Hackers Spread Malicious Recovery Files and Certificates
Friday’s global computer outage caused by an update gone wrong from cybersecurity firm CrowdStrike continues to bring out hucksters seeking to capitalize on the incident.
Self-proclaimed hacktivist group USDoD appears to be the latest to mount a claim, posting Wednesday on a criminal forum a spreadsheet it described as CrowdStrike's “entire threat actor list” and promising to later publish “their entire IOC list,” referring to indicators of compromise.
The Texas company sounded a dismissive note Thursday, saying that “the threat intel data noted in this report is available to tens of thousands of customers, partners and prospects – and hundreds of thousands of users.”
The spreadsheet of threat actors is time-stamped June, the company said. That is weeks before CrowdStrike pushed out a buggy update to its flagship anti-malware platform, triggering an incident that has caused an estimated $5.4 billion in direct losses (see: CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard).
USDoD has made exaggerated claims in the past. Malware researchers at vx-underground also reviewed the leaked data after finding it publicly available.
Hackers began milking the incident almost immediately. In one campaign, they used a domain name resembling that of CrowdStrike to spread the Lumma info stealer. “The threat actor also leveraged advanced social engineering techniques, such as using spam floods and voice phishing (vishing), to deliver malicious binaries,” CrowdStrike said.
The company uncovered a phishing campaign that disguised a previously unseen malware variant called “Daolpu” as a CrowdStrike recovery file. In another campaign, hackers targeted Latin America-based CrowdStrike customers with a malicious zip archive named crowdstrike-hotfix.zip that delivered a HijackLoader payload carrying the RemCos remote access trojan, the company said last week.
CrowdStrike this week reiterated that its customers should only use official channels to communicate with the company for any system restoration work. It also urged customers to verify that any recovery tool they download is signed with a legitimate CrowdStrike certificate before running it.
On Monday, James Spiteri, principal product marketing manager at security firm Elastic, said that at least 141 certificates had been issued for bogus domains impersonating CrowdStrike.
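The lookalike domain behind the Lumma campaign and the certificates issued for bogus CrowdStrike domains are the kind of artifact a defender can hunt for in certificate transparency exports or DNS logs. The Python script below is an added example written for this page, not code from CrowdStrike, Elastic or the article: it normalizes each certificate name, then flags the brand keyword in the registrable domain, tokens within a small edit distance of the brand, and the brand used as a subdomain of an unrelated domain. The certificate records are constructed, the allowlist of legitimate hosts and the edit-distance threshold are assumptions, and the two-label registrable-domain rule stands in for a proper public suffix list.

```python
"""Flag lookalike CrowdStrike domains in certificate-transparency style records.

Added example for this page, not code from CrowdStrike, Elastic or the article.
The records, the allowlist and the scoring thresholds are assumptions.
"""
import unicodedata
from typing import Optional

BRAND = "crowdstrike"
# Assumption: the real apex domain; extend with any other known-good domains you trust.
LEGIT_APEX = "crowdstrike.com"
MAX_EDIT_DISTANCE = 2  # assumption: 1-2 edits catch dropped/swapped letters without many false positives

# Digit-for-letter substitutions common in typosquats (assumption, not an exhaustive confusables table).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_label(label: str) -> str:
    """Fold a DNS label so that simple visual tricks compare equal to the plain brand."""
    # NFKC folds fullwidth and other compatibility forms; it does not decode punycode (xn--),
    # so IDN homoglyph attacks need a separate confusables table.
    return unicodedata.normalize("NFKC", label).lower().translate(DIGIT_TO_LETTER)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(common_name: str) -> Optional[str]:
    """Return a reason string if the certificate name looks like brand impersonation, else None."""
    host = common_name.lower().rstrip(".")
    if host.startswith("*."):          # wildcard certificate: judge the base name
        host = host[2:]
    if host == LEGIT_APEX or host.endswith("." + LEGIT_APEX):
        return None                    # the real domain and its subdomains
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Assumption: the registrable domain is the last two labels. Real deployments should use a
    # public suffix list so names under co.uk, com.br and similar are split correctly.
    sld, subdomain_labels = labels[-2], labels[:-2]
    tokens = [normalize_label(t) for t in sld.split("-") if t]
    for tok in tokens:
        if BRAND in tok:
            return f"brand keyword in registrable domain ({sld})"
    for tok in tokens:
        dist = levenshtein(tok, BRAND)
        if dist <= MAX_EDIT_DISTANCE:
            return f"token '{tok}' within edit distance {dist} of brand"
    for lab in subdomain_labels:
        if BRAND in normalize_label(lab):
            return "brand used as subdomain of unrelated domain"
    return None


def triage(records: list) -> list:
    """Keep only the records that look like impersonation, annotated with the reason."""
    hits = []
    for rec in records:
        reason = classify(rec["common_name"])
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


# Constructed sample records in the shape of a certificate-transparency export; these are not
# the real lookalike domains from the campaigns described in the article.
SAMPLE_CT_RECORDS = [
    {"common_name": "crowdstrike.com", "not_before": "2024-07-20"},
    {"common_name": "*.falcon.crowdstrike.com", "not_before": "2024-07-20"},
    {"common_name": "crowdstrike-hotfix.com", "not_before": "2024-07-20"},
    {"common_name": "cr0wdstrike-support.org", "not_before": "2024-07-21"},
    {"common_name": "crowdstike.com", "not_before": "2024-07-21"},
    {"common_name": "crowdstrike.com.update-portal.net", "not_before": "2024-07-22"},
    {"common_name": "example-bank.com", "not_before": "2024-07-22"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CT_RECORDS):
        print(f"{hit['not_before']}  {hit['common_name']:<40} {hit['reason']}")
```

Run against a real export, the script flags four of the seven constructed names and leaves the genuine apex, its wildcard subdomain and an unrelated bank alone. The edit-distance rule is the noisy one: keep the threshold low and review hits by hand, and add a confusables table before trusting it on internationalized (xn--) names.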
With most of the affected services back online, experts say the incident is a reminder for organizations to prioritize robust business continuity plans.