Fake CrowdStrike Fixes Target Companies With Malware, Data Wipers

Summary:
Last Friday, at 04:09 UTC, CrowdStrike automatically pushed a configuration update (Channel File) to Windows systems for its endpoint detection and response solution, Falcon sensor. The update contained buggy code that triggered a logic error, causing systems to become stuck in an endless boot loop and display blue screen errors. CrowdStrike identified and remediated the issue quickly, at 05:27 UTC, but systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.

Microsoft estimates that a total of 8.5 million Windows devices were impacted. As organizations work to recover their systems, CISA and the U.K. National Cyber Security Centre have warned of an uptick in phishing messages from actors seeking to take advantage of the CrowdStrike outage. According to a new blog post from CrowdStrike, threat actors have been observed leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. The archive contains a HijackLoader payload that, when executed, loads RemCos, a remote access trojan.

Similar activity was spotted by cybersecurity researcher g0njxa, who reported on X (formerly known as Twitter) a campaign targeting BBVA bank customers with a fake CrowdStrike Hotfix update designed to install the RemCos RAT. AnyRun, an interactive malware hunting service, also tweeted about the same campaign. In a separate notice, it announced that attackers were also distributing a data wiper masquerading as a CrowdStrike update to target entities in Israel. Handala, a pro-Iranian hacktivist group, has claimed responsibility for these attacks, in which the actors impersonate CrowdStrike in emails sent from the domain crowdstrike[.]com[.]vc, claiming that a tool has been created which impacted customers can use to bring their systems back online. These emails contain a PDF file that supposedly provides instructions on how to run the fake update, as well as a link to download a malicious ZIP archive containing an executable designed to extract and load the data wiper.
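As an added example (not from the advisory or from CrowdStrike), a small Python check that a mail-gateway log review could apply to the two lures described above: a sender domain that imitates crowdstrike.com, such as crowdstrike[.]com[.]vc, and an archive attachment posing as a hotfix. The log lines, the log format and the attachment-name pattern are constructed assumptions.

```python
import re

# Constructed sample mail-gateway log lines (assumed format, not real traffic):
# timestamp, sender address, attachment name. Domains may appear defanged.
SAMPLE_LOG = """\
2024-07-20T09:12:01Z from=support@crowdstrike[.]com[.]vc attach=crowdstrike-hotfix.zip
2024-07-20T09:15:44Z from=alerts@crowdstrike.com attach=Falcon_Advisory.pdf
2024-07-20T09:20:13Z from=it-helpdesk@example-partner.net attach=crowdstrike_fix_tool.zip
2024-07-20T09:31:07Z from=billing@vendor.example attach=invoice.pdf
"""

# The only registrable domain CrowdStrike mail should come from (assumption for this example).
LEGITIMATE_DOMAINS = {"crowdstrike.com"}

# Archive or executable whose name claims to be a CrowdStrike fix/hotfix/update.
HOTFIX_NAME_RE = re.compile(
    r"crowdstrike.*(hotfix|fix|update|patch).*\.(zip|exe|iso)$", re.IGNORECASE)

LOG_RE = re.compile(r"from=\S+@(?P<domain>\S+)\s+attach=(?P<attach>\S+)")


def refang(domain: str) -> str:
    """Turn a defanged domain (crowdstrike[.]com[.]vc) back into a comparable form."""
    return domain.replace("[.]", ".").lower()


def is_lookalike(domain: str) -> bool:
    """True if the domain contains the vendor name but is not the vendor's own domain."""
    d = refang(domain)
    if d in LEGITIMATE_DOMAINS or any(d.endswith("." + g) for g in LEGITIMATE_DOMAINS):
        return False
    return "crowdstrike" in d


def flag_line(line: str) -> list[str]:
    """Return the reasons a single log line is suspicious (empty list if none)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    reasons = []
    if is_lookalike(m["domain"]):
        reasons.append(f"lookalike sender domain {m['domain']}")
    if HOTFIX_NAME_RE.search(m["attach"]):
        reasons.append(f"fake hotfix attachment {m['attach']}")
    return reasons


def scan(log: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every flagged line in the log text."""
    return [(line, r) for line in log.splitlines() if (r := flag_line(line))]
```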

Security Officer Comments:
The impact of the latest outage has been widespread, with thousands of flights cancelled, hospitals and financial institutions facing operational difficulties, and emergency services, including 911, rendered inoperable. Although organizations have been working rigorously to bring systems back online, actors taking advantage of the situation to deploy phishing attacks have added a further burden for impacted customers.

Suggested Corrections:
CrowdStrike has advised organizations to ensure that they are communicating with CrowdStrike representatives through official channels and to adhere to the technical guidance that CrowdStrike support teams have provided. In general, customers impacted by the faulty update have been advised to:

  • Boot Windows into Safe Mode or the Windows Recovery Environment. NOTE: Putting the host on a wired network (as opposed to Wi-Fi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  • Locate the file matching “C-00000291*.sys” and delete it.
  • Boot the host normally. Note: BitLocker-encrypted hosts may require a recovery key.
Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process. The signed Microsoft Recovery Tool can be found in the Microsoft Download Center: https://go.microsoft.com/fwlink/?linkid=2280386

CrowdStrike has also published a hunting query as well as IOCs pertinent to the campaign deploying RemCos RAT, which can be accessed here.

Link(s):
https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
https://www.cisa.gov/news-events/alerts/2024/07/19/widespread-it-outage-due-crowdstrike-update

https://www.ncsc.gov.uk/news/major-it-outage
https://www.bleepingcomputer.com/ne...es-target-companies-with-malware-data-wipers/