Updated 2024-07-26 1830 UTC
On July 19, 2024, an issue present in a single content update for the CrowdStrike Falcon® sensor impacting Windows operating systems was identified, and a fix was deployed.1
CrowdStrike Intelligence has monitored for malicious activity leveraging the event as a lure theme and received reports that threat actors are conducting the following activity:
- Sending phishing emails posing as CrowdStrike support to customers
- Impersonating CrowdStrike staff in phone calls
- Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
- Selling scripts purporting to automate recovery from the content update issue
Figure 1 provides a list of domains identified on July 19, 2024, that impersonate CrowdStrike’s brand. Some domains in this list are not currently serving malicious content or could be intended to amplify negative sentiment. However, these sites may support future social-engineering operations.
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com
Figure 1. Identified malicious domains
CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support teams have provided.2
The following CrowdStrike Falcon® LogScale query hunts for domains provided in Figure 1.
// Potentially malicious domains impersonating CrowdStrike (CSA-240832)
// hunting rule for indicators (CSA-240832)
in("DomainName", values=["crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com"]) | table([cid, aid, #event_simpleName, ComputerName])
Figure 2. Falcon LogScale Query
Additional Resources
- For more information, this blog post is being updated regularly: Statement on Falcon Content Update for Windows Hosts.
- Read this message from George Kurtz, CrowdStrike Founder and CEO: To Our Customers and Partners.
- For technical information, see this blog post: Technical Details: Falcon Content Update for Windows Hosts.
- Read another blog post from CrowdStrike Intelligence regarding the Falcon content issue: Likely eCrime Actor Uses Filenames Capitalizing on July 19, 2024, Falcon Sensor Content Issues in Operation Targeting LATAM-Based CrowdStrike Customers.