CrowdStrike Falcon Outage Exploited for Social Engineering

A widespread IT outage stemming from a defect found in a single CrowdStrike content update began at around 1:00 a.m. ET on July 19, 2024. The outage affected a significant number of Windows hosts globally, including direct impacts to U.S. State, Local, Tribal, and Territorial (SLTT) government entities.^[1] In an official statement, CrowdStrike advised they had isolated the issue and deployed a fix.^[2]

While SLTTs continue to work to maintain critical operations and restore access to Windows-hosted systems running CrowdStrike Falcon sensors, the CIS CTI team has observed cyber threat actors (CTAs) exploiting the situation to tailor phishing lures, typosquatted¹ domains, and a malicious archive ZIP file posing as CrowdStrike support and legitimate CrowdStrike infrastructure.³ The CIS CTI team will continue to monitor related threat context and actively disseminate observed context and indicators of compromise (IOCs) through the MS-ISAC indicator sharing program and the Malicious Domain Blocking and Reporting (MDBR) service.⁴ 

In this blog post, the CIS CTI team will detail the threat activity it observed in the first few days following the CrowdStrike Falcon outage.

The Impact of the CrowdStrike Falcon Outage on SLTTs

The MS-ISAC initially observed significant disruptions to SLTT members’ systems, and it expects some organizations to continue to experience disruptions while administrators work to effectively deploy CrowdStrike’s fix.² Reporting indicates there were significant disruptions to airlines, railways, healthcare, and financial institutions. Reports also noted that a few 911 centers relied on backup systems to receive emergency calls, not to mention additional reported impacts to other SLTT subsectors.⁵

This incident highlights the potential scale of disruption to SLTTs and critical infrastructure when their systems partially depend on a single vendor. CTAs are almost certain to further recognize these dependencies and leverage that insight to inform future cyber attacks.

CTAs' Attempts to Abuse the CrowdStrike Incident   

The CIS CTI team identified CTAs standing up infrastructure, such as recently created domains imitating CrowdStrike. Those domains are likely designed for social engineering to take advantage of the urgency and uncertainty of the situation. Generally, they follow a common theme of posing as authorized CrowdStrike infrastructure and support.

Additionally, CrowdStrike Intelligence released a report on July 20, 2024, detailing that they had observed CTAs delivering a malicious ZIP archive containing HijackLoader posing as a legitimate hot fix file.⁶ The CIS CTI team assesses that IOCs at the end of this report are likely not associated with CrowdStrike and could be used for malicious purposes.

In the past, the CTI team has observed CTAs leveraging chaotic situations and a heightened sense of urgency to socially engineer unsuspecting users into visiting malicious websites and responding to phishing emails that mimic legitimate entities.^{7, 8}

Impacted Sectors

During the initial disruption, the CrowdStrike content update caused interruptions to several SLTT subsectors and other sectors posing downstream impacts to SLTTs. Some examples are listed below:

• Government administrative functions⁹    
  • Department of Motor Vehicles in several locations^{10, 11, 12}  
  • The Social Security Administration¹³
  • Reports indicate “some computers” at the Department of Justice (DOJ) were impacted¹⁴
•  Mass transit systems    
  • A major metro rail system suffered disruptions but has since recovered¹⁵
•  Hospitals/Healthcare^{16, 17} 
  • At least 11 health systems reported that the disruption impacted their ability to administer care
    • Some of these disruptions resulted in canceled surgeries or diverted ambulances
•  Air travel^{18, 19}
  • According to Flightaware, as of July 19, 2024, at 12:56 p.m. ET:
    • Total delays: 31,307
    • Total delays within, into, or out of the United States: 6,169
    • Total cancellations: 3,566
    • Total cancellations within, into, or out of the United States: 2,219
• Financial Services²⁰
• Payment systems^{21, 22}
• Pharmacies²³
  • Resulting in the inability to dispense medication

Indicators of Compromise

The following IOCs include likely malicious domains CIS CTI analysts identified that pose as legitimate CrowdStrike infrastructure.

