July 26, 2024 at 02:30AM
CrowdStrike has detected an attempt by an unknown threat actor to distribute harmful installers to German customers after the Falcon Sensor update failure. The phishing campaign involves an impersonation website, fraudulent JavaScript, and malicious software disguised as a CrowdStrike Crash Reporter. This situation occurs as CrowdStrike works to recover from a recent global IT outage.
From the meeting notes, I have extracted the following key takeaways:
1. CrowdStrike detected a highly targeted spear-phishing campaign attempting to capitalize on the Falcon Sensor update issue to distribute dubious installers targeting German customers. The phishing page contained a download link to a ZIP archive file with a malicious Inno Setup installer, featuring CrowdStrike branding, German localization, and a password requirement for installing the malware.
2. The threat actor demonstrated awareness of operations security (OPSEC) practices by utilizing anti-forensic techniques and creating a subdomain to prevent historical analysis of the domain-registration details.
3. CrowdStrike’s CEO and chief security officer apologized for the disruption caused by the global IT outage, expressing their commitment to re-earning trust and delivering effective protection against adversaries.
4. Bitsight’s analysis revealed significant traffic pattern changes on July 16th and a drop in egress traffic and unique IPs and organizations connected to CrowdStrike Falcon servers after the 19th, which raised questions about potential correlation with the outage.