highlights the importance of awareness about the risk of opening suspicious Word documents and running document macros.
4. Handala hacking group claims wiper attack leveraging fake CrowdStrike fix
While the RemCos RAT attack identified by CrowdStrike and infostealer attack reported by Zscaler have not been attributed to specific threat actors, another campaign impersonating CrowdStrike in the aftermath of the outage was claimed by the Handala hacking group.
According to Cyberint, Handala is a pro-Hamas hacktivist group that targets Israeli organizations and has previously claimed a cyberattack against Hewlett Packard Enterprise subsidiary Zerto and a ransomware attack against the Ma’agan Michael Kibbutz in June.
On Sunday, Morphisec Malware Researcher Arnold Osipov and ANY.RUN both reported the distribution of a phishing PDF that included a link to a fake recovery tool for the CrowdStrike-related Windows outage. The link leads to wiper malware that overwrites files with zero bytes and communities with a machine labeled “Gaza Hackers Team Handala Machine.”
Screenshots posted Monday by ThreatMon show Handala taking responsibility for the attack, claiming “dozens of Zionist organizations have lost more than several terabytes of their data,” and saying it will publish a list of affected organizations if the Israeli National Cyber Directorate does not do so.
5. Threat actors setting up for attacks that could outlast CrowdStrike outage
The window of opportunity to trick users into installing false CrowdStrike outage fixes and BSOD recovery tools is gradually closing as legitimate tools and workarounds are rolled out, but some attackers have already begun priming for secondary attacks in the post-recovery period.
Bolster identified some domains specifically advertising legal services, rather than recovery tools, in response to the CrowdStrike outage. For example, one site impersonates the law firm Parker Waichman LLP and entices businesses with the opportunity to file a legal claim against CrowdStrike for “compensation” related to the IT outage.
Given the financial losses likely to be incurred due to the widespread outage, many individuals and businesses may seek to recoup their losses through legal action or government assistance, creating a fresh opportunity for threat actors to strike. Business leaders should remain wary of potential scams such as phony recovery funds or website impersonating law firms as they work to recover from the incident.
Bolster also noted cryptocurrency scams invoking CrowdStrike’s name, and CrowdStrike-related domains that appear to be “under construction,” such as “crowdstrike0day[.]com” and “crowdstrike-helpdesk[.]com.”
“Security teams should add the list of typosquat domains to their email blocklists to prevent BEC [business email compromise] and phishing emails sent to their employees,” Garimella wrote. “Double-check URLs and domains before entering information, especially if they were sent to you via an email or an SMS.”
