A routine software update by CrowdStrike on July 19, 2024, unintentionally stirred a major disruption across various infrastructures and organizations. The update triggered the notorious Blue Screen of Death (BSOD), rendering many systems unusable. While initially not deemed a cybersecurity incident, the situation underscores the fragility of digital security and the potential for such disruptions to become serious security threats.
Initial Fallout of BSOD
Problems arose soon after users installed CrowdStrike’s latest update. System crashes and the feared BSOD became widespread, leading to significant operational disruptions. Even though it wasn’t a direct cybersecurity breach, keeping systems operational is vital for security.
CrowdStrike’s CEO, George Kurtz, emphasized that the incident wasn’t a cyberattack. However, he acknowledged the severity of the disruption and assured customers a fix was underway. His statement highlighted the importance of robust incident response measures even in non-malicious disruption scenarios.
How Are Cybercriminals Trying to Exploit BSOD
The disruption caused by CrowdStrike has unfortunately created openings for opportunistic threat actors. Cybercriminals have been quick to capitalize on the situation through social engineering attacks. They’ve set up scam domains and phishing pages disguised as solutions to the BSOD issue. For instance, one malicious domain redirected users to payment pages requesting cryptocurrencies like Bitcoin and Ethereum under the pretense of offering a fix.
Another domain has surfaced, claiming to offer support services to companies affected by the issue. Caution is advised as these claims are potentially misleading and could pose additional security risks.
What Are the Indicators of Compromise (IoCs)?
Be on the lookout for indicators of compromise (IoCs) that might signal malicious activity. Here’s a list of suspicious domains that threat actors might use:
- hxxp://crowdstrikestore[.]com[.]br/
- hxxp://crowdstrike-bsod[.]com/
- hxxp://crowdstrike[.]buzz/
- hxxp://crowdstrike[.]life/
- hxxp://crowdstrike[.]live/
- hxxp://crowdstrike[.]site/
- hxxp://crowdstrike[.]technology/
- hxxp://crowdstrike[.]us[.]org/
- hxxp://crowdstrike0day[.]com/
- hxxp://crowdstrikebluescreen[.]com/
- hxxp://crowdstrikebsod[.]com/
- hxxp://crowdstrikeconnectingevents[.]com/
- hxxp://crowdstrikeconnects[.]com/
- hxxp://crowdstrikedoomsday[.]com/
- hxxp://crowdstrikedown[.]site/
- hxxp://crowdstrikeevents[.]com/
- hxxp://crowdstrikeeventshub[.]com/
- hxxp://crowdstrikeeventsplatform[.]com/
- hxxp://crowdstrikeeventsplus[.]com/
- hxxp://crowdstrikefix[.]com/
- hxxp://crowdstrikeoptimizer[.]com/
- hxxp://crowdstrikeredbird[.]com/
- hxxp://crowdstrikestore[.]com[.]br/
- hxxp://crowdstriketoken[.]com/
- hxxp://crowdstrikewhisper[.]com/
- hxxp://crowdstrikexdr[.]in/
- hxxp://fix-crowdstrike-apocalypse[.]com/
- hxxp://fix-crowdstrike-bsod[.]com/
- hxxp://microsoftcrowdstrike[.]com/
- hxxp://okta-crowdstrike[.]com/
- hxxp://crowdstrike[.]us[.]org/
- hxxp://whatiscrowdstrike[.]com
- www[.]crowdstrike-falcon[.]online
- www[.]crowdstrike-helpdesk[.]com
- crowdstrikereport[.]com
- crowdstrikefix[.]zip
- crowdstrike[.]mightywind[.]com
- crowdstrikeclaim[.]com
- crowdstrikeoutage[.]com
- www[.]crowdstrikeoutage[.]com
- crowdstrikeupdate[.]com
- crowdstrikerecovery1[.]blob[.]core[.]windows[.]net
- crowdstrike[.]woccpa[.]com
- crowdstrike[.]es
- www[.]crowdstrokeme[.]me
- 1512178658959801095[.]crowdstriek[.]com
- www[.]crowdstrikeclaim[.]com
- lab-crowdstrike-manage[.]stashaway[.]co
- crowdstrokeme[.]me
- crowdstrike-bsod[.]com
- crowdstrike0day[.]com
- crowdstrikebluescreen[.]com
- crowdstrikedoomsday[.]com
- crowdstrikedown[.]site
- crowdstrikefix[.]com
- crowdstriketoken[.]com
- crowdstuck[.]org
- fix-crowdstrike-apocalypse[.]com
- fix-crowdstrike-bsod[.]com
- microsoftcrowdstrike[.]com
- whatiscrowdstrike[.]com
- crowdfalcon-immed-update[.]com
- crowdstrikebsod[.]com
- crowdstrikeoutage[.]info
Falcon Sensor Issue Used to Target CrowdStrike Customers
CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support teams have provided. The following CrowdStrike Falcon LogScale query hunts for domains provided above.
CISA Warns Organizations to Remain Vigilant of Malicious Actors
Meanwhile, US cybersecurity agency CISA has warned that hackers are trying to take advantage of Microsoft outage.
“CISA is aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts,” it said in a statement.
“Threat actors continue to use the widespread IT outage for phishing and other malicious activity. CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity,” CISA added.
This incident serves as a stark reminder of our dependence on technology and the potential consequences of software malfunctions. The global scale of the outage caused significant disruptions to businesses, governments, and individuals alike. While CrowdStrike is working on a fix, it’s crucial for organizations to stay vigilant and implement robust cybersecurity measures to protect themselves from future threats.
