The malicious activity is being observed as CrowdStrike customers continue to recover from the July 18 outage.
Cybercriminals and hacktivists are taking advantage of the situation with newly registered domains, malware attached to files with CrowdStrike-themed names, and at least one apparent instance of a data wiper, five days after a faulty update to CrowdStrike’s Falcon security software hampered millions of Windows computers worldwide.
Two examples of the criminal activity likely connected to the incident are a Word document containing the Daolpu information stealer and a zip file containing the HijackLoader malware, which is typically used to deliver other malware packages, including a Python-based information stealer known as “Connecio.”
According to sandbox company ANY.RUN, one of the most “sophisticated” outage-related attacks thus far was a phishing email with a PDF claiming to explain how to fix last week’s Falcon issue; the email also delivered a zip file containing wiper malware.
“Handala Hack,” a pro-Palestinian hacktivist persona known for attacking Israeli targets, claimed responsibility for the wiper attack mentioned by ANY.RUN. In a June 21 Telegram post, they asserted — without providing evidence — that they had targeted “thousands of Zionist organizations!”
Tom Hegel, head threat researcher with SentinelLabs, told CyberScoop that Handala is known for its “broad targeting scope,” has recently executed wiper attacks on both Windows and Linux systems, and has engaged in hack-and-leak operations.
Hegel stated, “While the group presents itself as a hacktivist entity, there remains speculation about possible Iranian backing as we have frequently observed active in the Middle East since last year.” Although the full scope of these CrowdStrike-themed intrusions is unknown, the attacker has publicly claimed dozens of victims.
CrowdStrike had not responded on Tuesday to a request for clarification regarding the threats taking advantage of the situation. George Kurtz, the founder and CEO of CrowdStrike, advised customers to “ensure that you’re engaging with official CrowdStrike representatives” in an update on July 19. He stated that the company was aware that “adversaries and bad actors will try to exploit events like this.”
Over 2,000 CrowdStrike-related domains have been registered in the last seven days, according to Jose Enrique Hernandez, threat research director at Splunk, in a post on X on Tuesday. Hernandez wrote that an analysis of the top 25 shows that “most of them are looking pretty funky.”
James Spiteri, a director of product management with Elastic, wrote in a LinkedIn post Sunday that he had reported in excess of 141 endorsements produced for what look “like (for the most part) bogus [CrowdStrike] domains. I hope this list helps people keep an eye out for phishing emails.” By Tuesday afternoon, 193 names had been added to the list.
The malicious activity occurs as CrowdStrike users continue to recover from the outage, which Microsoft estimates disabled at least 8.5 million Windows devices. The Transportation Department, for instance, is looking into Delta Air Lines because the outage forced it to cancel thousands of flights.
CyberScoop was informed on Tuesday by a spokesperson for the Cybersecurity and Infrastructure Security Agency that the organization was “working closely with our government and industry partners to continue to mitigate the impact of the global IT outage.”
The representative did not answer inquiries concerning malicious activity, criminal or otherwise, connected with the outage and targeting federal networks, although the incident caused technical issues at multiple federal agencies, FedScoop reported Friday.
In line with statements made by cybersecurity officials in Australia, Canada, and the United Kingdom, CISA had previously stated that it was aware of malicious activity associated with the event.