How it Happened

A defective content update provided by cybersecurity firm CrowdStrike caused Microsoft Windows systems to crash, disrupting airline travel, healthcare, government services and many other critical industries and organizations globally.

This blog article by Mo Cashman and Trellix Advanced Research Center is focused on what to do now and how Trellix can keep you safe during this crisis.


Need Help to Recover?

CrowdStrike published steps to recover and we recommend you follow those procedures: CrowdStrike Issue Landing Page.

Accessing Safe Mode on Encrypted Systems:

For impacted systems using Trellix Encryption Software please refer to the following knowledge article: Accessing Safe Mode when using Trellix Encryption Software

For customers using BitLocker:

  • BitLocker recovery in Microsoft Azure
  • BitLocker recovery in Microsoft environments using SCCM
  • BitLocker recovery in Microsoft environments using Active Directory and GPOs
  • BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager

Additionally, you can leverage Trellix Endpoint Forensics to search for and verify the location of defective or malicious files. Trellix Forensics provides an enterprise search capability by file hash and verifies that the CrowdStrike .sys files are in the proper “C:\WINDOWS\SYSTEM32\DRIVERS\CROWDSTRIKE\” directory.
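The check described above (are the driver files where they should be, and do their hashes match a known-good baseline?) can also be scripted locally. The example below is added here and is not Trellix or CrowdStrike code; the baseline hashes are assumed to come from a trusted source, and the directory is taken as a parameter so the same check can run against a forensic copy of the driver folder.

```python
import hashlib
from pathlib import Path

# Driver directory named in the article. Passed as a parameter below so the
# check can run against a collected copy as well as a live host.
EXPECTED_DIR = r"C:\WINDOWS\SYSTEM32\DRIVERS\CROWDSTRIKE"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (driver files can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_driver_files(driver_dir, baseline):
    """Compare every *.sys in driver_dir with baseline {filename: sha256}.

    Returns lists: 'ok' (hash matches), 'mismatch' (hash differs),
    'unexpected' (file not in baseline), 'missing' (baseline file absent).
    """
    driver_dir = Path(driver_dir)
    result = {"ok": [], "mismatch": [], "unexpected": [], "missing": []}
    seen = set()
    for p in sorted(driver_dir.glob("*.sys")):
        seen.add(p.name)
        if p.name not in baseline:
            result["unexpected"].append(p.name)
        elif baseline[p.name].lower() != sha256_file(p):
            result["mismatch"].append(p.name)
        else:
            result["ok"].append(p.name)
    result["missing"] = sorted(set(baseline) - seen)
    return result


def find_stray_copies(search_root, names, expected_dir=EXPECTED_DIR):
    """Locate files with a known driver name that sit outside expected_dir.

    Useful when hunting for misplaced or planted copies of the .sys files.
    """
    expected_dir = Path(expected_dir).resolve()
    wanted = {n.lower() for n in names}
    strays = []
    for p in Path(search_root).rglob("*.sys"):
        if p.name.lower() in wanted and p.resolve().parent != expected_dir:
            strays.append(p)
    return sorted(strays)
```

A non-empty 'mismatch' or 'unexpected' list is what should be escalated, since a hash that differs from the vendor baseline is exactly the condition a content-update defect or a tampered driver would produce.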

If you are a Trellix customer, please refer to the Trellix Thrive support portal for more info. If you are not a Trellix customer, Trellix Support is available to assist all impacted companies. Refer to our Customer Support information for contact information by country.

NEW! Threat and Protections Update – Day 7 – July 25, 2024

Note that all indicators of compromise (IoCs) present in the update can be found within Trellix Insights.


Gift Card Fraud

Since the news broke that CrowdStrike offered apology gift cards to those who are helping out impacted people, actors have been impersonating CrowdStrike, most likely to scam victims out of gift cards and/or personal information. Domains containing the keywords “CrowdStrike” and “gift card” have been registered. This shows, once again, that actors are quick to jump on events and adapt their attack plan accordingly. TechCrunch posted on X about the gift cards, and not long afterwards the first domains combining CrowdStrike and gift cards appeared online.


Infostealers Mainly Found in Adapted Campaigns

Since the start of the outage, CrowdStrike-themed malware has surfaced. In the past week, information stealers have been the main payloads. Below, the observed stealers are listed in order of discovery by the security community, each with a brief summary.

  • RemcosRAT (July 19, 2024)
      - Distributed as “CrowdStrike-hotfix.zip”, which contains HijackLoader, which in turn loads RemcosRAT
      - The Spanish-language notes within the ZIP archive potentially indicate a target demographic of Spanish-speaking victims in Latin America

  • Daolpu (July 22, 2024)
      - A macro within a Word document named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm” was sent to victims. Once executed, the malware collects credentials such as login data and cookies stored in Chrome, Edge, and Mozilla browsers
      - Daolpu stealer also targets Cốc Cốc, a web browser primarily used in Vietnam, possibly indicating the malware’s origin
      - The name is “Upload” in reverse

  • Connecio (July 23, 2024)
      - Connecio Stealer is a Python-based information stealer delivered via a malicious ZIP file
      - The ZIP file uses the filename “CrowdStrike Falcon.zip” in an attempt to masquerade as a Falcon update. The file “CrowdStrike Falcon.exe” within the ZIP is a self-extracting RAR that contains and executes a Python-compiled executable containing the Connecio infostealer

  • Lumma (July 23, 2024)
      - Lumma Stealer was observed in a phishing campaign impersonating CrowdStrike
      - The domain “crowdstrike-office365[.]com” (registered on July 23, 2024) was used to deliver malicious ZIP and RAR files containing a Microsoft Installer (MSI), which ultimately executes Lumma Stealer (packed with CypherIt)
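The gift-card domains and the Lumma delivery domain above share one pattern: a registered name that contains the vendor's brand but is not the vendor's own domain, combined with a lure word tied to the outage. The example below is added here (not Trellix code) and shows a simple screen for newly-registered-domain feed lines; the feed lines and lure-word list are constructed, and registrable-domain extraction is a naive last-two-labels approximation rather than a public-suffix lookup.

```python
import re

# The vendor's real domain; anything whose registrable domain is not this
# but still carries the brand string is a lookalike worth reviewing.
LEGITIMATE = {"crowdstrike.com"}

# Lure words drawn from the campaigns described above plus generic
# "help with the outage" terms (constructed list; extend as needed).
LURE_WORDS = ("giftcard", "gift", "hotfix", "recovery", "update",
              "office365", "falcon", "support")

# Constructed feed: one real indicator from the article (defanged) and
# several made-up entries on reserved TLDs to exercise the edge cases.
SAMPLE_FEED = [
    "hxxps://CrowdStrike-Office365[.]com/download",
    "crowdstrike-gift-card.example",
    "www.crowdstrike.com/blog",          # legitimate, must not be flagged
    "hotfix-crowdstrike.test",
    "unrelated-update.example",          # no brand string, ignored
    "crowdstrike.com.evil.invalid",      # brand as a subdomain of another site
]


def normalize(entry: str) -> str:
    """Lowercase, undo common defanging, strip scheme, path and port."""
    d = entry.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^(hxxps?|https?)://", "", d)
    return d.split("/")[0].split(":")[0]


def registrable(domain: str) -> str:
    """Naive registrable domain (last two labels); a real tool would use
    the public suffix list."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def flag_lure_domains(lines):
    """Return [(domain, [matched lure words])] for brand-bearing lookalikes."""
    hits = []
    for line in lines:
        d = normalize(line)
        if not d or registrable(d) in LEGITIMATE:
            continue
        # Collapse separators so gift-card, gift_card and giftcard all match.
        flat = re.sub(r"[^a-z0-9]", "", d)
        if "crowdstrike" not in flat:
            continue
        hits.append((d, [w for w in LURE_WORDS if w in flat]))
    return hits
```

An entry with the brand string but an empty lure-word list (the subdomain case) is still returned, because the missing keyword does not make it any less of a lookalike.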


CrowdStrike Threat Actor Information Allegedly Leaked and Offered in the Underground

A well-known underground threat actor, USDoD, published a post on Breachforums offering the entire CrowdStrike threat actor library. USDoD provided a preview of the data, which Trellix ARC reviewed for authenticity. We can confirm that the data is structured as a threat actor library, including industry synonyms, activities, and countries of origin. The reviewed snippet did not contain any sensitive or customer data. USDoD also claimed to have additional data on indicators of compromise (IoC) and databases from an oil company and a pharmaceutical company. However, Trellix was unable to verify the authenticity of the IoCs or the databases.


___


Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.
