CrowdStrike has warned of a new phishing campaign targeting its German customers. The campaign, run by an as-yet-unidentified threat actor, trades on the recent faulty Falcon Sensor update that crashed roughly 8.5 million Windows devices worldwide.
Discovery of the Phishing Campaign
On July 24, 2024, CrowdStrike identified a spear-phishing attempt that distributed a fake CrowdStrike Crash Reporter installer from a website impersonating a legitimate German entity. The site was created on July 20, a day after the Falcon Sensor update problem emerged, which shows how quickly the actor moved to exploit the incident.
Technical Details of the Phishing Attack
According to CrowdStrike’s Counter Adversary Operations team, the phishing site uses a JavaScript (JS) file disguised as jQuery v3.7.1 to download and deobfuscate the installer. The installer carries CrowdStrike branding, is localized for German users, and demands a password before it will proceed, which keeps automated sandboxes and casual inspection from reaching its contents.
The phishing page serves a ZIP archive containing a malicious Inno Setup installer, which in turn delivers its payload through a JavaScript file named “jquery-3.7.1.min.js.” Borrowing the filename of a ubiquitous library is meant to make the file look like an ordinary web asset and lower the chance that analysts or security tooling scrutinize it.
When run, the installer prompts for a “Backend-Server” value before it continues. CrowdStrike has not yet been able to recover the final payload, so what the installer ultimately drops is still unknown. The password-protected installer and the German-language lure point to a targeted operation aimed at German-speaking customers rather than a broad spray.
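A practical check that follows from the delivery chain above: a file that borrows a well-known library's name should only be trusted if its bytes match a known build, and anything else using that name deserves a closer look. The script below is an added example, not CrowdStrike's tooling. Its heuristics (ActiveXObject, WScript.Shell, long base64 runs) are generic dropper traits, not indicators from this campaign, and every sample it scans is a constructed stand-in, not a file from the phishing site.

```python
"""Flag script files that borrow a well-known library's filename.

Added example, not CrowdStrike's tooling. A file named like jQuery is trusted
only if its SHA-256 matches an allowlisted build; anything else carrying that
name is inspected for traits a real jQuery build never has. The samples below
are constructed stand-ins, not files from the campaign.
"""
import hashlib
import io
import re
import zipfile

# Filenames that claim to be jQuery (jquery.js, jquery.min.js, jquery-3.7.1.min.js, ...).
JQUERY_NAME = re.compile(r"^jquery(?:-\d+\.\d+\.\d+)?(?:\.min)?\.js$", re.IGNORECASE)
# Banner at the top of the official minified jQuery 3.7.1 build.
JQUERY_371_BANNER = ("/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors "
                     "| jquery.org/license */")

# Generic traits of script droppers that an official jQuery 3.x build does not contain.
# Illustrative heuristics, not indicators taken from the campaign.
SUSPICIOUS = [
    re.compile(r"\bActiveXObject\b"),               # WSH/IE-only object, gone from jQuery 3.x
    re.compile(r"WScript\.Shell"),                  # spawning processes from script
    re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),       # long base64 run: embedded payload
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_script(name: str, data: bytes, allowlist: set) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one script file."""
    if not JQUERY_NAME.match(name.rsplit("/", 1)[-1]):
        return "unknown"            # does not claim to be jQuery; out of scope here
    if sha256_hex(data) in allowlist:
        return "trusted"            # byte-identical to a known-good build
    text = data.decode("utf-8", errors="replace")
    if not text.startswith("/*! jQuery v"):
        return "lookalike"          # the name says jQuery, the bytes do not
    if any(p.search(text) for p in SUSPICIOUS):
        return "lookalike"          # right banner, wrong contents
    return "unknown"                # plausible but unverified: hold for manual review


def scan_zip(zip_bytes: bytes, allowlist: set) -> dict:
    """Classify every member of an archive. Executables are reported as such because
    an installer shipped next to a 'jQuery' file is itself worth a look."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if lower.endswith(".js"):
                verdicts[info.filename] = classify_script(info.filename, zf.read(info), allowlist)
            elif lower.endswith((".exe", ".msi")):
                verdicts[info.filename] = "executable"
            else:
                verdicts[info.filename] = "other"
    return verdicts


# --- Constructed samples ------------------------------------------------------
# Stand-in for a genuine build. In practice the allowlist holds the SHA-256 of the
# jQuery build you actually deploy (e.g. the hash behind the CDN's SRI value).
GENUINE_STANDIN = (JQUERY_371_BANNER + "\n!function(e,t){e.jQuery=e.$={}}(window);\n").encode()
ALLOWLIST = {sha256_hex(GENUINE_STANDIN)}

# Stand-in for a dropper hiding behind the jQuery name: same banner, then a
# process launcher and a 240-character base64 blob standing in for a payload.
LOOKALIKE = (
    JQUERY_371_BANNER + "\n"
    "var s=new ActiveXObject('WScript.Shell');"
    "var b='" + "QUJD" * 60 + "';"
    "s.Run('cmd /c echo stand-in');"
).encode()


def build_sample_archive() -> bytes:
    """A constructed ZIP shaped like the one described: a script named as jQuery beside an installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CrowdStrike Crash Reporter/jquery-3.7.1.min.js", LOOKALIKE)
        zf.writestr("CrowdStrike Crash Reporter/setup.exe", b"MZ stand-in, not a real PE")
        zf.writestr("CrowdStrike Crash Reporter/readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample_archive(), ALLOWLIST).items():
        print(f"{verdict:10s} {member}")
```

The hash allowlist does the real work; the regex heuristics only decide how loudly to complain about a file that already failed the hash check. A file with the right banner, no suspicious traits and an unknown hash is deliberately left as "unknown" rather than trusted, since a dropper can copy the banner for free.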
Operational Security and Anti-Forensic Techniques
Analysis shows that the actor has a working grasp of operational security (OPSEC). The phishing host is a subdomain of it[.]com, a domain that offers subdomains for registration, so registration records and historical WHOIS data point to the parent domain rather than to the actor. Encrypting the installer contents and gating installation behind a password likewise hinder further analysis and attribution.
Related Phishing Campaigns
This new phishing scam is part of a broader wave of attacks exploiting the recent update issue. CrowdStrike has identified several related phishing domains and malicious files:
Crowdstrike-office365[.]com: This domain hosts rogue archive files containing a Microsoft Installer (MSI) loader, which ultimately executes a commodity information stealer called Lumma.
CrowdStrike Falcon.zip: This ZIP file contains a Python-based information stealer named Connecio. Connecio collects system information, external IP addresses, and data from various web browsers, exfiltrating the information to SMTP accounts listed on a Pastebin dead-drop URL.
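The Connecio behaviour just described, fetching a list of exfiltration mailboxes from a Pastebin dead drop and then delivering over SMTP, is easy to spot on the network if the two events are correlated per host. The script below is an added example of that correlation, not tooling from CrowdStrike or anyone else named in this article. Its log format, IP addresses (TEST-NET ranges), hostnames and the `mail.corp.example` relay are all constructed.

```python
"""Correlate a dead-drop fetch with later outbound SMTP from the same host.

Added example, not CrowdStrike's or Bitsight's tooling. It encodes the behaviour the
article attributes to Connecio: resolve exfil mailboxes from a Pastebin URL, then
deliver over SMTP. A workstation that fetches pastebin.com and shortly afterwards
opens a connection to an SMTP port is a far stronger signal than either event alone.
The log format and all addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<iso-timestamp> <src> <http|tcp> <dst> <port> [url]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>http|tcp) (?P<dst>\S+) (?P<port>\d+)(?: (?P<url>\S+))?$"
)
DEAD_DROP_HOSTS = {"pastebin.com", "raw.pastebin.com"}   # extend with other paste/dead-drop sites
SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=10)        # how long after the fetch SMTP still counts as related


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["port"] = int(ev["port"])
        yield ev


def find_dead_drop_then_smtp(lines, approved_mail_servers=frozenset()):
    """Return (src, fetch_time, smtp_time, smtp_dst) tuples for hosts that fetched a
    dead-drop site and then spoke SMTP to a non-approved server within WINDOW."""
    fetches = defaultdict(list)
    smtp = defaultdict(list)
    for ev in parse(lines):
        if ev["proto"] == "http" and ev["dst"] in DEAD_DROP_HOSTS:
            fetches[ev["src"]].append(ev["ts"])
        elif ev["port"] in SMTP_PORTS and ev["dst"] not in approved_mail_servers:
            smtp[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = []
    for src, fetch_times in fetches.items():
        for t_fetch in fetch_times:
            for t_smtp, dst in smtp.get(src, []):
                if timedelta(0) <= t_smtp - t_fetch <= WINDOW:
                    hits.append((src, t_fetch, t_smtp, dst))
    return hits


# Constructed sample log. 10.0.5.23 shows the full pattern; 10.0.5.40 fetched Pastebin
# but its SMTP is 43 minutes later; 10.0.5.77 only talks to the approved relay;
# 10.0.5.88 fetched Pastebin and did nothing else.
SAMPLE_LOG = [
    "2024-07-24T10:02:11 10.0.5.23 http pastebin.com 443 https://pastebin.com/raw/constructed",
    "2024-07-24T10:02:40 10.0.5.23 tcp 203.0.113.7 587",
    "2024-07-24T10:03:05 10.0.5.23 tcp 203.0.113.7 587",
    "2024-07-24T09:15:00 10.0.5.40 http pastebin.com 443 https://pastebin.com/raw/constructed",
    "2024-07-24T09:58:00 10.0.5.40 tcp 203.0.113.9 25",
    "2024-07-24T11:00:00 10.0.5.77 tcp mail.corp.example 587",
    "2024-07-24T11:30:00 10.0.5.88 http pastebin.com 443 https://pastebin.com/raw/other",
    "this line is not in the expected format and is ignored",
]
APPROVED_RELAYS = frozenset({"mail.corp.example"})

if __name__ == "__main__":
    for src, t_fetch, t_smtp, dst in find_dead_drop_then_smtp(SAMPLE_LOG, APPROVED_RELAYS):
        print(f"{src}: dead-drop fetch at {t_fetch:%H:%M:%S}, SMTP to {dst} at {t_smtp:%H:%M:%S}")
```

Two design points carry over to a real deployment: the approved-relay set is what keeps ordinary mail clients out of the results, and the correlation window should be short, because a stealer resolves its drop and exfiltrates in one run rather than hours apart. The same structure works for the Lumma case if the dead-drop set is replaced with whatever staging hosts the MSI loader contacts.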
Response and Apology
In response to the global IT outage caused by the botched update, CrowdStrike’s CEO George Kurtz announced that 97% of the affected Windows devices are now operational. Kurtz expressed deep regret for the disruption caused by the outage and personally apologized to those impacted.
“At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted,” Kurtz stated. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”
Shawn Henry, the company’s chief security officer, also issued an apology, acknowledging the failure to protect users. “The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Henry said. “We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures.”
Further Analysis by Bitsight
Bitsight, another cybersecurity firm, has conducted an analysis of traffic patterns associated with CrowdStrike machines globally. Their findings revealed two notable data points:
Traffic Spike on July 16: Around 22:00 on July 16, there was a significant spike in traffic, followed by a sharp drop in egress traffic from organizations to CrowdStrike.
Decrease in Unique IPs and Organizations: Between July 19 and July 20, there was a 15-20% decrease in the number of unique IPs and organizations connected to Falcon servers.
Security researcher Pedro Umbelino noted, “While we cannot infer the root cause of the change in traffic patterns on the 16th, it does warrant the foundational question of ‘Is there any correlation between the observations on the 16th and the outage on the 19th?’”
Conclusion
This phishing campaign against German customers shows how quickly adversaries repurpose a widely publicized incident as a lure. Swift detection and response remain the best mitigation, and the investigation continues as the wider security community works to uncover and disrupt related activity.