CrowdStrike Warns of New Phishing Scam Targeting German Customers

Summary:
A targeted cyberattack by a previously unknown threat actor, leveraging the recent CrowdStrike Falcon Sensor update incident, has been identified. The actor is distributing malicious installers disguised as legitimate CrowdStrike software to targeted German-based organizations. The attack, detected on July 24, 2024, involves a phishing campaign designed to deliver a fraudulent CrowdStrike Crash Reporter installer through a deceptively legitimate-looking German website. The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices and caused extensive IT disruptions worldwide. The site uses JavaScript to download the malicious installer, which is obfuscated inside a ZIP archive. The InnoSetup installer carries CrowdStrike branding and German localization but requires a password to execute, which points to a highly targeted campaign relying on spearphishing. CrowdStrike was unable to recover the final payload deployed via the installer.

Security Officer Comments:
The reported cyberattack demonstrates rapid exploitation of a high-profile incident to deliver malicious payloads. The threat actor's ability to stand up convincing phishing infrastructure within days and deploy a targeted attack underscores the evolving sophistication of cybercrime. The German localization suggests the activity is aimed at German-speaking CrowdStrike customers. The use of obfuscation within the installer highlights the adversary's intent and ability to evade detection.

Furthermore, the password-protected nature of the installer indicates a high degree of planning and reconnaissance, suggesting that specific targets within German organizations have been identified. This campaign serves as a stark reminder of the ongoing threat posed by cybercriminals who capitalize on vulnerabilities and security incidents and exploit human error. Organizations must remain vigilant against phishing attacks and implement robust security measures to protect against such threats. Incident response plans should be regularly tested with employees and updated to ensure effective mitigation strategies in the event of a similar attack.

Suggested Corrections:
Recommendations from CrowdStrike:
  • Only accept updates delivered through official CrowdStrike channels, and adhere to CrowdStrike support teams’ technical guidance
  • Check website certificates on the download page to ensure downloaded software originates from a legitimate source
  • Train users to avoid executing files from untrusted sources
  • Enable download protection that can issue warnings about potentially harmful websites or downloads
IOCs for this campaign are published in the CrowdStrike blog post linked below.

Link(s):
https://thehackernews.com/2024/07/crowdstrike-warns-of-new-phishing-scam.html

https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-spearphishing/