
Threat Actors Leveraging CrowdStrike IT Outage Incident


July 26, 2024
Updated on July 29, 2024

On July 19, 2024, an update for CrowdStrike’s Falcon Sensor Endpoint Detection and Response (EDR) software caused major disruptions for companies worldwide, including in the Philippines. The incident affected 8.5 million Windows devices, which crashed and displayed the iconic Blue Screen of Death (BSOD).

Read the full PSA Report here.

Threat Actors Leveraging Incident

CrowdStrike’s Chief Executive Officer (CEO), George Kurtz, issued a statement on X (formerly Twitter) clarifying that the incident was not the result of a cyber-attack or malicious activity, but rather a “defect found in a single content update.” He also noted that threat actors might exploit the situation and advised customers to engage only with “official CrowdStrike representatives.”

“We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.”

-George Kurtz, CrowdStrike CEO

Several reports indicate that numerous domains impersonating CrowdStrike’s brand began appearing online shortly after the outage, some of them posing as official CrowdStrike support staff and soliciting Bitcoin or PayPal donations or payments. CrowdStrike states that it has received reports of threat actors leveraging the incident to conduct the following activities:

  • Sending phishing emails to customers under the guise of being CrowdStrike support personnel
  • Impersonating CrowdStrike staff in phone calls
  • Posing as independent researchers, claiming to have evidence that the technical issue is linked to a cyberattack and offering remediation insights
  • Selling scripts that reportedly automate recovery from the content update issue

CrowdStrike also released a list of domains impersonating its brand for organizations to watch for. According to CrowdStrike, some domains on the list do not serve malicious content themselves but support the infrastructure behind social engineering campaigns.
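As an added example (not code from the PSA or from CrowdStrike), the check below classifies a sender or link domain as the brand’s own, a published watchlist entry, or a lookalike that embeds or typosquats the brand name, so mail-gateway or proxy logs can be triaged against such a list. The watchlist entries and sample domains are constructed for illustration, and the two-label “registrable domain” rule is a simplification that ignores multi-part public suffixes.

```python
"""Flag domains that impersonate a brand after a high-profile incident.

Added example, not vendor code. Watchlist entries and sample domains are
constructed placeholders under the reserved .example TLD.
"""
import re

BRAND = "crowdstrike"
LEGIT_DOMAINS = {"crowdstrike.com"}  # registrable domains the brand actually owns
# Constructed watchlist; in practice load the vendor's published list instead.
WATCHLIST = {"crowdstrike-helpdesk.example", "crowdstrikefix.example"}


def registrable(domain: str) -> str:
    """Return the last two labels ('support.foo.com' -> 'foo.com').
    Simplification: does not handle public suffixes such as co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Return 'legit', 'watchlist', 'lookalike' or 'unrelated' for a domain."""
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg in WATCHLIST:
        return "watchlist"
    label = reg.split(".")[0]
    # Brand name embedded in a foreign domain, e.g. 'crowd-strike-support'
    if BRAND in re.sub(r"[^a-z0-9]", "", label):
        return "lookalike"
    # Near-miss spelling of the brand label, e.g. 'cr0wdstrike'
    if edit_distance(label, BRAND) <= 2:
        return "lookalike"
    return "unrelated"


def triage(domains):
    """Map each observed domain to its classification for analyst review."""
    return {d: classify(d) for d in domains}
```

Only the "lookalike" and "watchlist" hits need analyst attention; a hit on a brand’s own subdomain is expected traffic.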

The Cybersecurity and Infrastructure Security Agency (CISA) urges organizations to remind their employees of the dangers of clicking on or otherwise interacting with phishing emails and suspicious links.

Latest Update from CrowdStrike

CrowdStrike released a Remediation and Guidance Hub for affected Windows users; its latest update reports that “97 percent of Windows sensors are online as of July 24.” The hub also includes a Preliminary Post Incident Review detailing the investigation and analysis of the incident.

Meanwhile, Windows released a Recovery Tool to assist Information Technology (IT) admins in the repair process.