Attackers (Crowd)Strike with Infostealer Malware

Summary:
A recent cyberattack targeting Israeli companies has been attributed to the Iranian threat actor Handala. The campaign used the CrowdStrike outage as a pretext to distribute malicious software. Victims were enticed to download a purported CrowdStrike update through a phishing email disguised as a support notification and paired with a fake update tool. Once the PDF attachment was opened and the payload executed, the infostealer-like malware harvested system credentials, searched the host for sensitive information and exfiltrated the data to command-and-control (C2) servers. The threat actors employed several defense evasion techniques, including registry modifications that hide C2 activity, creation of files with unusual extensions, and the installation of trusted certificates. Multiple processes are spawned to create directories and launch further, potentially malicious, commands. This incident underscores the critical importance of maintaining robust cybersecurity defenses, even in the face of service disruptions.
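The behaviours listed in the summary (a document viewer spawning an executable, files dropped with odd extensions, a root certificate being installed) are each observable in endpoint telemetry. The script below is an added example, not code from the original page or from Perception Point, and it does not use the campaign's real indicators: the event records, field names (`type`, `parent`, `image`, `cmdline`, `target`, `key`), path patterns and extension lists are all constructed assumptions chosen to illustrate how such a detection pass can be structured and how findings are grouped by the process that caused them.

```python
"""Toy detection pass over endpoint telemetry for the behaviours described above.

All sample events are constructed; field names and thresholds are assumptions,
not the vendor's schema or the campaign's indicators.
"""
import re
from collections import Counter

# Constructed Sysmon-style records (assumed field names). One benign record at the end.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\svc\core.dat.tmp2"},
    {"type": "registry_set", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123ABCD"},
    {"type": "process_create", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -addstore root C:\Users\alice\AppData\Local\Temp\ca.cer"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]

# Assumed tuning lists: document/mail handlers that rarely need to spawn binaries,
# extensions that denote executable content, and data extensions normally seen
# under a user profile. Real deployments derive these from their own baseline.
DOCUMENT_HANDLERS = {"acrobat.exe", "acrord32.exe", "outlook.exe", "winword.exe"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
EXPECTED_DATA_EXTENSIONS = {".txt", ".log", ".json", ".xml", ".ini", ".dat", ".db", ".tmp", ".lnk"}
# Windows root certificate store lives under SystemCertificates\ROOT\Certificates (HKLM or HKCU).
ROOT_STORE_KEY = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\", re.IGNORECASE)
CERTUTIL_ADDSTORE = re.compile(r"\bcertutil(\.exe)?\b.*-addstore\b", re.IGNORECASE)
USER_PROFILE_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extension(path):
    name = basename(path)
    idx = name.rfind(".")
    return name[idx:] if idx >= 0 else ""


def actor(ev):
    """The process responsible for the event: the parent for a spawn, else the writer."""
    return ev["parent"] if ev["type"] == "process_create" else ev["image"]


def rule_document_spawns_executable(ev):
    if ev["type"] != "process_create":
        return None
    if basename(ev["parent"]) in DOCUMENT_HANDLERS and extension(ev["image"]) in EXEC_EXTENSIONS:
        return f"document handler {basename(ev['parent'])} spawned {ev['image']}"
    return None


def rule_unusual_extension_in_profile(ev):
    if ev["type"] != "file_create":
        return None
    ext = extension(ev["target"])
    if USER_PROFILE_PATH.search(ev["target"]) and ext not in EXPECTED_DATA_EXTENSIONS \
            and ext not in EXEC_EXTENSIONS:
        return f"file with unusual extension {ext!r}: {ev['target']}"
    return None


def rule_root_cert_install(ev):
    if ev["type"] == "registry_set" and ROOT_STORE_KEY.search(ev["key"]):
        return f"root certificate store modified by {ev['image']}: {ev['key']}"
    if ev["type"] == "process_create" and CERTUTIL_ADDSTORE.search(ev["cmdline"]):
        return f"certutil -addstore run by {ev['parent']}: {ev['cmdline']}"
    return None


RULES = (rule_document_spawns_executable, rule_unusual_extension_in_profile, rule_root_cert_install)


def detect(events):
    """Return one finding dict per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": rule.__name__, "actor": actor(ev), "detail": detail})
    return findings


def hotspots(events):
    """Rank originating processes by how many findings they caused; multi-behaviour
    processes float to the top, which is the triage order an analyst wants."""
    counts = Counter(f["actor"] for f in detect(events))
    return counts.most_common()


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
    print("triage order:", hotspots(SAMPLE_EVENTS))
```

Each rule on its own is noisy (Acrobat legitimately launches helper binaries, installers add files under AppData); the point of `hotspots` is that one process tripping several independent behaviours from the summary is a far stronger signal than any single hit, so the ranking, not the individual alerts, drives triage.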

Security Officer Comments:
The Handala cyberattack serves as a stark reminder of the rapid evolution of threat landscapes and the persistent exploitation of human error. The attackers' ability to capitalize on the CrowdStrike outage highlights the critical need for organizations to implement comprehensive incident response plans. Furthermore, the use of sophisticated evasion techniques emphasizes the importance of advanced threat detection and response capabilities. This campaign underscores the ongoing challenge of combating credential theft, a fundamental component of many cyberattacks. Organizations must prioritize the protection of user credentials through strong password policies, multi-factor authentication, and employee awareness training. Additionally, the reliance on social engineering tactics by the attackers highlights the necessity of robust security awareness programs to equip employees with the skills to identify and report suspicious activities. This incident serves as a valuable case study for understanding the tactics, techniques, and procedures employed by cyber adversaries.

Suggested Corrections:
IOCs are available in the IT-ISAC enclave in TruStar.

To protect against attacks similar to the Handala infostealer campaign, organizations should implement a multi-layered defense strategy. This includes bolstering email security with robust spam filters and advanced threat protection capabilities to prevent phishing emails from reaching end users. Employee cybersecurity awareness training is paramount to equip staff with the ability to identify and report suspicious emails and attachments. Strong password policies, coupled with mandatory multi-factor authentication, significantly reduce the risk of credential theft. Regularly patching systems and applications is essential to address vulnerabilities exploited by malware. Network segmentation and access controls limit the lateral movement of attackers within the environment. Combining these measures can help organizations significantly enhance their resilience against infostealer campaigns and other cyberattacks that use phishing for initial access.

Link(s):
https://perception-point.io/blog/attackers-crowdstrike-with-infostealer-malware/