Ankura CTIX FLASH Update - July 23, 2024

Ankura Consulting Group LLC
Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Threat Actors Pose as CrowdStrike to Distribute Malware

Threat actors are capitalizing on the business disruption caused by the faulty CrowdStrike update pushed to customers late last week. Cybersecurity researchers and government agencies have identified new phishing campaigns crafted to impersonate CrowdStrike and lead potential victims into installing malware and malicious remote access tools. Threat actors are using typo-squatted domains to impersonate CrowdStrike; dozens have been created in the past few days, including crowdstrike-helpdesk[.]com, crowdstrikefixer[.]com, crowdstrike[.]feedback, and more. One such campaign identified by researcher "gonjxa" targeted BBVA bank customers with a fake hotfix for connecting to BBVA during service outages. The purported hotfix contained HijackLoader and the Remcos RAT. Another campaign has been claimed by a pro-Iranian hacktivist group that declared it had impersonated CrowdStrike to distribute a data wiper via a linked ZIP archive. The group sent out emails under the domain "crowdstrike[.]com[.]vc" containing a convincing PDF document with instructions on downloading the fake tool, which was crafted to destroy data on the victim's device. To best defend against phishing campaigns, CTIX analysts recommend conducting security awareness training, using strong passwords and multi-factor authentication (MFA), and always exercising caution when interacting with emails. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
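The lookalike domains above share two patterns: the brand name embedded in a label of a domain that is not the vendor's own (crowdstrike-helpdesk[.]com, crowdstrike[.]com[.]vc) or a near-miss spelling of it. The following is an added defensive example, not code from Ankura CTIX or CrowdStrike, that classifies defanged indicators and mail-log sender domains against an allowlist. It assumes crowdstrike.com is the only legitimate registrable domain, uses a naive "last two labels" rule for the registrable domain (a real deployment would use the public suffix list), and the mail log lines are constructed for the example.

```python
import re

BRAND = "crowdstrike"
# Assumption: the only legitimate registrable domain for this brand.
LEGIT_DOMAINS = {"crowdstrike.com"}
# Labels within this edit distance of the brand are treated as near-miss spellings.
MAX_EDIT_DISTANCE = 2


def normalize(indicator: str) -> str:
    """Turn a defanged indicator such as 'crowdstrike[.]com[.]vc' into a plain hostname."""
    return indicator.replace("[.]", ".").strip().strip(".").lower()


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch single-character substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> str:
    """Return 'legitimate', 'typosquat' or 'unrelated' for a domain or defanged indicator."""
    host = normalize(indicator)
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    for label in host.split("."):
        # Brand token embedded in a label (crowdstrike-helpdesk, crowdstrikefixer, crowdstrike.com.vc)
        if BRAND in label:
            return "typosquat"
        # Near-miss spelling of the brand (e.g. an 'l' in place of an 'i')
        if levenshtein(label, BRAND) <= MAX_EDIT_DISTANCE:
            return "typosquat"
    return "unrelated"


# Constructed sample mail-gateway log lines, not real traffic.
SAMPLE_MAIL_LOG = [
    "2024-07-22T09:14:03Z from=<support@crowdstrike.com> to=<it@example.org> subject=Update notice",
    "2024-07-22T09:20:41Z from=<helpdesk@crowdstrike-helpdesk[.]com> to=<it@example.org> subject=Hotfix",
    "2024-07-22T09:22:10Z from=<noreply@crowdstrike[.]com[.]vc> to=<finance@example.org> subject=Recovery tool",
    "2024-07-22T09:30:55Z from=<news@example.net> to=<it@example.org> subject=Newsletter",
]

FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def flag_senders(lines) -> list:
    """Return the normalized sender domains in the log that look like brand impersonation."""
    flagged = []
    for line in lines:
        match = FROM_RE.search(line)
        if match and classify(match.group(1)) == "typosquat":
            flagged.append(normalize(match.group(1)))
    return flagged


if __name__ == "__main__":
    for ioc in ["crowdstrike-helpdesk[.]com", "crowdstrikefixer[.]com",
                "crowdstrike[.]feedback", "crowdstrike[.]com[.]vc", "crowdstrike.com"]:
        print(f"{ioc:32} {classify(ioc)}")
    print("flagged senders:", flag_senders(SAMPLE_MAIL_LOG))
```

The allowlist check runs first so that subdomains of the vendor's real domain are never flagged; everything else with the brand in a label, or within two edits of it, is surfaced for review. Feeding newly registered domain feeds or mail-gateway sender domains through `classify` is a cheap first-pass detection for the campaigns described above.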

Threat Actor Activity

Two Russians Affiliated with LockBit Plead Guilty in US Court

Two (2) Russian nationals, Ruslan Astamirov, twenty-one (21), and Mikhail Vasiliev, thirty-four (34), have pleaded guilty to participating in the LockBit ransomware group, engaging in a series of global cyber extortion schemes. Astamirov and Vasiliev admitted to deploying LockBit ransomware in attacks that targeted entities across various countries, including the United States, Japan, France, Scotland, Kenya, the U.K., and Switzerland, between 2020 and 2023. Astamirov's operations extracted $1.9 million in ransom from his victims, while Vasiliev caused at least $500,000 in damage and losses. Astamirov, arrested in June 2023, agreed to forfeit $350,000 in cryptocurrency as part of his plea agreement. Vasiliev, arrested in Canada in November 2022 and later extradited to the U.S., had previously been sentenced to four (4) years in Canadian prison. Both individuals could face significant prison sentences in the U.S., with Astamirov facing up to twenty-five (25) years and Vasiliev up to forty-five (45) years. LockBit, known for its ransomware-as-a-service (RaaS) operation, has been one of the most prolific cybercriminal enterprises, targeting over 2,500 victims in at least 120 countries and extorting approximately $500 million in ransom payments. Despite recent law enforcement efforts to dismantle the group's infrastructure, LockBit continues to pose a significant threat, as evidenced by recent attacks on a county government in Indiana and the largest hospital in Croatia, among others. The guilty pleas of Astamirov and Vasiliev mark a notable success in international efforts to combat cybercrime, involving cooperation among law enforcement agencies across several countries and leading to the takedown of LockBit's infrastructure. However, these developments also underscore the ongoing challenges in neutralizing such cyber threats and the adaptability of ransomware groups in continuing their malicious activities.
CTIX analysts will continue monitoring the latest developments among global threat actor activities.

Vulnerabilities

Microsoft Releases Official Windows Repair Tool to Repair PCs Impacted by the Recent CrowdStrike Issue

Microsoft has released a custom WinPE recovery tool to address the widespread issues caused by a faulty CrowdStrike update that resulted in approximately 8.5 million Windows devices crashing with a Blue Screen of Death (BSOD) and entering reboot loops. This bug severely disrupted IT operations across various sectors, including airports, hospitals, and government agencies. The new USB-based recovery tool simplifies the previous multistep workaround processes by automating the removal of the problematic CrowdStrike kernel driver. To create the tool, users need a 64-bit Windows 10/11 PC, 8 GB of free storage, administrative privileges, a USB drive with at least 1 GB of space, and potentially a BitLocker Recovery Key. The process involves downloading a ZIP file, extracting it, and running a PowerShell script to create a bootable WinPE image on the USB drive. When an impacted computer is booted from the USB drive, the tool automatically removes the faulty driver, restoring normal functionality. Users must have their BitLocker Recovery Key ready for the process. Once completed, the device should reboot normally, resolving the issues caused by the faulty update.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
