How it Happened
A defective content update provided by cybersecurity firm CrowdStrike caused Microsoft Windows systems to crash, disrupting airline travel, healthcare, government services and many other critical industries and organizations globally.
This blog article by Mo Cashman and Trellix Advanced Research Center is focused on what to do now and how Trellix can keep you safe during this crisis.
Need Help to Recover?
CrowdStrike published steps to recover and we recommend you follow those procedures: CrowdStrike Issue Landing Page.
Accessing Safe Mode on Encrypted Systems:
For impacted systems using Trellix Encryption Software please refer to the following knowledge article: Accessing Safe Mode when using Trellix Encryption Software
For customers using BitLocker:
- BitLocker recovery in Microsoft Azure
- BitLocker recovery in Microsoft environments using SCCM
- BitLocker recovery in Microsoft environments using Active Directory and GPOs
- BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager
Additionally, you can leverage Trellix Endpoint Forensics to search for and verify the location of defective files or malicious files. Trellix Forensics provides an enterprise search capability by file hash and verifies that the CrowdStrike .sys files are in the proper “C:\WINDOWS\SYSTEM32\DRIVERS\CROWDSTRIKE\” directory.
If you are a Trellix customer, please refer to the Trellix Thrive support portal for more info. If you are not a Trellix customer, Trellix Support is available to assist all impacted companies. Refer to our Customer Support information for contact information by country.
NEW! Threat and Protections Update – Day 7 – July 25, 2024
Note that all indicators of compromise (IoCs) present in the update can be found within Trellix Insights.
Gift Card Fraud
Since the news broke that CrowdStrike offered apology gift cards to those who are helping out impacted people, actors have been impersonating CrowdStrike, likely to scam gift cards and/or personal information. Domains with the keywords “CrowdStrike” and “gift card” have been registered. This shows, once again, that actors are quick to jump on events and adapt their attack plan accordingly. Below is a post on X from TechCrunch that mentioned the gift cards; not long after it, the first domains related to CrowdStrike and gift cards appeared online.
Infostealers Mainly Found in Adapted Campaigns
Since the start of the outage, CrowdStrike-themed malware has surfaced. In the past week, information stealers have been the main payloads. Below, the observed stealers are listed in order of discovery by the security community, along with a brief summary.
- RemcosRAT (July 19, 2024)
  - Delivered as “CrowdStrike-hotfix.zip”, which contains HijackLoader, which subsequently loads RemcosRAT
  - The Spanish-language notes within the ZIP archive potentially indicate a target demographic of Spanish-speaking victims in Latin America
- Daolpu (July 22, 2024)
  - A macro within a Word document named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm” was sent to victims. Once executed, the malware collects credentials such as login data and cookies stored in Chrome, Edge, and Mozilla browsers
  - Daolpu stealer also targets Cốc Cốc, a web browser primarily used in Vietnam, possibly indicating the malware’s origin
  - The name is “Upload” in reverse
- Connecio (July 23, 2024)
  - Connecio Stealer is a Python-based information stealer delivered via a malicious ZIP file
  - The ZIP file uses the filename “CrowdStrike Falcon.zip” in an attempt to masquerade as a Falcon update. The file “CrowdStrike Falcon.exe” within the ZIP file is a self-extracting RAR that contains and executes a Python-compiled executable containing the Connecio infostealer
- Lumma (July 23, 2024)
  - Lumma Stealer was observed in a phishing campaign impersonating CrowdStrike
  - The domain “crowdstrike-office365[.]com” (registered on July 23, 2024) was used to deliver malicious ZIP and RAR files containing a Microsoft Installer (MSI), which ultimately executes Lumma Stealer (packed with CypherIt)
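The gift-card domains and the stealer campaigns above share one detection opportunity: CrowdStrike-themed hostnames and lure file names showing up in web-proxy logs. The following is an added example (not Trellix's or CrowdStrike's code) that scans constructed proxy lines for the file names and the one domain named in this update; the keyword list, the `host=`/`path=` log format and the crowdstrike.com allowlist are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Indicators taken from the campaigns described above.
LURE_FILENAMES = {
    "crowdstrike-hotfix.zip",                                                  # RemcosRAT
    "new_recovery_tool_to_help_with_crowdstrike_issue_impacting_windows.docm",  # Daolpu
    "crowdstrike falcon.zip", "crowdstrike falcon.exe",                        # Connecio
}
KNOWN_BAD_DOMAINS = {"crowdstrike-office365.com"}                              # Lumma
# Assumed for the demo: event keywords seen in lure names, plus a legitimate-host allowlist.
BRAND_RE = re.compile(r"crowd[-_.]?strike", re.I)
THEME_RE = re.compile(r"gift[-_]?card|hotfix|recover|update|office365|falcon|support", re.I)
LOG_RE = re.compile(r"host=(?P<host>\S+)\s+path=(?P<path>\S+)")   # assumed log format

def classify_host(host):
    """Return a reason if the host looks like a CrowdStrike-themed lure, else None."""
    host = host.lower().rstrip(".")
    if host in KNOWN_BAD_DOMAINS:
        return "known lure domain"
    if host == "crowdstrike.com" or host.endswith(".crowdstrike.com"):
        return None                                   # assumed legitimate vendor hosts
    if BRAND_RE.search(host):
        themed = THEME_RE.search(host)
        return "brand + event keyword in domain" if themed else "brand impersonation in domain"
    return None

def classify_path(path):
    """Flag downloads whose file name is a known lure or a brand-themed archive/executable."""
    name = unquote(path).rsplit("/", 1)[-1].lower()   # decode %20 etc., keep basename
    if name in LURE_FILENAMES:
        return f"known lure file name: {name}"
    if BRAND_RE.search(name) and name.endswith((".zip", ".rar", ".docm", ".exe", ".msi")):
        return f"CrowdStrike-themed archive/executable download: {name}"
    return None

def scan_proxy_log(lines):
    """Return (line_no, reason) tuples for every lure indicator found in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for reason in (classify_host(m["host"]), classify_path(m["path"])):
            if reason:
                hits.append((n, reason))
    return hits

# Constructed sample proxy lines (not real traffic); only lines 2, 3 and 4 should fire.
SAMPLE_LOG = [
    "2024-07-22T08:01:00Z user=alice host=falcon.crowdstrike.com path=/sensor/WindowsSensor.exe",
    "2024-07-22T08:05:12Z user=bob host=crowdstrike-giftcard.example path=/claim",
    "2024-07-23T09:10:44Z user=carol host=crowdstrike-office365.com path=/CrowdStrike%20Falcon.zip",
    "2024-07-23T09:12:03Z user=dave host=cdn.example.net path=/tools/CrowdStrike-hotfix.zip",
    "2024-07-23T09:15:30Z user=erin host=www.example.org path=/news/crowdstrike-outage.html",
]

if __name__ == "__main__":
    for line_no, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Line 5 is deliberately a news page mentioning the brand, which the path rule leaves alone; a real deployment would feed the same functions from the proxy's export rather than the embedded sample.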
CrowdStrike Threat Actor Information Allegedly Being Leaked and Offered in the Underground
A well-known underground threat actor, USDoD, published a post on Breachforums offering the entire CrowdStrike threat actor library. USDoD provided a preview of the data, which Trellix ARC reviewed for authenticity. We can confirm that the data is structured as a threat actor library, including industry synonyms, activities, and countries of origin. The reviewed snippet did not contain any sensitive or customer data. USDoD also claimed to have additional data on indicators of compromise (IoC) and databases from an oil company and a pharmaceutical company. However, Trellix was unable to verify the authenticity of the IoCs or the databases.
Curious to learn more on the topic? Read the whole article here.
___
Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.