
Attackers Use CrowdStrike Incident as a Lure as Recovery Efforts Continue


Phishing campaigns are using the CrowdStrike outage as a lure, while the company's analysis shows the outage was the result of an out-of-bounds read error in an update.

UPDATE--As organizations around the world continue work to recover from the outage caused by the faulty CrowdStrike update last week, cybercrime groups are using the incident as an opportunity to lure victims with fake recovery tools, instruction manuals, and updates. Meanwhile, CrowdStrike's initial analysis of the incident shows that the root cause was an out-of-bounds read error in a Falcon content update.

The outage, which was the result of a bad content update for CrowdStrike’s Falcon sensors on Windows machines, affected more than 8.5 million machines, according to Microsoft, and caused widespread issues for banks, retailers, airlines, government agencies and many other organizations globally. The update caused Windows hosts to crash and in some cases go into a boot loop. Although CrowdStrike discovered the error relatively quickly and deployed a fix, many of the affected machines could not be brought back online in a good state and therefore could not receive the fix, which exacerbated the problem. The company has published detailed recovery instructions and Microsoft has released a tool to help affected users, but the scope of the outage is so large that remediating all of the affected machines will likely take many weeks.

On Wednesday, CrowdStrike released a preliminary post-incident review of what caused the crash and concluded that an out-of-bounds read flaw in an InterProcessCommunication (IPC) template was the culprit.

"On July 19, 2024, two additional IPC Template Instances were deployed. Due to a bug in the Content Validator, one of the two Template Instances passed validation despite containing problematic content data. Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production," the analysis says.

"When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD)."
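The failure chain in the PIR excerpt (a validator that accepts an instance it should have rejected, followed by an interpreter that indexes past the end of what it holds) can be modelled in a few lines. The following is an added example, not CrowdStrike's code: the `TemplateInstance` structure, the field table, its size and the two validators are all invented for illustration, and the Python `IndexError` stands in for the out-of-bounds memory read in the sensor.

```python
"""Hypothetical model of the validator/interpreter failure described in the PIR.

Added example. The data structures and sizes here are constructed for
illustration and do not describe CrowdStrike's actual content format.
"""
from dataclasses import dataclass

# Constructed: the interpreter's field table has a fixed number of slots.
FIELD_TABLE_SIZE = 16


@dataclass(frozen=True)
class TemplateInstance:
    name: str
    field_refs: tuple  # indices the interpreter will look up in the field table


def validate_count_only(instance):
    """Buggy validator: checks that the instance carries a sane number of
    references, but never checks that each reference is inside the table."""
    return 0 < len(instance.field_refs) <= FIELD_TABLE_SIZE


def validate_refs_in_range(instance):
    """Corrected validator: validate exactly what the interpreter will index,
    so an out-of-range reference is rejected before it reaches production."""
    return (0 < len(instance.field_refs) <= FIELD_TABLE_SIZE
            and all(0 <= r < FIELD_TABLE_SIZE for r in instance.field_refs))


def interpret(instance, field_table):
    """Interpreter: read every referenced field. A reference past the end of
    the table raises IndexError, the analogue of the sensor's out-of-bounds read."""
    return [field_table[r] for r in instance.field_refs]


def deploy(instances, validator, field_table):
    """Deployment pipeline: only instances that pass the validator reach the
    interpreter. Returns (accepted names, rejected names, crashing name or None)."""
    accepted, rejected = [], []
    for inst in instances:
        (accepted if validator(inst) else rejected).append(inst.name)
    crash = None
    for inst in instances:
        if inst.name not in accepted:
            continue
        try:
            interpret(inst, field_table)
        except IndexError:
            crash = inst.name  # unhandled in the sensor: the host crashes here
            break
    return accepted, rejected, crash


# Constructed sample content: one well-formed instance and one whose last
# reference points one slot past the end of the table.
FIELD_TABLE = [f"field{i}" for i in range(FIELD_TABLE_SIZE)]
GOOD = TemplateInstance("instance-A", (0, 3, 7))
BAD = TemplateInstance("instance-B", (1, FIELD_TABLE_SIZE))

if __name__ == "__main__":
    print("count-only validator:", deploy([GOOD, BAD], validate_count_only, FIELD_TABLE))
    print("range-checked validator:", deploy([GOOD, BAD], validate_refs_in_range, FIELD_TABLE))
```

With the count-only validator both instances are accepted and the second one crashes the interpreter; with the range-checked validator the second instance is rejected at validation time and nothing crashes. The design point is that a validator earns trust only if it checks the same invariants the interpreter relies on, which is why the PIR excerpt pairs "trust in the checks performed in the Content Validator" with the crash that followed.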

In the interim, cybercrime groups have begun to take advantage of the incident as a lure in phishing campaigns and targeted attacks. On Friday, the Cybersecurity and Infrastructure Security Agency warned that attackers were already using the CrowdStrike issue as a hook in phishing attacks, and now CrowdStrike is also warning customers about attackers distributing an infostealer by using a fake Microsoft recovery manual as the lure document. The document is titled “New_Recovery_Tool_to_help_with_Crowdstrike_issue_impacting_Windows” and it contains malicious macros which, upon execution, download a DLL that eventually leads to the infostealer, which CrowdStrike has named Daolpu.

“Upon execution, Daolpu invokes taskkill /F /IM chrome.exe to kill the Chrome process. The malware then collects credentials such as login data and cookies stored in Chrome and Mozilla browsers,” the CrowdStrike analysis says.

“The collected data is saved to %TMP%\result.txt and removed after exfiltration. The malware sends the result.txt file to the command-and-control (C2) server http[:]//172.104.160[.]126:5000/Uploadss in an HTTP POST request, which includes the system MAC address and hardcoded key Privatekey@2211#$.”
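The behaviours CrowdStrike describes (the `taskkill /F /IM chrome.exe` invocation, a `result.txt` written under the temp directory, and an HTTP POST to the C2 host and port on `/Uploadss`) map directly onto endpoint telemetry. The following detection sketch is an added example, not CrowdStrike's code: it runs the three indicators over a constructed, simplified key=value event format (Sysmon-like field names, invented here) and then correlates hits per host, since a lone `taskkill` of Chrome is also ordinary administrator activity.

```python
"""Detection sketch for the Daolpu behaviour quoted in the article.

Added example. The event line format and the sample log are constructed for
illustration; the indicators (taskkill command, result.txt, C2 address and
path) are the ones quoted from CrowdStrike's analysis.
"""
import re
from dataclasses import dataclass

# Indicators from the article (the C2 address is written undefanged so it
# matches what network telemetry would actually record).
DAOLPU_C2_HOST = "172.104.160.126"
DAOLPU_C2_PORT = 5000
DAOLPU_C2_PATH = "/Uploadss"

TASKKILL_CHROME = re.compile(r"taskkill(?:\.exe)?\s+/f\s+/im\s+chrome\.exe", re.IGNORECASE)
RESULT_TXT = re.compile(r"[\\/]result\.txt$", re.IGNORECASE)
TEMP_DIR = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: str
    evidence: str


def parse_event(line):
    """Parse a constructed 'key=value key="quoted value"' telemetry line."""
    event = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def match_event(event):
    """Apply the three Daolpu indicators to one parsed event."""
    kind = event.get("type")
    host = event.get("host", "?")
    if kind == "process":
        cmd = event.get("cmdline", "")
        if TASKKILL_CHROME.search(cmd):
            return Finding("daolpu_taskkill_chrome", host, cmd)
    elif kind == "file":
        path = event.get("path", "")
        # Only result.txt written under a temp directory, as described in the analysis.
        if RESULT_TXT.search(path) and TEMP_DIR.search(path):
            return Finding("daolpu_result_txt_in_temp", host, path)
    elif kind == "network":
        if (event.get("dst_ip") == DAOLPU_C2_HOST
                and int(event.get("dst_port", 0)) == DAOLPU_C2_PORT
                and event.get("method", "").upper() == "POST"
                and event.get("uri", "") == DAOLPU_C2_PATH):
            return Finding("daolpu_c2_post", host,
                           f"POST {event['dst_ip']}:{event['dst_port']}{event['uri']}")
    return None


def scan(lines):
    """Run every indicator over a sequence of telemetry lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = match_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


def hosts_with_chain(findings, min_rules=2):
    """Hosts on which at least min_rules distinct indicators fired. Raises
    confidence above a single hit: killing Chrome alone is routine admin work,
    but Chrome kill plus result.txt plus the C2 POST is the described chain."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry: ws01 shows the full chain, ws04 only the
# taskkill, ws02/ws03 are benign look-alikes.
SAMPLE_LOG = """
type=process host=ws01 image="C:\\Windows\\System32\\taskkill.exe" cmdline="taskkill /F /IM chrome.exe"
type=file host=ws01 path="C:\\Users\\alice\\AppData\\Local\\Temp\\result.txt" action=create
type=network host=ws01 dst_ip=172.104.160.126 dst_port=5000 method=POST uri=/Uploadss
type=process host=ws02 image="C:\\Windows\\System32\\taskkill.exe" cmdline="taskkill /F /IM notepad.exe"
type=file host=ws03 path="C:\\Users\\bob\\Documents\\result.txt" action=create
type=process host=ws04 cmdline="taskkill /F /IM chrome.exe"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.host}: {f.rule} <- {f.evidence}")
    print("hosts with chained indicators:", hosts_with_chain(found))
```

On the sample log the scan produces four single hits but only `ws01` clears the correlation threshold, which is the host a responder should pull for the `%TMP%\result.txt` artifact and browser credential exposure. The C2 address and the `/Uploadss` path are the most brittle of the three indicators, since they change between campaigns; the process and file behaviours are the part worth keeping as a standing rule.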

Over the weekend, CrowdStrike detected a separate campaign targeting CrowdStrike customers in Latin America that used a fake Falcon update as a lure.

“CrowdStrike Intelligence has since observed threat actors leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos. Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers,” the company said.

The scope of this outage and the awareness of it among the general public make it a prime candidate for continued attention from cybercrime groups and other attackers. As a result of the incident, CrowdStrike says it will conduct more comprehensive testing of rapid response content updates in the future, as well as staged deployment of those updates. Also, the company will "provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed", something that could have limited the scope of last week's outage.

This story was updated on July 24 to add information from CrowdStrike's preliminary post-incident review (PIR).