Hackers are taking advantage of the latest CrowdStrike issue, which occurred last week, by deploying fake updates and compromising targeted businesses. According to reports, the threat actors developed a fake bug fix for the issue to deploy data-wiping malware.
Researchers have noticed a significant spike in phishing emails themed around fixes for the outage.
Meanwhile, CrowdStrike announced earlier this week that it is actively assisting customers affected by the recent content update that crashed millions of Windows hosts globally. The company urges customers to make sure they engage with official representatives through verified channels, since threat actors commonly exploit events like this to carry out fraud.
A phoney CrowdStrike hotfix delivers the Remcos RAT.
One of the first phishing attempts to exploit the issue targeted BBVA bank clients. Investigations revealed that the attack used fake CrowdStrike Hotfix updates to deploy the Remcos RAT.
In addition, the researchers stated that the threat actors distributed the fake patch through a malicious website that posed as a BBVA Intranet portal. The malicious package contains instructions for employees and partners to install the update to avoid issues when connecting to the company’s internal network.
The instructions also demand a mandatory update described in the ‘instrucciones.txt’ file, supposedly to avoid connection and synchronisation difficulties with the company’s internal network.
In a similar incident, a separate threat group spread a data wiper under the guise of delivering a software update. The operation wipes the system by overwriting files with zero bytes and then reports the result via Telegram.
The Iranian hacktivist group claimed responsibility for the attack after stating on Twitter that they impersonated the affected company in emails to Israeli organisations to distribute the data wiper. The threat actors impersonated CrowdStrike by sending emails from the domain “crowdstrike.com.vc,” informing clients that a program had been developed to bring Windows systems back online.
The zip file contains the program Crowdstrike.exe; once a target runs the bogus CrowdStrike update, it extracts the data wiper to the %Temp% folder and starts erasing any data stored on the device.
Organisations and users should avoid clicking on unsolicited emails with subjects such as CrowdStrike updates, especially when the sender is not verified, to avoid falling for phishing scams that deliver malware.
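As an added illustration of the defensive check the report implies (not code from the article or from CrowdStrike), the following mail triage flags senders whose domain merely contains the brand name rather than being the real domain, and messages that combine outage-themed subjects with archive or executable attachments. The sample messages, the legitimate domain, and the attachment rules are constructed assumptions for the example.

```python
import re
from email.utils import parseaddr

# The report names "crowdstrike.com.vc" as the impersonating sender domain;
# treating "crowdstrike.com" as the only legitimate domain is an assumption.
LEGIT_DOMAIN = "crowdstrike.com"
BRAND = "crowdstrike"
# Hypothetical attachment extensions worth flagging in this campaign
SUSPECT_EXT = (".zip", ".exe")

def sender_domain(from_header: str) -> str:
    """Return the lowercase domain part of an RFC 5322 From header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify_domain(domain: str) -> str:
    """'legit' for the brand's own domain or a subdomain of it, 'lookalike'
    when the brand name appears anywhere else in the domain, else 'other'."""
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "legit"
    if BRAND in domain:
        return "lookalike"
    return "other"

def triage(messages):
    """Flag lookalike senders, and outage-themed mail carrying risky attachments."""
    flagged = []
    for m in messages:
        domain = sender_domain(m["from"])
        verdict = classify_domain(domain)
        topical = re.search(r"crowdstrike|hotfix|bsod|windows", m["subject"], re.I)
        risky = [a for a in m.get("attachments", []) if a.lower().endswith(SUSPECT_EXT)]
        if verdict == "lookalike" or (topical and risky):
            flagged.append((m["id"], domain, verdict, risky))
    return flagged

# Constructed sample messages (not real mail); message 1 uses the sender
# domain named in the report, the others are invented for contrast.
SAMPLE = [
    {"id": 1, "from": "CrowdStrike Support <support@crowdstrike.com.vc>",
     "subject": "CrowdStrike hotfix to restore Windows", "attachments": ["crowdstrike-hotfix.zip"]},
    {"id": 2, "from": "Ops <ops@crowdstrike.com>",
     "subject": "Remediation guidance", "attachments": ["guidance.pdf"]},
    {"id": 3, "from": "IT <it@example.org>",
     "subject": "Hotfix for the BSOD", "attachments": ["update.zip"]},
    {"id": 4, "from": "HR <hr@example.org>", "subject": "Team lunch", "attachments": []},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```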