NCSC: Beware of criminal CrowdStrike opportunists
Financially motivated cyber criminals are already conducting opportunistic attacks on organisations that leverage the CrowdStrike incident, and more targeted attacks are sure to follow
Opportunist cyber criminals are the most pressing immediate threat arising from the 19 July Microsoft outage, which caused millions of machines worldwide to crash as the result of an error made at cyber security firm CrowdStrike during an update, security agencies are warning.
As has been seen repeatedly over the years, malicious actors have been swift to take advantage of major events – in recent history, the 2024 UK General Election; the cost-of-living crisis experienced over the past couple of years; and, in 2020 and 2021, the Covid-19 pandemic, were all swiftly exploited in this way.
The UK’s National Cyber Security Centre (NCSC) said that although it agreed the outages were not the result of a security incident or malicious activity, organisations should still be on high alert.
“An increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organisations and individuals,” said the NCSC in a statement.
“Organisations should review NCSC guidance to make sure that multi-layer phishing mitigations are in place, while individuals should be alert to suspicious emails or messages on this topic and know what to look for.”
The United States Cybersecurity and Infrastructure Security Agency (CISA) echoed the NCSC’s warnings: “Cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts. CISA continues to work closely with CrowdStrike and other private sector and government partners to actively monitor any emerging malicious activity.”
And the Australian Cyber Security Centre (ACSC) said it was seeing reports of suspicious activity. “[We] understand a number of malicious websites and unofficial code are being released claiming to help entities recover from the widespread outages caused by the CrowdStrike technical incident,” it said in a statement.
Researchers at ReliaQuest said that financially motivated threat actors would certainly exploit the confusion and concern to launch targeted attacks on individuals and organisations in the coming days and weeks.
“They might … conduct phishing campaigns to trick users into downloading malware and compromising their credentials,” the team wrote in an advisory blog post.
“Furthermore, they may execute social engineering attacks, posing as IT personnel to deceive and manipulate victims … There are many other ways in which attackers may take advantage of the situation. Organisations must recognise this heightened threat and strictly adhere to official remediation advice to safeguard against these opportunistic exploits.”
The ReliaQuest team also reported that at least one individual attempted to claim responsibility for the incident on a dark web forum, but after being unable to provide proof to substantiate their claims to the forum’s moderators, was kicked out and banned.
CrowdStrike confirms fake updates circulating
CrowdStrike said it had itself identified some instances of malicious code circulating, notably a malicious ZIP archive bearing the name crowdstrike-hotfix.zip.
According to its CrowdStrike Intelligence team, this archive is accompanied by Spanish-language instructions that imply its contents are a utility that will automate recovery for the content update issue.
In fact, the archive contains a HijackLoader payload that, when executed, loads the Remcos remote access Trojan (RAT). The archive was first uploaded to an online malware scanning service from a Mexico-based submitter on 19 July, apparently while the outages were ongoing.
The firm added it was also observing an uptick in fake “typo-squatting” domains, which seek to catch out people making spelling mistakes when typing CrowdStrike into their web browsers.
“CrowdStrike Intelligence recommends that organisations ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided,” said CrowdStrike Intelligence.
CrowdStrike update chaos explained: What you need to know
A botched software update at cyber security firm CrowdStrike has caused IT chaos around the world. Learn more about the global CrowdStrike update outage as it develops with our expert guide.
