Phishing attacks targeting CrowdStrike users after global outage: CERT-In

A Microsoft Windows outage caused by a faulty CrowdStrike Falcon Sensor update led to system crashes globally. Now a phishing campaign is targeting CrowdStrike users who were impacted by the outage.

Passengers at Terminal 3 of Delhi’s Indira Gandhi International Airport look at a blue screen displaying an error message when a technology outage affected computers worldwide. (Photo: PTI)
Rimjhim Singh New Delhi
Last Updated : Jul 30 2024 | 10:57 AM IST
The Indian Computer Emergency Response Team (CERT-In) has released an advisory alerting users to phishing attacks aimed at those affected by the recent Microsoft Windows outage. CERT-In operates under the Ministry of Electronics and Information Technology and serves as the national cybersecurity agency.
 
A global outage of Microsoft Windows occurred due to a defective update to the CrowdStrike Falcon Sensor software. This outage led to system crashes, affecting flights, businesses, banking and hospital systems worldwide.

CERT-In advisory


In its advisory, CERT-In reports an ongoing phishing campaign targeting CrowdStrike users, exploiting the global tech outage to carry out malicious activities. These activities include sending phishing emails allegedly posing as CrowdStrike support, impersonating CrowdStrike staff in phone calls, and selling software scripts claimed to automate recovery from the content update issue.
 
The advisory also warns that scammers are distributing trojan malware disguised as recovery tools. These attack campaigns can deceive unsuspecting users into installing malware, potentially leading to sensitive data leaks, system crashes, and data loss.

The advisory further recommended that users and organisations configure their firewall rules to block connections to 31 specific types of URLs, such as crowdstrikeoutage[.]info and www.crowdstrike0day[.]com, among others, as well as several hashes.
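
As an added illustration (not part of the CERT-In advisory or this article), the Python sketch below turns the two defanged indicators quoted above into a blocklist and checks proxy log lines against it by whole DNS labels, so that subdomains match and look-alike substrings do not. The log format, the sample lines, the function names and the choice to drop a leading `www.` are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# The two indicators the article quotes, kept in their defanged form.
DEFANGED = ["crowdstrikeoutage[.]info", "www.crowdstrike0day[.]com"]

def refang(indicator):
    """Turn 'hxxp://name[.]tld' style notation back into a plain string."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def hostname(value):
    """Lowercase hostname of a URL or bare host, without port or trailing dot."""
    value = refang(value)
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse a bare host as a netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def build_blocklist(indicators):
    # Assumption: drop a leading 'www.' so the parent name and its subdomains match too.
    return {hostname(i).removeprefix("www.") for i in indicators}

def is_blocked(host, blocklist):
    """Match on whole DNS labels: the exact host or a subdomain, never a substring."""
    host = hostname(host)
    return any(host == b or host.endswith("." + b) for b in blocklist)

# Constructed proxy log lines in the form "<timestamp> <client> <url>".
SAMPLE_LOG = """\
2024-07-30T10:01:02Z 10.0.0.5 https://www.crowdstrike0day.com/download
2024-07-30T10:01:09Z 10.0.0.7 http://CrowdStrikeOutage.info./fix
2024-07-30T10:02:11Z 10.0.0.8 https://portal.crowdstrikeoutage.info:8443/
2024-07-30T10:03:30Z 10.0.0.9 https://notcrowdstrikeoutage.info/
2024-07-30T10:04:00Z 10.0.0.5 https://www.crowdstrike.com/blog/
"""

def flagged_clients(log_text, blocklist):
    """Return (client, host) for every log line whose host is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, url = line.split(maxsplit=2)
        if is_blocked(url, blocklist):
            hits.append((client, hostname(url)))
    return hits

if __name__ == "__main__":
    for client, host in flagged_clients(SAMPLE_LOG, build_blocklist(DEFANGED)):
        print(client, host)
```

The same label-boundary matching applies when loading the advisory's full list into a DNS filter or proxy: normalise case, ports and trailing dots before comparing.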

Additionally, the advisory urged the adoption of several well-known cyber hygiene practices:
- Obtain software patch updates exclusively from authentic websites and sources
- Avoid clicking on documents containing links to ‘.exe’ files, as these are typically malicious files disguised as legitimate documents
- Be wary of suspicious phone numbers, as scammers often use email-to-text services to conceal their actual phone numbers

It also advised users to only click on URLs with clear website domains and use safe browsing and filtering tools, in addition to appropriate firewalls.

The advisory said, “Look out for valid encryption certificates by checking for the green lock in the browser’s address bar, before providing sensitive information such as personal particulars or account login details.”

[With agency inputs]

First Published: Jul 30 2024 | 10:56 AM IST
