This report provides additional details of the CrowdStrike Falcon outage of July 19, 2024, the malware campaigns that followed it, and registrar details of the phishing domains. The incident stemmed from a flawed software update that caused widespread system crashes and boot loops, impacting critical infrastructure across various industries. CYFIRMA’s research team conducted a comprehensive analysis of the attackers’ tactics, techniques, and procedures (TTPs) in our previous analysis.
On July 19, 2024, CrowdStrike experienced a significant outage due to issues in a software update for its Falcon sensor. The update, intended to enhance functionality or security, contained a flaw that caused the sensor to malfunction on Windows operating systems, resulting in systems crashing or becoming stuck in a continuous boot loop. The outage had widespread impacts, disrupting critical servers and endpoints globally for many organizations that rely on CrowdStrike Falcon. In response, CrowdStrike quickly deployed a corrective update to address the issue and restore normal functionality, but not before threat actors exploited the situation through attacks or phishing campaigns. The incident underscored the crucial role of EDR solutions in cybersecurity and the need for effective incident response and communication strategies.
Malicious activities were directed toward organizations grappling with disruptions and reduced security. Phishing campaigns were launched, with deceptive communications designed to mimic CrowdStrike or related entities, tricking individuals into divulging sensitive information. To exploit the confusion further, attackers deployed information stealers to collect valuable data, including login credentials and personal details. Malware was also distributed to compromised systems, and some threat actors engaged in domain spoofing, creating counterfeit domains that closely resembled legitimate ones.
Facts & Figures
The outage impacted numerous industries: financial services faced disruptions in transactions and data security, while healthcare providers struggled with system interruptions affecting patient care. Government agencies and technology companies encountered operational challenges, and retailers experienced issues with transactions and inventory management. Manufacturing and energy sectors saw disruptions in production and infrastructure management, and telecommunications providers faced network management challenges. The widespread impact highlighted the critical need for robust cybersecurity across all sectors and led to significant financial losses, including operational disruptions that reduced productivity for many organizations.
Financial costs were incurred as a result of the incident response, recovery efforts, and potential compliance penalties. The outage also damaged CrowdStrike’s reputation, impacting client trust and future business. Clients faced financial losses due to downtime and compromised data security, and the incident increased security risks, potentially leading to further breaches and associated costs. Around 150 phishing domains were identified; threat actors created them to mimic legitimate sites, or CrowdStrike itself, in order to trick users into revealing sensitive information or credentials, further compounding the impact of the outage.
A Microsoft Word document was also distributed by the threat actors, which contained a recovery tool with a malicious macro that installs stealer malware.
CrowdStrike issued an apology via email:
Following the incident, the company sent an apology via email to affected IT workers, which included a $10 Uber Eats voucher as a gesture of goodwill. The email expressed gratitude for the additional work caused by the incident, stating, “We recognize the inconvenience this has caused and offer our heartfelt thanks. To show our appreciation, your next cup of coffee or late-night snack is on us! Use code: [code number] to access your Uber Eats credit.”
Problems with Voucher Redemption
Some users encountered difficulties redeeming the vouchers, receiving error messages indicating that the gift cards had been “canceled by the issuing party and are no longer valid.” In response, CrowdStrike informed ET that it did not distribute gift cards to customers or clients – the vouchers were only sent to the company’s teammates and partners. The spokesperson explained that Uber flagged the vouchers as fraudulent due to unusually high usage rates.
During the CrowdStrike Falcon outage, the phishing domains used by attackers were registered with a variety of domain registrars. Some of the registrars typically involved in such incidents include GoDaddy, Namecheap, Tucows, Google Domains, Enom, CSC CORPORATE DOMAINS, INC, and Public Domain Registry. The choice of registrar often depends on the attackers’ needs and their ability to quickly secure and manage these domains. These registrars were used to set up deceptive sites that mimicked legitimate ones, including those related to CrowdStrike, aiming to trick users into divulging sensitive information.
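As an added example (not part of the CYFIRMA report or any vendor's tooling), the following Python check is one a defender could run over newly registered or newly observed domains to flag CrowdStrike lookalikes of the kind described above; the sample domains and the outage-themed lure-word list are constructed assumptions, not observed indicators.

```python
"""Flag domains that imitate the CrowdStrike brand (added example, constructed data)."""

BRAND = "crowdstrike"
# Assumed list of outage-themed lure words that impersonation domains tend to append.
LURE_WORDS = ("fix", "update", "bsod", "helpdesk", "recovery", "support", "claim")

# Constructed sample input standing in for a feed of newly registered domains.
SAMPLE_DOMAINS = [
    "crowdstrike.com",          # the genuine label; must not be flagged
    "crowdstrike-bsod.com",     # brand plus outage lure word
    "cr0wdstr1ke.com",          # digit-for-letter substitutions
    "crowdstirke.net",          # transposed letters
    "example.com",              # unrelated
]


def normalize(label: str) -> str:
    """Undo common digit/letter substitutions so 'cr0wdstr1ke' compares as 'crowdstrike'."""
    label = label.lower().replace("vv", "w").replace("rn", "m")
    return label.translate(str.maketrans("0l135", "oiies"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'crowdstrike-bsod' from 'www.crowdstrike-bsod.com'.
    Naive on purpose: multi-part public suffixes such as .co.uk need a suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, max_distance: int = 2):
    """Return (category, detail) for a suspicious domain, or None if it looks benign."""
    label = registrable_label(domain)
    if label == BRAND:
        return None                                   # the brand's own label
    core = normalize(label).replace("-", "").replace("_", "")
    if core == BRAND:
        return ("lookalike", label)                   # homoglyphs or inserted hyphens
    if BRAND in core:
        lures = [w for w in LURE_WORDS if w in core.replace(BRAND, "", 1)]
        return ("brand-keyword", lures)               # brand plus extra words
    distance = levenshtein(core, BRAND)
    if distance <= max_distance:
        return ("typosquat", distance)
    return None


def scan(domains):
    """Map each flagged domain to its classification; benign domains are omitted."""
    return {d: r for d in domains if (r := classify(d))}
```

In practice the flagged set would be reviewed alongside registrar and creation-date data from WHOIS/RDAP, which this offline check does not fetch.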
CrowdStrike users were targeted by the Lumma Stealer
This campaign exploited the reduced security postures resulting from the outage. Lumma Stealer typically works by infecting systems through phishing emails or malicious downloads and then extracting valuable information from compromised devices. The increased targeting of CrowdStrike users highlights the risks associated with security disruptions and the importance of vigilant cybersecurity practices.
Attackers Spread Remcos RAT Malware
Cybercriminals leveraged the Falcon update to distribute a ZIP file containing HijackLoader, which in turn launched the Remcos RAT malware. This Trojan, which provides remote access to infected systems, was spread through phishing emails and malicious attachments. The security lapse from the update allowed attackers to gain control over affected devices, leading to potential data breaches and further exploitation.
Wiper Malware
Data wiper malware, or simply wiper malware, is a type of malicious software specifically designed to erase or destroy data on infected devices. The primary function of wiper malware is to wipe (erase) the hard disk of the victim’s machine, effectively rendering the data irretrievable. This type of malware aims to cause significant disruption by deleting files, corrupting system data, and making recovery difficult or impossible. Wiper malware is a severe threat due to its destructive nature and the potential impact on business continuity and data integrity.
Attackers Target CrowdStrike Users with Infostealer Malware
Infostealer malware, designed to capture sensitive data such as login credentials and personal information, has been spread through various malicious tactics. The attackers used the chaos from the update mishap to target vulnerable systems, posing significant security risks and leading to potential data breaches.
In conclusion, the fallout from the outage continues to be exploited by those seeking to profit from the situation. CYFIRMA’s research team is monitoring the activity and will continue to provide updates.