As organizations seek help fixing affected Windows hosts, government agencies report a rise in phishing emails exploiting the situation.
CrowdStrike has announced that it is actively assisting customers impacted by the recent update that crashed millions of Windows hosts worldwide. The company advises customers to make sure they are communicating through official channels only, warning that adversaries will try to exploit events like this. CrowdStrike CEO George Kurtz has stressed that customers should stay vigilant and take technical support and the latest updates only from CrowdStrike's official representatives.
Threat actors have already made several attempts to compromise organizations by disguising malware as fixes and updates. Recent examples include:
- On Saturday, cybersecurity researcher g0njxa reported a malware campaign targeting BBVA bank customers, offering a fake CrowdStrike Hotfix update that installs the Remcos RAT. The fake update was promoted through a phishing site pretending to be a BBVA Intranet portal. Instructions within the malicious archive urged employees and partners to install the update to avoid connection errors.
- In a separate campaign, threat actors sent phishing emails from the lookalike domain ‘crowdstrike.com.vc,’ instructing recipients to download a malicious ZIP archive containing an executable named ‘Crowdstrike.exe.’ Once executed, the file acts as a data wiper and destroys data stored on the device.
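The two campaigns above share the same indicators: a sender domain that contains the vendor's name but is not the vendor's registered domain, and an archive attachment that carries an executable under a "hotfix"-style lure. The Python below is an added illustration of a simple mail-triage check for those indicators; it is not code from the article, from CrowdStrike or from the researchers cited. The sample messages, the in-memory ZIP, the keyword list and the function names are all constructed for the demo and are assumptions, not anything the article documents.

```python
import io
import re
import zipfile

# The only domain the vendor legitimately mails from in this demo (assumption).
LEGIT_DOMAIN = "crowdstrike.com"

# File extensions that should never arrive inside a "hotfix" archive (assumption).
EXECUTABLE_EXTS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".ps1")

# Lure words typical of fake-remediation phishing (assumption).
LURE_WORDS = re.compile(r"\b(hotfix|fix|update|patch)\b", re.IGNORECASE)


def sender_domain(address: str) -> str:
    """Return the lowercase domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the domain merely contains the brand but is not the legit
    registered domain or one of its subdomains. 'crowdstrike.com.vc' ends in
    '.vc', so it is a lookalike even though it starts with 'crowdstrike.com'."""
    if domain == legit or domain.endswith("." + legit):
        return False
    brand = legit.split(".")[0]
    return brand in domain


def executables_in_zip(zip_bytes: bytes) -> list:
    """List member names inside a ZIP whose extension is executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


def triage(sender: str, subject: str, attachment_name: str, attachment: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    domain = sender_domain(sender)
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    if attachment_name.lower().endswith(".zip"):
        execs = executables_in_zip(attachment)
        if execs:
            findings.append("executable inside archive: " + ", ".join(execs))
    # A fix/update lure only matters when paired with another indicator.
    if findings and LURE_WORDS.search(subject):
        findings.append("lure subject references a fix/update")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure; the 'exe' is a placeholder, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Crowdstrike.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("README.txt", b"Install the update to avoid connection errors.")
    return buf.getvalue()


def demo_malicious() -> list:
    # Constructed message modelled on the lookalike-domain campaign.
    return triage(
        "CrowdStrike Support <support@crowdstrike.com.vc>",
        "CrowdStrike Hotfix for the Windows outage",
        "Crowdstrike.zip",
        build_sample_zip(),
    )


def demo_legitimate() -> list:
    # Constructed message from the real domain with a non-archive attachment.
    return triage(
        "support@crowdstrike.com",
        "Remediation guidance for the channel file update",
        "guidance.pdf",
        b"%PDF-1.4 constructed placeholder",
    )


if __name__ == "__main__":
    for f in demo_malicious():
        print("FLAG:", f)
    print("legit findings:", demo_legitimate())
```

The domain check deliberately tests for "is the legitimate domain or a subdomain of it" rather than "contains crowdstrike.com", because the latter is exactly the trick `crowdstrike.com.vc` relies on. In production the same logic would sit behind a DMARC/SPF result, not replace it.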
According to Microsoft, the faulty update affected 8.5 million Windows devices. CrowdStrike has explained that the outage was caused by a channel file update to Windows hosts that triggered a logic error, leading to the crashes. CrowdStrike has since identified and corrected the issue, but getting remediation instructions to affected companies is complicated by attackers who are actively exploiting the situation with phishing emails that impersonate exactly that kind of guidance.