CrowdStrike: Thousands of typosquatting domains registered after global outage
CrowdStrike says cybercriminals are attempting to install a new infostealer malware through fake fixes
A new wave of cyberattacks has emerged in the wake of last week's CrowdStrike outage, targeting IT admins with a barrage of phishing scams and extortion attempts.
The faulty update delivered by CrowdStrike on 19th July sent countless Windows machines into a Blue Screen of Death (BSOD) loop, causing the largest global IT outage on record.
Now, security researchers are uncovering a surge in malicious activity leveraging the chaos.
Thousands of typosquatting domains – websites with subtly misspelled names mirroring legitimate companies – have sprung up in recent days, aiming to deceive unsuspecting users into divulging sensitive information or parting with their money.
Security firm SentinelOne warns that this number is escalating rapidly, as criminals attempt to exploit the ongoing chaos to maximise their profits.
"As is often the case with major newsworthy incidents, cybercriminals immediately began to use CrowdStrike-themed components in their campaigns in an attempt to capitalize on the misfortune of system administrators and users desperate to get their systems operational," SentinelOne said.
"This includes registering potentially malicious domains and naming files after 'CrowdStrike remediation' themes."
One particularly brazen example is the domain "fix-crowdstrike-apocalypse[.]com," which offered a purported fix for the BSOD errors plaguing CrowdStrike customers for €500,000, with the source code of the alleged remedy priced even higher.
Other examples of recently registered domains using the CrowdStrike BSOD theme include:
- crashstrike[.]com
- crowdstrikefix[.]com
- crowdstrikebluescreen[.]com
- crowdstrike-helpdesk[.]com
- crowdfalcon-immed-update[.]com
- crowdstrike-bsod[.]com
- crowdstrikebsod[.]com
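The domains above share a small set of building blocks: the brand string itself (sometimes with a character swapped), a fragment such as "falcon" or "strike", and a remediation theme such as "fix", "bsod" or "update". The Python script below is an added example, not tooling from CrowdStrike or SentinelOne, that scores a list of newly registered domains or proxy-log hostnames on those signals. The keyword lists, the allowlist and the threshold are assumptions, and SAMPLE_DOMAINS mixes the domains named in the article with constructed benign names and two constructed lookalikes ("cr0wdstrike-support" and a subdomain trick), to show what the scoring catches and what it leaves alone.

```python
"""Triage domains for CrowdStrike-themed lookalikes. Added example, not tooling from
CrowdStrike or SentinelOne; keyword lists, allowlist and threshold are assumptions."""
import re
from difflib import SequenceMatcher

BRAND = "crowdstrike"
BRAND_FRAGMENTS = ("falcon", "strike")          # product name and a distinctive brand part
LURE_TERMS = ("fix", "bsod", "bluescreen", "crash", "helpdesk", "update",
              "remediat", "recover", "hotfix", "patch", "support")
ALLOWLIST = {"crowdstrike.com"}                 # assumed: the brand's own registrable domain

SAMPLE_DOMAINS = [
    "crashstrike.com", "crowdstrikefix.com", "crowdstrikebluescreen.com",
    "crowdstrike-helpdesk.com", "crowdfalcon-immed-update.com",
    "crowdstrike-bsod.com", "crowdstrikebsod.com",                 # named in the article
    "cr0wdstrike-support.com", "crowdstrike.com.evil-host.net",    # constructed lookalikes
    "crowdstrike.com", "falcon.crowdstrike.com", "github.com", "strikezone.com",  # benign
]


def _flatten(domain):
    """Lower-case, drop the TLD and punctuation: 'Crowd-Strike_Fix.com' -> 'crowdstrikefix'."""
    host = domain.lower().strip(".")
    no_tld = host.rsplit(".", 1)[0] if "." in host else host
    return re.sub(r"[^a-z0-9]", "", no_tld)


def brand_similarity(flat):
    """Best SequenceMatcher ratio between the brand and any brand-length window of the name."""
    if len(flat) <= len(BRAND):
        return SequenceMatcher(None, BRAND, flat).ratio()
    return max(SequenceMatcher(None, BRAND, flat[i:i + len(BRAND)]).ratio()
               for i in range(len(flat) - len(BRAND) + 1))


def score_domain(domain):
    """Return (score, reasons). Brand signals weigh 2 (embedded or close lookalike) or 1
    (fragment only); each lure term adds 1. Allowlisted hosts and their subdomains score 0."""
    host = domain.lower().strip(".")
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return 0, ["allowlisted"]
    flat = _flatten(host)
    score, reasons = 0, []
    if BRAND in flat:
        score += 2
        reasons.append("brand string embedded")
    else:
        sim = brand_similarity(flat)
        if sim >= 0.8:
            score += 2
            reasons.append(f"brand lookalike (similarity {sim:.2f})")
        else:
            for frag in BRAND_FRAGMENTS:
                if frag in flat:
                    score += 1
                    reasons.append(f"brand fragment '{frag}'")
    for term in LURE_TERMS:
        if term in flat:
            score += 1
            reasons.append(f"lure term '{term}'")
    return score, reasons


def is_lookalike(domain, threshold=2):
    """A brand signal plus a lure theme, or the brand string itself, is enough to flag."""
    return score_domain(domain)[0] >= threshold


def triage(domains):
    """Return [(domain, score, reasons)] for flagged domains, highest score first."""
    hits = [(d, *score_domain(d)) for d in domains if is_lookalike(d)]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS):
        print(f"{score}  {domain:35s}  {', '.join(reasons)}")
```

Note that "crashstrike" and "crowdfalcon-immed-update" are only caught because a brand fragment is combined with a lure term; a single fragment on its own ("strikezone") stays below the threshold, which is the trade-off against false positives when you run this over a whole day's registrations. The allowlist check is on the full hostname, so "crowdstrike.com.evil-host.net" is still scored and flagged.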
SentinelOne warned that threat actors are also distributing malicious files disguised as hotfixes, hoping victims will download them to regain control of their systems.
CrowdStrike itself has acknowledged the heightened threat, urging customers to remain vigilant and rely solely on official communication channels.
The cybersecurity firm issued a warning this week about a campaign attempting to deploy a new information-stealing malware disguised as a recovery tool.
CrowdStrike said the malware, dubbed Daolpu, is being delivered through phishing emails carrying a fake Microsoft recovery manual named "New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm".
The document is a copy of a Microsoft support bulletin that gives instructions for a new recovery tool which automates removal of the faulty CrowdStrike driver from affected Windows devices.
The document, while appearing legitimate, contains malicious macros that download and execute the Daolpu stealer. Execution still depends on the recipient enabling macros: current Office builds block macros by default in files that carry a Mark of the Web from the internet, so the lure relies on the reader clicking through that warning or unblocking the file.
Once installed, Daolpu steals account credentials, browser history, and cookies from popular browsers including Chrome, Edge and Firefox. The stolen data is then transmitted to the attackers' command-and-control server.
CrowdStrike offers the following recommendations for staying safe in the current environment:
- Communicate exclusively with CrowdStrike representatives through official channels and follow the technical guidance provided by CrowdStrike support teams.
- Verify the TLS certificates of download websites to ensure that any downloaded software comes from a legitimate source.
- Train users to avoid executing files from untrusted sources.
- Adjust browser settings to enable download protection, which can warn about potentially harmful websites or downloads.
- Search for the file "result.txt" in the %TMP% directory; its presence might indicate a Daolpu infection.
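The lure filename, the fact that the document carries macros, and the result.txt indicator from the recommendations above can all be checked mechanically. The Python script below is an added example, not CrowdStrike's own tooling: it flags macro-capable Office filenames with the CrowdStrike-recovery theme (the pattern is an assumption generalised from the one lure name the article gives), detects whether an Office document embeds a VBA project (OOXML files are zip containers, and macros live in a vbaProject.bin part), and looks for result.txt under %TMP%. The .docm it builds for testing is a constructed stand-in with a placeholder vbaProject.bin, not real VBA, and the result.txt fixture is likewise constructed.

```python
"""Host-side checks for the Daolpu lure and indicator. Added example, not CrowdStrike's
own tooling; the lure-name pattern is an assumption and the test documents are constructed."""
import io
import os
import re
import tempfile
import zipfile

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")
# Assumed lure-name pattern: a CrowdStrike reference combined with a recovery/fix theme.
LURE_NAME_RE = re.compile(
    r"(recover|fix|remediat|hotfix).*crowdstrike|crowdstrike.*(recover|fix|remediat|hotfix)",
    re.I,
)


def looks_like_lure_name(filename):
    """True for a macro-capable Office filename carrying the CrowdStrike-recovery theme."""
    base = os.path.basename(filename)
    return base.lower().endswith(MACRO_EXTENSIONS) and bool(LURE_NAME_RE.search(base))


def has_vba_project(data):
    """OOXML documents are zip containers; VBA macros are stored in a vbaProject.bin part
    (word/, xl/ or ppt/ depending on the application). Non-zip input is treated as no macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def daolpu_result_file(tmp_dir=None):
    """Return the path of result.txt under %TMP% (the indicator CrowdStrike names) if it
    exists, else None. tmp_dir overrides the environment so the check can be tested."""
    tmp_dir = tmp_dir or os.environ.get("TMP") or tempfile.gettempdir()
    candidate = os.path.join(tmp_dir, "result.txt")
    return candidate if os.path.isfile(candidate) else None


def triage_attachment(filename, data, tmp_dir=None):
    """Combine the three checks into a list of findings; an empty list means nothing suspicious."""
    findings = []
    if looks_like_lure_name(filename):
        findings.append("filename matches CrowdStrike-recovery lure theme")
    if has_vba_project(data):
        findings.append("document embeds a VBA project (macros)")
    hit = daolpu_result_file(tmp_dir)
    if hit:
        findings.append(f"possible Daolpu output present: {hit}")
    return findings


def build_sample_docm(with_macro):
    """Constructed minimal OOXML container for testing, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()


def make_infected_tmp_fixture():
    """Create a throwaway directory containing a constructed result.txt for the indicator check."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "result.txt"), "w") as fh:
        fh.write("constructed sample, not real stolen data\n")
    return d


LURE_FILENAME = "New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm"

if __name__ == "__main__":
    for finding in triage_attachment(LURE_FILENAME, build_sample_docm(True), make_infected_tmp_fixture()):
        print("!", finding)
```

On a real host, call triage_attachment with the bytes of the received attachment and leave tmp_dir unset so %TMP% is read from the environment. The macro check only tells you a VBA project exists; a file that matches the lure name and carries macros is reason to quarantine and inspect it, not proof of Daolpu on its own.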