Likely Typosquatted CrowdStrike Domains^[3]

• areyouaffectedbycrowdstrike[.]info
• crowdstrike[.]blue
• crowdstrike[.]bot
• crowdstrike[.]cam
• crowdstrike[.]fail
• crowdstrike[.]feedback
• crowdstrike[.]help
• crowdstrike0day[.]com
• crowdstrikebluescreen[.]com
• crowdstrike-bluescreen[.]com
• crowdstrikebsod[.]co
• crowdstrike-bsod[.]co
• crowdstrikebsod[.]com
• crowdstrike-bsod[.]com
• crowdstrikebug[.]com
• crowdstrikebug[.]info
• crowdstrikeclaim[.]com
• crowdstrikeclaims[.]com
• crowdstrikeclassaction[.]com
• crowdstrikecure[.]com
• crowdstriked[.]net
• crowdstrikedoomsday[.]com
• crowdstrikedown[.]com
• crowdstrikedown[.]site
• crowdstrikefail[.]com
• crowdstrikefix[.]blog
• crowdstrikefix[.]co
• crowdstrikefix[.]com
• crowdstrike-fix[.]com
• crowdstrikefix[.]in
• crowdstrikefix[.]info
• crowdstrikefix[.]lol
• crowdstrikefix[.]zip
• crowdstrike-fix[.]zip
• crowdstrikefixer[.]com
• crowdstrikeglitch[.]com
• crowdstrikehelp[.]com
• crowdstrikehelp[.]info
• crowdstrike-helpdesk[.]com
• crowdstrikekernelcar[.]com
• crowdstrikelawsuit[.]com
• crowdstrikemedaddy[.]com
• crowdstrikeold[.]com
• crowdstrikeoops[.]com
• crowdstrikeoopsie[.]com
• crowdstrikeoopsies[.]com
• crowdstrikeout[.]com
• crowdstrike-out[.]com
• crowdstrikeoutage[.]com
• crowdstrikeoutage[.]info
• crowdstrikepatch[.]com
• crowdstrikeplatform[.]com
• crowdstrikeplatform[.]info
• crowdstrikerecovery[.]com
• crowdstrikerecovery[.]info
• crowdstrikerecovery[.]live
• crowdstrikerecovery[.]lol
• crowdstrikerecovery[.]pro
• crowdstrikereport[.]com
• crowdstrikesettlement[.]com
• crowdstrikesucks[.]com
• crowdstrikesuporte[.]com
• crowdstrikesupport[.]info
• crowdstriketoken[.]com
• crowdstrikeupdate[.]com
• crowdstrikewatch[.]com
• crowdstrikewindowsoutage[.]com
• crowdstrikeyou[.]xyz
• crowdstrikezeroday[.]com
• crowdstuck[.]org
• fixcrowdstrike[.]com
• fix-crowdstrike[.]com
• fix-crowdstrike-apocalypse[.]com
• fix-crowdstrike-bsod[.]com
• fixmycrowdstrike[.]com
• fuckcrowdstrike[.]com
• fuckingcrowdstrike[.]com
• howtofixcrowdstrikeissue[.]com
• iscrowdstrikedown[.]com
• iscrowdstrikefixed[.]com
• iscrowdstrikestilldown[.]com
• isitcrowdstrike[.]com
• microsoftcrowdstrike[.]com
• microsoftoutagescrowdstrike[.]com
• recoverycrowdstrike[.]com
• secure-crowdstrike[.]com
• suportecrowdstrike[.]com
• supportcrowdstrike[.]blog
• supportcrowdstrike[.]lol
• whatiscrowdstrike[.]com

Malicious ZIP File Masquerading as Legitimate Hot Fix²⁴

 

Archive name	SHA256 Hash
Crowdstrike-hotfix.zip	c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
sqlite3.dll	02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5
vclx120.bpl	2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
instrucciones.txt	4f450abaa4daf72d974a830b16f91deed77ba62412804dca41a6d42a7d8b6fd0
maddisAsm_.bpl	52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
Setup.exe	5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9
datastate.dll	6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2
madexcept_.bpl	835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
maidenhair.cfg (HijackLoader configuration)	931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6
rtl120.bpl	b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
vcl120.bpl	b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
battuta.flv	be074196291ccf74b3c4c8bd292f92da99ec37a25dc8af651bd0ba3f0d020349
madBasic_.bpl (HijackLoader first-stage)	d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea
RemCos Payload	48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184
RemCos C2 Address	213.5.130[.]58[:]443

