A faulty software update from U.S.-based cybersecurity provider CrowdStrike caused a massive outage of Microsoft Windows devices worldwide on Friday.
Threat actors have since been observed using the flawed update as a lure, targeting companies with data wipers and remote access tools.
For those unaware, roughly 8.5 million Windows devices were affected by a malfunction of the CrowdStrike Falcon sensor, the security agent installed on those machines, which caused them to crash with a Blue Screen of Death (BSOD).
Following the outage, CrowdStrike acknowledged the problem, reverted the faulty update and deployed a fix. It also published remediation guidance so that affected businesses and organizations could take the necessary action.
Microsoft also released a recovery tool for the CrowdStrike issue.
Despite these remediation measures, researchers and government agencies have observed a rise in phishing emails urging companies and individuals to download and install a legitimate-looking "hotfix" for the problem.
The first such campaign was reported by cybersecurity researcher g0njxa on Saturday: a malware campaign that delivers the Remcos RAT as a fake CrowdStrike hotfix update, targeting BBVA bank customers.
The malicious file installs HijackLoader, which then delivers the Remcos RAT (remote access tool) to the infected system.
The ZIP archive carrying the malware was named 'crowdstrike-hotfix' and was distributed through a phishing site, hxxps://portalintranetgrupobbva[.]com, posing as a BBVA intranet portal.
In addition, attackers have been spotted distributing a data wiper via fake CrowdStrike hotfixes.
Malware analysis platform AnyRun has reported indications that malicious actors are attempting to impersonate CrowdStrike through phishing scams.
“It decimates the system by overwriting files with zero bytes and then reports it over #Telegram,” AnyRun says.
The pro-Iranian hacktivist group Handala has claimed responsibility for this data wiper attack.
It stated on Twitter that it had sent emails, disguised as coming from CrowdStrike, to Israeli companies in order to deliver the wiper.
The emails were sent from the domain 'crowdstrike.com.vc', a lookalike of crowdstrike.com, and urged recipients to download a tool that would supposedly fix the CrowdStrike problem and restore their Windows systems.
The phishing email Handala sent to targeted companies included a PDF, seen by BleepingComputer, with detailed instructions on how to apply the fake update and a link to download a ZIP archive, which contained an executable named 'Crowdstrike.exe'.
When this fake CrowdStrike update is executed, the data wiper is downloaded and extracted to a folder under %Temp% and then launched to overwrite the files and data stored on the device.
In a separate blog post, CrowdStrike has also warned of a rise in related activity: phishing emails claiming to come from CrowdStrike support, phone calls impersonating CrowdStrike staff, people posing as independent researchers who claim to have evidence that the outage was caused by a cyberattack and offer remediation insights, and the sale of scripts that supposedly automate recovery from the content update issue.
George Kurtz, CrowdStrike's founder and CEO, has urged customers to remain vigilant and to engage only with official CrowdStrike representatives, as the company expects adversaries and bad actors to exploit the incident.
โCustomers are advised to check the support portal for updates. We will also continue to provide the latest information here and on our blog as itโs available.
We recommend organizations verify they are communicating with CrowdStrike representatives through official channels,โ the company wrote in a blog post.
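As an added illustration (not code from the article, from CrowdStrike or from any of the researchers cited), the following Python script triages sender addresses and URLs against the trick used in the Handala campaign above: it extracts the registrable domain of each indicator and compares it with crowdstrike.com, so that 'crowdstrike.com.vc' (where "crowdstrike.com" is merely a subdomain label under the .com.vc suffix) is flagged as a lookalike rather than treated as an official channel. The suffix list, the brand tokens, the OFFICIAL/LOOKALIKE/OTHER verdicts and the sample indicators are assumptions constructed for this example; a production check should use the full Public Suffix List rather than the toy list here.

```python
"""Triage of CrowdStrike-impersonation indicators (added example, not from
the original article).  Indicators may be defanged (hxxps://, [.]) as they
appear in reports; they are refanged, reduced to a host name, and then the
registrable domain (eTLD+1) is compared with the official domain.
"""
import re
from urllib.parse import urlsplit

# Assumption: only crowdstrike.com and its subdomains count as official.
OFFICIAL_DOMAINS = {"crowdstrike.com"}

# Brand strings whose presence in a non-official host marks a lookalike.
BRAND_TOKENS = ("crowdstrike", "crowd-strike", "crowdstrlke")

# Toy stand-in for the Public Suffix List (assumption for illustration only).
# Multi-label suffixes must come before their single-label tails.
PUBLIC_SUFFIXES = ("com.vc", "co.uk", "com", "vc", "net", "org", "io")


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> :"""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_host(indicator: str) -> str:
    """Lower-case host from a URL, an email address (with or without a
    display name), or a bare domain."""
    s = refang(indicator)
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower().strip("<> ")
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """eTLD+1 of host using the toy suffix list above.  For
    'crowdstrike.com.vc' the suffix is 'com.vc', so the registrable
    domain is the whole host, not crowdstrike.com."""
    for suffix in PUBLIC_SUFFIXES:
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            prefix = host[: -len(suffix) - 1]
            return prefix.rsplit(".", 1)[-1] + "." + suffix
    return host


def classify(indicator: str) -> str:
    """OFFICIAL  - registrable domain is an official CrowdStrike domain
       LOOKALIKE - brand name appears in the host but it is not official
       OTHER     - no CrowdStrike brand reference at all"""
    host = extract_host(indicator)
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "OFFICIAL"
    if any(token in host for token in BRAND_TOKENS):
        return "LOOKALIKE"
    return "OTHER"


def triage(indicators):
    """Return (indicator, host, verdict) for every indicator given."""
    return [(i, extract_host(i), classify(i)) for i in indicators]


if __name__ == "__main__":
    # Constructed sample: the two indicators named in the article plus
    # hypothetical official and lookalike variants for comparison.
    samples = [
        "crowdstrike.com.vc",                              # Handala sender domain
        "hxxps://portalintranetgrupobbva[.]com",           # BBVA lure site
        "CrowdStrike Support <support@crowdstrike.com>",   # hypothetical official
        "https://supportportal.crowdstrike.com/",          # hypothetical official
        "hxxps://mail.crowdstrike.com.evil[.]net/fix.zip", # hypothetical lookalike
    ]
    for indicator, host, verdict in triage(samples):
        print(f"{verdict:9} {host:35} <- {indicator}")
```

Note that the BBVA phishing host is reported as OTHER: it impersonates the bank, not CrowdStrike, so a brand-token list for each lure brand in play would be needed to catch it by name alone; the point of the check is that string matching on "crowdstrike.com" is not enough, and only the registrable domain decides whether a channel is official.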