22 July 2024

Threat actors exploit outage from CrowdStrike’s glitchy update to deploy data wipers and RATs


Threat actors are capitalizing on the chaos resulting from a major IT disruption caused by CrowdStrike’s glitchy update to target companies with data wipers and remote access tools (RATs).

Last Friday, a global IT outage related to the interaction between CrowdStrike antivirus and Windows led to widespread disruptions in the operations of airports, banks, media outlets, and telecommunications operators around the world. The outage affected the US, Australia, New Zealand, the UK, Turkey, India, Germany, Ukraine, and other countries.

Airports in Sydney, Scotland, and Berlin temporarily halted operations, flights of SpiceJet and Ryanair were canceled, the London Stock Exchange suspended its activities, and the British channel Sky News and the Australian Broadcasting Corporation were unable to broadcast. McDonald's Japan closed its stores nationwide.

Companies such as Amazon, Visa, Xbox, and Delta were also affected. Many Microsoft users encountered the “blue screen of death.” The failure was reportedly caused by an update from cybersecurity company CrowdStrike, which caused issues with its Falcon Sensor product in Windows. CrowdStrike said that the issue was a content deployment problem and that it has rolled back the changes and provided recommendations for affected users.

Unsurprisingly, the flawed update has led to an increase in phishing emails as businesses seek assistance to fix affected Windows hosts. Researchers and government agencies have noted a surge in malicious activities exploiting this situation.

On Saturday, CrowdStrike issued warnings to its customers, advising them to ensure they are communicating with legitimate representatives through official channels. The UK National Cyber Security Centre (NCSC) has also observed an uptick in phishing messages attempting to take advantage of the outage. Additionally, the automated malware analysis platform ANY.RUN has detected an increase in attempts to impersonate CrowdStrike, which could potentially lead to phishing attacks.

CrowdStrike said that threat actors are using this incident to distribute the Remcos RAT to the company's customers in Latin America, masquerading as a hotfix. The attack chain involves distributing a ZIP archive named "crowdstrike-hotfix.zip," which contains a malware loader known as Hijack Loader (aka DOILoader or IDAT Loader). This loader subsequently launches the Remcos RAT payload.

The ZIP archive also includes a text file, "instrucciones.txt," with Spanish-language instructions urging targets to run an executable file, "setup.exe," to recover from the issue. The use of Spanish filenames and instructions suggests that this campaign is specifically targeting Latin America-based (LATAM) CrowdStrike customers. CrowdStrike attributes the campaign to a suspected e-crime group.
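The lure described above has a recognisable shape: an archive named after the vendor and a "hotfix", a top-level executable, and a plain-text instruction file telling the recipient to run it. The following Python script is an added triage example (not CrowdStrike's tooling or anything from the article) that inspects a ZIP attachment's metadata for that pattern without extracting or executing anything. The only values taken from the reported campaign are the archive name, "instrucciones.txt" and "setup.exe"; the extra name tokens, the executable-suffix list and the sample archives are assumptions constructed here for illustration.

```python
"""Metadata-only triage for ZIP attachments that mimic a vendor "hotfix" lure.

Added example, not CrowdStrike's own tooling. Sample archives are built in
memory (constructed data); nothing inside them is extracted or run.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Suffixes treated as executable content (assumed list, extend to taste).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".msi")
# "crowdstrike" and "hotfix" come from the reported archive name; the rest are assumed.
LURE_NAME_TOKENS = ("crowdstrike", "hotfix", "patch", "recovery", "update")


@dataclass
class TriageResult:
    archive_name: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def triage_zip(archive_name: str, data: bytes) -> TriageResult:
    """Flag archives matching the fake-hotfix pattern.

    Three metadata checks:
      1. archive name uses vendor/hotfix wording,
      2. archive ships an executable at the top level,
      3. a plain-text 'instructions' file sits beside that executable.
    Any two of the three mark the archive for analyst review.
    """
    reasons: List[str] = []
    if any(tok in archive_name.lower() for tok in LURE_NAME_TOKENS):
        reasons.append(f"archive name '{archive_name}' uses hotfix/vendor wording")

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        # Malformed archives are quarantined rather than silently passed.
        return TriageResult(archive_name, True, ["not a valid ZIP archive"])

    # Top-level members only: the lure places setup.exe and its note at the root.
    top_level = [n for n in names if "/" not in n.strip("/")]
    executables = [n for n in top_level if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    text_notes = [n for n in top_level if n.lower().endswith(".txt")]
    if executables:
        reasons.append("top-level executable(s): " + ", ".join(executables))
    if executables and text_notes:
        reasons.append("instruction text beside executable: " + ", ".join(text_notes))
    return TriageResult(archive_name, len(reasons) >= 2, reasons)


def build_sample_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name->content mapping (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the reported lure; the "executable" is placeholder bytes.
LURE_ARCHIVE = build_sample_archive({
    "instrucciones.txt": b"Ejecute setup.exe para restaurar el sistema.\n",
    "setup.exe": b"MZ" + b"\x00" * 62,
})

# Constructed benign archive: everything lives under a folder, no executables.
BENIGN_ARCHIVE = build_sample_archive({
    "report/summary.txt": b"Quarterly numbers attached.\n",
    "report/figures.csv": b"q,revenue\n1,100\n",
})

if __name__ == "__main__":
    for name, blob in (("crowdstrike-hotfix.zip", LURE_ARCHIVE), ("q3-report.zip", BENIGN_ARCHIVE)):
        result = triage_zip(name, blob)
        print(name, "-> QUARANTINE" if result.suspicious else "-> pass", result.reasons)
```

The two-of-three rule keeps a legitimate vendor archive that contains only a README from being flagged on name alone, while still catching the reported combination of a hotfix-style name, a root-level executable and an instruction file; in a mail gateway the same function would run over each attachment before delivery.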

Microsoft reported that the outage affected 8.5 million Windows devices globally, accounting for less than one percent of all Windows machines. The company has released a new recovery tool to assist IT administrators in repairing Windows machines impacted by CrowdStrike's faulty update.
