Cybercriminals are taking advantage of the recent CrowdStrike outage, whose impact has been felt globally, to launch social engineering attacks against the security vendor’s customers. After the incident disrupted sectors including transportation, retail, and healthcare, cybersecurity agencies in the US, UK, Canada, and Australia reported an increase in phishing attempts by opportunistic criminals. BforeAI CEO Luigi Lenguito noted that the volume and specificity of the attacks following the CrowdStrike outage are unprecedented compared with the cyber threats that typically follow a major news event.
The modus operandi of these CrowdStrike-themed scams is to target organizations affected by the outage, exploiting the fact that affected systems have been disconnected from the main network to infiltrate them and cause harm. Unlike more generic attacks, such as those built around fabricated political events, these scams are tailored to a more informed and tech-savvy audience, which makes them harder to detect and mitigate. Attackers pose as trusted entities such as the company itself, technical support providers, or even competitors offering alternative solutions, to lure unsuspecting victims into their traps.
The evidence of this targeted approach is reflected in the registration of numerous phishing and typosquatting domains in recent days, such as crowdstrikefix[.]com, crowdstrikeupdate[.]com, and www.microsoftcrowdstrike[.]com. Security researchers have identified over 2,000 suspicious domains created for malicious purposes, indicating a coordinated effort to exploit the CrowdStrike outage for illicit gains. These domains could serve as conduits for malware distribution, as demonstrated by a recent incident where a fake ZIP file containing the notorious RemCos RAT was circulated among CrowdStrike customers in Latin America.
In another instance, attackers circulated a CrowdStrike-themed phishing email accompanied by a poorly crafted PDF attachment leading to a malicious executable file disguised as an update. Once executed, the file initiated a wiping operation erasing critical data, with the pro-Hamas group “Handala” claiming responsibility for the attack. Such incidents highlight the complexity and severity of the threats posed by cybercriminals leveraging the CrowdStrike outage for nefarious activities.
To safeguard against these evolving threats, organizations are advised to implement blocklists and protective DNS tools, and to exercise caution when seeking technical support, particularly from unverified sources. By relying on the official channels CrowdStrike provides for assistance, businesses can reduce the risk of falling victim to fraudulent schemes. Patience may also help: Lenguito predicts a gradual decline in cyber threats related to the CrowdStrike outage over the next few weeks, based on past campaigns of this kind lasting two to three weeks.
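The typosquatting domains cited above (crowdstrikefix[.]com, crowdstrikeupdate[.]com, www.microsoftcrowdstrike[.]com) and the blocklist and protective DNS advice suggest a simple defensive check: scan DNS query logs for names that embed or closely resemble the vendor's brand but are not the vendor's own domain, and turn the hits into a blocklist. The following is an added example written for this article, not code from the article, from BforeAI, or from CrowdStrike; the log format, the `OFFICIAL_DOMAINS` allowlist, the `BRAND_KEYWORDS` list and the edit-distance threshold are assumptions for illustration, and the sample log lines are constructed (only the three lookalike names come from the article).

```python
"""Flag brand-lookalike domains in DNS query logs and build a blocklist.
Added example; log format, allowlist and thresholds are assumptions."""
from typing import Dict, List, Optional

# Assumed allowlist of legitimate apex domains. Verify against the vendor's
# official guidance before relying on it.
OFFICIAL_DOMAINS = {"crowdstrike.com"}
# Brand strings to look for inside registered names (assumption: one brand).
BRAND_KEYWORDS = ("crowdstrike",)
# Max edit distance between a label and a brand keyword to count as a typosquat.
MAX_EDIT_DISTANCE = 2

# Constructed sample log, one "<timestamp> <client-ip> <queried-name>" per line.
# The three lookalike names are the ones cited in the article; the rest are made up.
SAMPLE_DNS_LOG = """\
2024-07-20T10:01:03Z 10.0.1.15 falcon.crowdstrike.com
2024-07-20T10:01:07Z 10.0.1.22 crowdstrikefix.com
2024-07-20T10:02:11Z 10.0.1.22 crowdstrikeupdate.com
2024-07-20T10:03:40Z 10.0.2.9 www.microsoftcrowdstrike.com
2024-07-20T10:04:02Z 10.0.1.15 supportportal.crowdstrike.com
2024-07-20T10:05:55Z 10.0.3.4 example.org
"""


def refang(domain: str) -> str:
    """Normalise a domain: undo '[.]' defanging, lowercase, strip trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def defang(domain: str) -> str:
    """Make a domain safe to paste into reports by replacing '.' with '[.]'."""
    return refang(domain).replace(".", "[.]")


def is_official(domain: str) -> bool:
    """True if the name is an allowlisted apex domain or a subdomain of one."""
    d = refang(domain)
    return any(d == apex or d.endswith("." + apex) for apex in OFFICIAL_DOMAINS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to catch typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str) -> Optional[str]:
    """Why a name looks like brand abuse, or None if it is official or unrelated.

    'brand-keyword': the brand appears inside a non-TLD label
        (crowdstrikefix, microsoftcrowdstrike, crowdstrike.evil.example).
    'edit-distance': a label is within MAX_EDIT_DISTANCE of the brand (crowdstrke).
    """
    d = refang(domain)
    if is_official(d):
        return None
    labels = d.split(".")[:-1]  # drop the TLD; naive, a real tool would use the PSL
    for label in labels:
        for kw in BRAND_KEYWORDS:
            if kw in label:
                return "brand-keyword"
            if levenshtein(label, kw) <= MAX_EDIT_DISTANCE:
                return "edit-distance"
    return None


def parse_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed whitespace-separated log format into records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the pipeline
        ts, client, qname = parts
        records.append({"ts": ts, "client": client, "qname": refang(qname)})
    return records


def flag_lookalikes(text: str) -> List[Dict[str, str]]:
    """Return log records whose queried name looks like brand impersonation."""
    flagged = []
    for rec in parse_dns_log(text):
        reason = lookalike_reason(rec["qname"])
        if reason:
            flagged.append({**rec, "reason": reason})
    return flagged


def to_blocklist(flagged: List[Dict[str, str]]) -> List[str]:
    """Unique, sorted domains suitable for a protective-DNS or proxy blocklist."""
    return sorted({rec["qname"] for rec in flagged})


if __name__ == "__main__":
    hits = flag_lookalikes(SAMPLE_DNS_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {defang(h['qname'])} ({h['reason']})")
    print("blocklist:", to_blocklist(hits))
```

The keyword check catches names that bolt a word onto the brand (crowdstrikefix, microsoftcrowdstrike) and the edit-distance check catches single-character typos; neither replaces human review before a domain goes on a blocklist, since a partner or reseller may legitimately carry the brand in its name. The TLD handling is deliberately naive: a production version should split names with the Public Suffix List so that multi-part suffixes such as co.uk are not treated as registrable labels.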
In conclusion, the aftermath of the CrowdStrike outage serves as a stark reminder of the persistent and adaptive nature of cyber threats, underscoring the need for heightened vigilance and proactive measures to mitigate risks effectively. By staying informed, maintaining robust cybersecurity practices, and exercising discretion in online interactions, organizations can fortify their defenses against emerging threats and safeguard their digital assets from malicious actors.
