The Indian Computer Emergency Response Team (CERT-In) has issued a warning about an ongoing phishing campaign that is exploiting a recent outage event involving CrowdStrike’s Falcon Sensor software.
On July 19, 2024, a faulty update to the CrowdStrike Falcon Sensor led to widespread crashes of Microsoft Windows operating systems. Both CrowdStrike and Microsoft have since released official fixes, but cybercriminals are leveraging this incident to target CrowdStrike users.
Details of the Phishing Campaign
The phishing campaign reported by CERT-In involves several malicious activities aimed at exploiting the CrowdStrike issue:
- Phishing Emails: Attackers are sending emails posing as CrowdStrike support to trick customers into providing sensitive information or downloading malware.
- Impersonating CrowdStrike Staff: Fraudsters are making phone calls impersonating CrowdStrike employees to gain the trust of their targets.
- Selling Fake Recovery Scripts: Cybercriminals are selling software scripts that falsely claim to automate recovery from the CrowdStrike update issue.
- Distributing Trojan Malware: Malicious actors are distributing Trojan malware disguised as recovery tools.
These phishing attacks can result in the installation of malware, leading to data leakage, system crashes, and data loss.
CERT-In’s Recommendations
To protect against these phishing attacks, CERT-In advises organizations and individuals to follow best practices and remediation methods:
- Apply Official Fixes: Ensure you apply the remediation methods provided by CrowdStrike and Microsoft. The official CrowdStrike guidance can be found here, and the Microsoft patch update is available here.
- Verify Email and Phone Communications: Do not trust unsolicited emails or phone calls claiming to be from CrowdStrike. Always verify the source before taking any action.
- Avoid Untrusted Websites: Do not browse untrusted websites or follow links from unsolicited emails and SMS messages. Be cautious with attachments, especially those with “.exe” extensions, as they are likely to be malicious.
- Limit Download Sources: Only download software from official and trusted websites to reduce the risk of malware infection.
- Inspect Phone Numbers: Look out for suspicious phone numbers that do not resemble real mobile phone numbers. Scammers often use email-to-text services to mask their identity.
- Research Before Clicking Links: Perform extensive research before clicking on any links provided in messages. Use search engines to verify the legitimacy of the organization’s website.
- Use Safe Browsing Tools: Implement safe browsing tools, antivirus software, and content-based filtering in your firewall and filtering services to protect against malicious websites.
- Caution with Shortened URLs: Be wary of shortened URLs (e.g., bit.ly, tinyurl). Hover over these URLs to see the full website domain or use URL checkers to preview the full URL before clicking.
- Check for Encryption Certificates: Confirm the site presents a valid TLS certificate (the lock icon in the browser’s address bar) before entering any sensitive information; the lock only means the connection is encrypted, not that the site is legitimate, so it complements the checks above rather than replacing them.
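Several of these recommendations (distrusting unsolicited mail that claims to come from CrowdStrike, treating ".exe" attachments as suspect, and previewing shortened URLs before clicking) can be turned into a mail-gateway or triage check. The script below is an added example written for this article; it is not CERT-In's or CrowdStrike's code. The sample message, the list of URL-shortener domains (bit.ly and tinyurl are named in the advisory, the rest are assumed), the set of executable extensions, and the sender domain treated as legitimate are all constructed assumptions for illustration.

```python
"""Screen an inbound email for the phishing indicators listed in the CERT-In advisory.

Added example, not code from CERT-In or CrowdStrike. All sample data below is constructed.
"""
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed shortener list: bit.ly and tinyurl come from the advisory, the others are added.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Assumed set of extensions treated as executable content; ".exe" is from the advisory.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# Vendor being impersonated and the domain we accept as genuinely theirs (assumption).
VENDOR_NAME = "crowdstrike"
VENDOR_DOMAINS = {"crowdstrike.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_indicators(raw: bytes) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Display name or subject invokes the vendor, but the sending domain is not theirs.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    claims = f"{display_name} {msg.get('Subject', '')}".lower()
    if VENDOR_NAME in claims and sender_domain not in VENDOR_DOMAINS:
        findings.append(f"vendor impersonation: '{display_name}' <{addr}>")

    # 2. Links that hide their real destination behind a URL shortener.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            findings.append(f"shortened url: {url}")

    # 3. Attachments whose extension marks them as executable "recovery tools".
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {filename}")

    return findings


def build_sample_email() -> bytes:
    """Construct a lure-style message with all three indicators (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "CrowdStrike Support <support@crowdstrike-recovery.example>"
    msg["To"] = "admin@victim.example"
    msg["Subject"] = "Urgent: Falcon Sensor recovery"
    msg.set_content(
        "Dear customer,\n"
        "Download the recovery script from https://bit.ly/EXAMPLE and run the attached tool.\n"
    )
    msg.add_attachment(
        b"MZ-placeholder",  # constructed bytes, not a real executable
        maintype="application",
        subtype="octet-stream",
        filename="CrowdStrike_Recovery_Tool.exe",
    )
    return msg.as_bytes()


def build_clean_email() -> bytes:
    """Construct a benign message from the genuine vendor domain (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "CrowdStrike Support <support@crowdstrike.com>"
    msg["To"] = "admin@victim.example"
    msg["Subject"] = "Falcon Sensor remediation guidance"
    msg.set_content("Please follow the guidance published on our official support portal.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_indicators(build_sample_email()):
        print("FLAG:", finding)
    print("clean message findings:", find_indicators(build_clean_email()))
```

The three checks map directly to the advisory's points: sender verification, shortened-URL caution, and executable attachments. In a real deployment the findings would feed a quarantine or triage queue rather than a print statement, and the shortener and vendor-domain lists would be maintained as configuration.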
Background on the CrowdStrike Outage
On July 19, 2024, a global outage affected Microsoft Windows systems equipped with the CrowdStrike Falcon Sensor. The issue arose from a faulty update to the agent, causing systems to experience crashes and the notorious Blue Screen of Death (BSOD). This critical error indicates a system halt due to hardware or software failure, rendering affected devices inoperable.
CERT-In issued a critical advisory (CIAD-2024-0035) to address the issue, urging organizations to apply the official fixes from CrowdStrike and Microsoft to mitigate the impact of the outage. Despite the availability of these fixes, cybercriminals have seized the opportunity to launch phishing campaigns, further complicating the situation for affected users.
Conclusion
CERT-In’s advisory serves as a crucial reminder for organizations and individuals to adhere to best practices, apply official patches, and remain cautious of unsolicited communications. By following these guidelines, users can mitigate the risks associated with this phishing campaign and protect their systems and sensitive data from malicious actors.