CrowdStrike Falcon Outage Exploited for Social Engineering
By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)
Published July 26, 2024
A widespread IT outage stemming from a defect found in a single CrowdStrike content update began at around 1:00 a.m. ET on July 19, 2024. The outage affected a significant number of Windows hosts globally, including direct impacts to U.S. State, Local, Tribal, and Territorial (SLTT) government entities.[1] In an official statement, CrowdStrike advised they had isolated the issue and deployed a fix.[2]
While SLTTs continue to work to maintain critical operations and restore access to Windows-hosted systems running CrowdStrike Falcon sensors, the CIS CTI team has observed cyber threat actors (CTAs) exploiting the situation with tailored phishing lures, typosquatted[1] domains, and a malicious ZIP archive posing as CrowdStrike support and legitimate CrowdStrike infrastructure.[3] The CIS CTI team will continue to monitor related threat context and actively disseminate observed context and indicators of compromise (IOCs) through the MS-ISAC indicator sharing program and the Malicious Domain Blocking and Reporting (MDBR) service.[4]
In this blog post, the CIS CTI team will detail the threat activity it observed in the first few days following the CrowdStrike Falcon outage.
The Impact of the CrowdStrike Falcon Outage on SLTTs
The MS-ISAC initially observed significant disruptions to SLTT members’ systems, and it expects some organizations to continue to experience disruptions while administrators work to effectively deploy CrowdStrike’s fix.[2] Reporting indicates there were significant disruptions to airlines, railways, healthcare, and financial institutions. Reports also noted that a few 911 centers relied on backup systems to receive emergency calls, in addition to reported impacts to other SLTT subsectors.[5]
This incident highlights the potential scale of disruption to SLTTs and critical infrastructure when their systems partially depend on a single vendor. CTAs are almost certain to further recognize these dependencies and leverage that insight to inform future cyber attacks.
CTAs' Attempts to Abuse the CrowdStrike Incident
The CIS CTI team identified CTAs standing up infrastructure, such as recently created domains imitating CrowdStrike. Those domains are likely designed for social engineering to take advantage of the urgency and uncertainty of the situation. Generally, they follow a common theme of posing as authorized CrowdStrike infrastructure and support.
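As an added example (not CIS code), the following Python shows one way a defender can flag DNS queries for CrowdStrike lookalike domains of the kind described above: exact hits on a defanged indicator list, hostnames that embed the brand string, and near-miss spellings. The indicator list, the log lines, and the allow-listed zone `crowdstrike.com` are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher

BRAND = "crowdstrike"
LEGIT_ZONE = "crowdstrike.com"  # assumption: the vendor's real zone, allow-listed
# Constructed defanged indicators in the report's bracket style (not the full list).
DEFANGED_IOCS = ["crowdstrikefix[.]com", "crowdstrike-bsod[.]co"]
# Constructed DNS query log lines, not real traffic.
SAMPLE_LOG = """\
2024-07-19T13:02:11Z client=10.0.0.5 query=falcon.crowdstrike.com type=A
2024-07-19T13:02:40Z client=10.0.0.7 query=crowdstrike-bsod.co type=A
2024-07-19T13:03:02Z client=10.0.0.9 query=fixcrowdstrike.com type=A
2024-07-19T13:03:15Z client=10.0.0.9 query=cr0wdstrike.com type=A
2024-07-19T13:04:00Z client=10.0.0.5 query=example.com type=A
"""
QUERY_RE = re.compile(r"query=(?P<host>[A-Za-z0-9.-]+)")

def refang(ioc):
    """Turn a defanged indicator such as crowdstrike[.]com back into a hostname."""
    return ioc.replace("[.]", ".").replace("(.)", ".").strip(".").lower()

def registrable_label(host):
    # Second-level label (crowdstrikefix for crowdstrikefix.com); fine for these TLDs.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(host, ioc_set, threshold=0.8):
    """Return a detection reason for a CrowdStrike lookalike hostname, or None."""
    host = host.lower().strip(".")
    if host == LEGIT_ZONE or host.endswith("." + LEGIT_ZONE):
        return None                      # the vendor's own zone is never flagged
    if host in ioc_set:
        return "known-ioc"               # exact hit on the published indicator list
    label = registrable_label(host)
    if BRAND in label:
        return "brand-embedded"          # e.g. fixcrowdstrike, crowdstrikehelp
    if SequenceMatcher(None, label, BRAND).ratio() >= threshold:
        return "near-match"              # e.g. cr0wdstrike: one character swapped
    return None

def scan_dns_log(text, defanged_iocs):
    """Return (hostname, reason) for each query line that trips a detection."""
    ioc_set = {refang(i) for i in defanged_iocs}
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        reason = classify(m.group("host"), ioc_set) if m else None
        if reason:
            hits.append((m.group("host"), reason))
    return hits
```

The near-match threshold is a tuning knob: lower it to catch more distant misspellings at the cost of more review work on benign domains.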
Additionally, CrowdStrike Intelligence released a report on July 20, 2024, detailing that they had observed CTAs delivering a malicious ZIP archive containing HijackLoader posing as a legitimate hot fix file.[6] The CIS CTI team assesses that the IOCs listed at the end of this report are likely not associated with CrowdStrike and could be used for malicious purposes.
In the past, the CTI team has observed CTAs leveraging chaotic situations and a heightened sense of urgency to socially engineer unsuspecting users into visiting malicious websites and responding to phishing emails that mimic legitimate entities.[7], [8]
Impacted Sectors
During the initial disruption, the CrowdStrike content update caused interruptions to several SLTT subsectors and to other sectors whose outages posed downstream impacts to SLTTs. Some examples are listed below:
- Government administrative functions[9]
  - Department of Motor Vehicles in several locations[10], [11], [12]
  - The Social Security Administration[13]
  - Reports indicate “some computers” at the Department of Justice (DOJ) were impacted[14]
- Mass transit systems
  - A major metro rail system suffered disruptions but has since recovered[15]
- Hospitals/Healthcare[16], [17]
  - At least 11 health systems reported that the disruption impacted their ability to administer care
  - Some of these disruptions resulted in canceled surgeries or diverted ambulances
- Air travel[18], [19]
  - According to Flightaware, as of July 19, 2024, at 12:56 p.m. ET:
    - Total delays: 31,307
    - Total delays within, into, or out of the United States: 6,169
    - Total cancellations: 3,566
    - Total cancellations within, into, or out of the United States: 2,219
- Financial Services[20]
- Payment systems[21], [22]
- Pharmacies[23]
  - Resulting in the inability to dispense medication
Indicators of Compromise
The following IOCs include likely malicious domains CIS CTI analysts identified that pose as legitimate CrowdStrike infrastructure.
Likely Typosquatted CrowdStrike Domains[3]
Malicious ZIP File Masquerading as Legitimate Hot Fix[24]
MITRE ATT&CK Patterns Observed[25]
- T1566 — Phishing
- T1583.001 — Acquire Infrastructure: Domains
- T1204.002 — User Execution: Malicious File
- TA0005 — Defense Evasion
- TA0011 — Command and Control
Analytic Confidence of the CIS CTI Team
Analytic confidence in this assessment is moderate to high, as the CIS CTI team continues to receive updated information on the developing incident. Source reliability is high with minimal conflict among sources. Several hours were spent researching this topic, and the topic itself was not overly complex. The analyst used the timeline and brainstorming structured analytic methods in this analysis, and the analyst worked as part of a small group to complete this product.
For questions or comments, please contact us at [email protected]. For further information on our analytic tradecraft, please refer to our blog post outlining these standards.
Remain Vigilant in the Face of Social Engineering
SLTTs who need further information about restoring access to their systems should refer to CrowdStrike’s official statement, Microsoft’s recovery tool, and any ongoing communications.
Additionally, organizations should monitor indicators of compromise published by CIS CTI, as the team continues to identify and share timely and relevant IOCs through STIX/TAXII and MDBR.
SLTT members should also be mindful that CTAs are likely to continue to attempt to exploit this incident with social engineering lures. Administrators should advise their organizations to remain vigilant in response to unsolicited emails and exercise extra caution when reviewing CrowdStrike support materials.
For further guidance on mitigating the threat of social engineering tactics, please refer to Phishing Guidance: Stopping the Attack Cycle at Phase One and A Short Guide for Spotting Phishing Attempts.
References
1. https://apnews.com/live/internet-global-outage-crowdstrike-microsoft-downtime
2. https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
3. https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
4. https://www.cisecurity.org/ms-isac/services/mdbr
5. https://apnews.com/live/internet-global-outage-crowdstrike-microsoft-downtime#00000190-caf9-d1bdabfb-fef9e5a70000
6. https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
7. https://www.cpomagazine.com/cyber-security/uk-water-supplier-suffered-a-clop-ransomware-attack-during-major-drought-victim-initially-misidentified-as-uks-largest-water-utility/
8. https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html
9. https://statescoop.com/state-city-government-crowdstrike-update-flaw/
10. https://www.ctinsider.com/connecticut/article/microsoft-crowdstrike-outage-ct-19583790.php
11. https://www.dispatch.com/story/news/local/2024/07/19/ohio-bmv-columbus-hospitals-disrupted-by-globalcrowdstrike-outages/74467317007/
12. https://abc11.com/post/ncdmv-north-carolina-hospitals-among-several-services-significantly/15071591/
13. https://www.ssa.gov/agency/emergency/
14. https://www.bloomberg.com/news/articles/2024-07-20/us-federal-agencies-hit-in-outage-caused-by-crowdstrike-glitch
15. https://abcnews.go.com/US/american-airlines-issues-global-ground-stop-flights/story?id=112092372
16. https://6abc.com/post/network-issues-linked-microsoft-systems-causing-outages-businesses/15070489/
17. https://www.azcentral.com/story/news/local/phoenix-breaking/2024/07/19/phoenix-area-emergencyresponse-systems-down/74465872007/
18. https://www.cnn.com/2024/07/19/business/delta-american-airlines-flights-outage-intl-hnk/index.html
19. https://www.flightaware.com/live/cancelled
20. https://www.bbc.com/news/articles/cp4wnrxqlewo
21. https://www.abc12.com/news/business/crowdstrike-linked-to-global-computer-outage/article_ae50ce14-36b9-532b-91c6-4137198c7b06.html
22. https://www.bbc.com/news/articles/cp4wnrxqlewo
23. https://www.pharmacytimes.com/view/crowdstrike-reports-global-outage-affecting-hospitals-businesses-across-the-world
24. https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
25. https://attack.mitre.org/
[1] Typosquatting involves the purchase and registration of malicious domains that are visually similar to an existing domain with the intention of deceiving unsuspecting users into visiting the page. Typosquatters often target high-traffic and/or sensitive websites to exploit the greatest number of users or to gain unauthorized access to restricted information.
[2] Microsoft reported that Azure users may experience unresponsiveness and startup failures on Windows machines leveraging the CrowdStrike Falcon agent, which impacts both on-premises and several cloud platforms including Microsoft Azure, Amazon Web Services, and Google Cloud.
[3] The CIS CTI team has observed domains resembling typosquats that are registered to CrowdStrike. This is likely a result of CrowdStrike’s efforts to proactively register similar domains to pre-empt CTA action. This list does not include any of those domains.
About the Author: The CIS CTI team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all SLTT entities and election offices. With decades of combined experience in all types of industries, the CIS CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.
Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.