MITRE ATT&CK Patterns Observed²⁵

• T1566 — Phishing
• T1583.001 — Acquire Infrastructure: Domains 
• T1204.002 — User Execution: Malicious File
• TA0005 — Defense Evasion
• TA0011 — Command and Control

Analytic Confidence of the CIS CTI Team

Analytic confidence in this assessment is moderate to high, as the CIS CTI team continues to receive updated information on the developing incident. Source reliability is high with minimal conflict among sources. Time was several hours to research this topic, and the topic itself was not overly complex. The analyst used a timeline and brainstorming structured method in this analysis, and the analyst worked as part of a small group to complete this product.

For questions or comments, please contact us at [email protected]. For further information on our analytic tradecraft, please refer to our blog post outlining these standards.

Remain Vigilant in the Face of Social Engineering

SLTTs who need further information about restoring access to their systems should refer to CrowdStrike’s official statement, Microsoft’s recovery tool, and any ongoing communications.

Additionally, organizations should monitor indicators of compromise published by CIS CTI, as the team continues to identify and share timely and relevant IOCs through STIX/TAXII and MDBR .

SLTT members should also be mindful that CTAs are likely to continue to attempt to exploit this incident with social engineering lures. Administrators should advise their organizations to remain vigilant in response to unsolicited emails and exercise extra caution when reviewing CrowdStrike support materials. 

For further guidance on mitigating the threat of social engineering tactics, please refer to Phishing Guidance: Stopping the Attack Cycle at Phase One and A Short Guide for Spotting Phishing Attempts.

References

1. https://apnews.com/live/internet-global-outage-crowdstrike-microsoft-downtime 
2. https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ 
3. https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
4. https://www.cisecurity.org/ms-isac/services/mdbr
5. https://apnews.com/live/internet-global-outage-crowdstrike-microsoft-downtime#00000190-caf9-d1bdabfb-fef9e5a70000
6. https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
7. https://www.cpomagazine.com/cyber-security/uk-water-supplier-suffered-a-clop-ransomware-attack-during-major-drought-victim-initially-misidentified-as-uks-largest-water-utility/
8. https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html
9. https://statescoop.com/state-city-government-crowdstrike-update-flaw/
10. https://www.ctinsider.com/connecticut/article/microsoft-crowdstrike-outage-ct-19583790.php
11. https://www.dispatch.com/story/news/local/2024/07/19/ohio-bmv-columbus-hospitals-disrupted-by-globalcrowdstrike-outages/74467317007/
12. https://abc11.com/post/ncdmv-north-carolina-hospitals-among-several-services-significantly/15071591/
13. https://www.ssa.gov/agency/emergency/  
14. https://www.bloomberg.com/news/articles/2024-07-20/us-federal-agencies-hit-in-outage-caused-by-crowdstrike-glitch
15. https://abcnews.go.com/US/american-airlines-issues-global-ground-stop-flights/story?id=112092372
16. https://6abc.com/post/network-issues-linked-microsoft-systems-causing-outages-businesses/15070489/
17. https://www.azcentral.com/story/news/local/phoenix-breaking/2024/07/19/phoenix-area-emergencyresponse-systems-down/74465872007/
18. https://www.cnn.com/2024/07/19/business/delta-american-airlines-flights-outage-intl-hnk/index.html
19. https://www.flightaware.com/live/cancelled
20. https://www.bbc.com/news/articles/cp4wnrxqlewo
21. https://www.abc12.com/news/business/crowdstrike-linked-to-global-computer-outage/article_ae50ce14-36b9-532b-91c6-4137198c7b06.html
22. https://www.bbc.com/news/articles/cp4wnrxqlewo
23. https://www.pharmacytimes.com/view/crowdstrike-reports-global-outage-affecting-hospitals-businesses-across-the-world
24. https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
25. https://attack.mitre.org/