In the wake of last week’s CrowdStrike outage, a surge of cybercriminal activity has emerged, leveraging the chaos to execute social engineering attacks against the security vendor’s clientele. The incident, which disrupted air travel, closed retail operations, and halted medical services, has drawn the attention of national cybersecurity agencies across the US, UK, Canada, and Australia. These agencies have reported a notable uptick in phishing attempts, a trend not uncommon following significant news events. However, BforeAI CEO Luigi Lenguito highlights that the scale and precision of these post-CrowdStrike attacks are unprecedented.
For context, Lenguito notes that during a previous incident involving a high-profile figure, there was a spike of around 200 related cyber threats on the first day, which then stabilized to approximately 40 to 50 daily threats. In stark contrast, the current situation has seen a dramatic increase, with daily attacks ranging from 150 to 300. “This is not the normal volume for news-related attacks,” he asserts.
Profile of a CrowdStrike-Themed Scam
Lenguito elaborates on the modus operandi of these CrowdStrike-themed phishing attacks, explaining that they are particularly insidious due to their targeted nature. “We have these large corporations’ users who are lost, because their computers cannot connect to the mothership, and now they’re trying to get connected. It’s a perfect opportunity for cybercriminals to infiltrate these networks,” he explains.
Unlike broader attacks, these scams are directed at organizations directly impacted by the outage, and the potential victims tend to possess a higher level of technical expertise and cybersecurity awareness. To gain access, attackers have been impersonating the company itself, offering technical support, or even posing as competing firms with enticing “solutions.”
The evidence of this malicious activity is reflected in the proliferation of phishing and typosquatting domains registered in recent days, such as crowdstrikefix[.]com, crowdstrikeupdate[.]com, and www.microsoftcrowdstrike[.]com. One diligent security researcher has identified over 2,000 such domains that have surfaced thus far.
These domains may serve as conduits for malware distribution, exemplified by a ZIP file masquerading as a hotfix that was uploaded to a malware scanning service last weekend. This ZIP file contained HijackLoader, which subsequently loaded the RemCos RAT. The initial report of this file originated from Mexico, with Spanish-language filenames suggesting a targeted campaign against CrowdStrike customers in Latin America.
In another instance, attackers disseminated a CrowdStrike-themed phishing email accompanied by a poorly designed PDF attachment. This PDF contained a link to download a ZIP file that housed an executable. Upon execution, the file prompted the victim for permission to install an update, which turned out to be a wiper. The hacktivist group “Handala” claimed responsibility, asserting that numerous Israeli organizations had suffered significant data losses as a result.
Regardless of the methods employed, Lenguito advises organizations to bolster their defenses by utilizing blocklists, protective DNS tools, and ensuring that they seek technical support exclusively from CrowdStrike’s official channels. Alternatively, he suggests that patience may be a virtue, as these campaigns typically last between two to three weeks. “We’re still early, right? We’ll probably see it taper over the coming weeks,” he concludes.