Warning: Hackers Are Using Fake CrowdStrike Patches to Spread Malware

Attackers Exploit Business Disruption from CrowdStrike’s Faulty Update

While businesses are seeking support to fix affected Windows servers, researchers and government agencies have detected an increase in phishing emails attempting to exploit the situation.

In an update yesterday, CrowdStrike stated it is “focused on supporting customers” affected by the recent faulty update that caused millions of Windows servers worldwide to crash.

The company urged customers to verify they are contacting legitimate representatives through official channels because “threat actors and bad actors will try to exploit this event.”

“I encourage everyone to remain vigilant and ensure you are interacting with official CrowdStrike representatives. Our blog and technical support are the official channels for the latest information,” said George Kurtz, CEO of CrowdStrike.

The UK’s National Cyber Security Centre (NCSC) also warned of an increase in phishing messages taking advantage of the outage.

Automated malware analysis platform AnyRun noted “an increase in activities impersonating CrowdStrike that could lead to phishing”.

Malware Disguised as Fixes and Updates

On Saturday, cybersecurity researcher g0njxa first reported a malware campaign targeting BBVA bank customers by offering a fake CrowdStrike Hotfix update that installs the Remcos RAT.

The fake patch was promoted through a phishing site, portalintranetgrupobbva[.]com, masquerading as BBVA’s internal portal. The malicious file came with instructions urging employees and partners to install the update to avoid errors when connecting to the company’s internal network.

AnyRun, which also reported on the same campaign, stated that the fake fix delivers HijackLoader, which then installs the Remcos remote access tool on the infected system.

In another warning, AnyRun stated that attackers are spreading wiper malware disguised as updates from CrowdStrike. AnyRun mentioned, “It destroys the system by overwriting files with zero-byte content and then reporting via #Telegram.”

Hacker group Handala claimed responsibility for the campaign, stating on Twitter that they impersonated CrowdStrike in emails sent to Israeli companies to distribute wiper malware.

Attackers impersonated CrowdStrike by sending emails from the domain ‘crowdstrike.com.vc’, informing customers of a tool to bring Windows systems back online.

The emails included a PDF with detailed instructions on running the fake update, as well as a link to download a malicious ZIP file containing an executable named ‘Crowdstrike.exe’.

Once the fake CrowdStrike update is executed, the wiper malware is extracted to a directory in %Temp% and launched to erase stored data on the device.
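The lure described above combines three signals a mail-security team can check for automatically: a sender domain that borrows the vendor's name but is not the vendor's domain (crowdstrike.com.vc rather than crowdstrike.com), a ZIP attachment that carries an executable, and an executable named after the vendor. The following triage script is an added example written for this article; it is not code from CrowdStrike, AnyRun, or the reporting. The set of official domains, the executable extensions list, and the two sample emails are assumptions constructed for the demonstration. It generalizes slightly beyond the article: it flags any brand-named executable or executable-in-ZIP, not only the specific 'Crowdstrike.exe' lure.

```python
"""Triage constructed email records for vendor-impersonation lures.

Added example, not from the article or from CrowdStrike/AnyRun. OFFICIAL_DOMAINS
and the sample emails below are assumptions constructed for the demonstration.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the only legitimate sender domain for this vendor.
OFFICIAL_DOMAINS = {"crowdstrike.com"}
BRAND = "crowdstrike"
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".msi", ".dll", ".js", ".vbs"}


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Support <x@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def is_lookalike(domain: str) -> bool:
    """True when the domain invokes the brand name but is not the official domain
    or one of its subdomains (crowdstrike.com.vc is a lookalike, mail.crowdstrike.com is not)."""
    if not domain:
        return False
    for official in OFFICIAL_DOMAINS:
        if domain == official or domain.endswith("." + official):
            return False
    return BRAND in domain


def executables_in_zip(data: bytes) -> List[str]:
    """Names of ZIP members with an executable extension; non-ZIP data yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


@dataclass
class Email:
    from_header: str
    subject: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # name -> raw bytes


def triage(msg: Email) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    dom = sender_domain(msg.from_header)
    if is_lookalike(dom):
        findings.append(f"lookalike sender domain: {dom}")
    for name, data in msg.attachments.items():
        lower = name.lower()
        if lower.endswith(".zip"):
            for member in executables_in_zip(data):
                findings.append(f"executable inside ZIP attachment {name}: {member}")
                if BRAND in member.lower():
                    findings.append(f"brand-named executable lure: {member}")
        elif os.path.splitext(lower)[1] in EXECUTABLE_EXTS:
            findings.append(f"direct executable attachment: {name}")
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the sample below is self-contained."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed sample: mirrors the lure shape described in the article (PDF with
# instructions plus a ZIP holding a vendor-named executable). Payload bytes are placeholders.
SAMPLE_LURE = Email(
    from_header="CrowdStrike Support <support@crowdstrike.com.vc>",
    subject="Tool to bring Windows systems back online",
    attachments={
        "instructions.pdf": b"%PDF-1.4 constructed placeholder",
        "Crowdstrike.zip": build_zip({"Crowdstrike.exe": b"MZ constructed placeholder"}),
    },
)

# Constructed sample: a benign message from the official domain with a PDF only.
SAMPLE_LEGIT = Email(
    from_header="CrowdStrike <noreply@crowdstrike.com>",
    subject="Remediation guidance",
    attachments={"guidance.pdf": b"%PDF-1.4 constructed placeholder"},
)

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, triage(msg) or "no findings")
```

The lookalike check deliberately treats subdomains of the official domain as legitimate and anything else containing the brand string as suspect; a production version would replace the hard-coded suffix test with a public-suffix lookup and feed the findings into the mail gateway's quarantine rule rather than printing them.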

Millions of Windows Servers Crash

The faulty CrowdStrike software update had a significant impact on Windows systems of many organizations, creating an opportunity for cybercriminals to exploit. According to Microsoft, the faulty update “affected 8.5 million Windows devices or less than one percent of all Windows machines.”

Damage occurred within 78 minutes, from 04:09 UTC to 05:27 UTC. Despite the low percentage of affected systems and CrowdStrike’s swift efforts to resolve the issue, the impact was substantial.

The outage led to thousands of flight cancellations and disruptions at financial companies, hospitals, media organizations, and railways, and even affected emergency services.

In a blog post following the incident on Saturday, CrowdStrike explained that the issue was caused by an update to a Channel file (sensor configuration) for Windows servers (version 7.11 and above), leading to a logic error and subsequent crashes.

Although the problematic file has been identified and no longer causes issues, companies struggling to restore normal operations can follow CrowdStrike’s instructions to recover individual servers, BitLocker Keys, and cloud environments.