Low-level cybercriminals are pouncing on CrowdStrike-connected outage
Five days after a faulty update to CrowdStrike’s Falcon security software hobbled millions of Windows computers around the world, cybercriminals and hacktivist personas are taking advantage of the situation with newly registered domains, malware attached to files with CrowdStrike-themed names and at least one apparent instance of a data wiper.
CrowdStrike has documented multiple instances of likely criminal activity tied to the incident, including a Word document laced with the Daolpu information stealer and a zip file targeting Latin American-based CrowdStrike customers with the HijackLoader malware, which is typically used to deliver other malware packages, and a Python-based information stealer tracked as “Connecio.”
Additionally, a phishing email with a PDF purporting to explain how to remediate last week’s Falcon issue delivered a zip file laced with wiper malware, according to sandbox company ANY.RUN, which called it one of the most “sophisticated” outage-related attacks thus far.
“Handala Hack,” a pro-Palestinian hacktivist persona known for attacking Israeli targets, claimed responsibility for the wiper attack mentioned by ANY.RUN. In a June 21 Telegram post, they asserted — without providing evidence — that they had targeted “thousands of Zionist organizations!”
Tom Hegel, principal threat researcher with SentinelLabs, told CyberScoop that Handala is known for its “broad targeting scope,” has previously executed wiper attacks on both Windows and Linux systems, and engaged in hack-and-leak operations.
“While the group presents itself as a hacktivist entity, there remains speculation about possible Iranian backing as we’ve commonly observed active in the Middle East since last year,” Hegel said. “Complete scope of these CrowdStrike-themed intrusions is unclear, however the attacker has publicly claimed to have dozens of victims.”
CrowdStrike did not respond to a request for comment Tuesday on the threats exploiting the situation. In a July 19 update, CrowdStrike founder and CEO George Kurtz said the company was aware that “adversaries and bad actors will try to exploit events like this,” and encouraged customers to “ensure that you’re engaging with official CrowdStrike representatives.”
Jose Enrique Hernandez, threat research director at Splunk, said in a Tuesday post on X that he identified more than 2,000 CrowdStrike-related domains registered in the past seven days. An analysis of the top 25 suggests that “most of them are looking pretty funky,” Hernandez wrote.
James Spiteri, a director of product management with Elastic, wrote in a LinkedIn post Sunday that he had documented more than 141 certificates generated for what looks “like (mostly) bogus [CrowdStrike] domains. Hope this list helps folks keep a lookout for any phishing.” The list had grown to 193 by mid-afternoon Tuesday.
The malicious activity comes as CrowdStrike customers continue to recover from the outage, which disabled at least 8.5 million Windows devices, according to a Microsoft estimate. Delta Airlines, for instance, is under investigation by the Transportation Department after it had to cancel thousands of flights as a result of the outage.
A Cybersecurity and Infrastructure Security Agency spokesperson told CyberScoop on Tuesday that the agency was “working closely with our government and industry partners to continue to mitigate the impact of the global IT outage.”
The spokesperson did not respond to questions about malicious activity related to the outage targeting federal networks, criminal or otherwise, although the incident caused technical issues at multiple federal agencies, FedScoop reported Friday.
CISA had earlier said it was aware of malicious activity connected to the event, mirroring messaging put out by cybersecurity officials in the U.K., Australia and Canada.
