Threat actors are exploiting the recent disruption from CrowdStrike’s software update to target companies with a fake update that injects malware, including data wipers and remote access tools. Phishing emails are being used to distribute these malicious programs under the guise of official CrowdStrike updates, taking advantage of businesses seeking assistance to fix affected Windows hosts. Review this Cybersecurity Threat Advisory for recommendations on how to reduce your risk.
What is the threat?
Cybercriminals are leveraging the confusion and urgency created by recent events to spread malware. Phishing campaigns have been launched that impersonate CrowdStrike, offering fake fixes that install malware such as Remcos RAT and HijackLoader. One campaign specifically targeted BBVA bank customers with a phishing site posing as a BBVA Intranet portal, distributing a fake CrowdStrike Hotfix. Another campaign, claimed by the pro-Iranian hacktivist group Handala, used emails from the domain ‘crowdstrike.com.vc’ to deliver a data wiper disguised as an update. This data wiper overwrites system files with zero bytes, effectively destroying data, and reports the action over Telegram. These threats exploit the urgency for businesses to restore their systems, increasing the likelihood of successful infections.
Why is this noteworthy?
This situation is noteworthy because it exploits an issue related to a trusted cybersecurity provider, increasing the chance of successful phishing attacks. The widespread impact on numerous organizations creates a fertile environment for cybercriminals to deceive victims. Additionally, the exploitation of a prominent incident highlights the need for organizations to have robust verification processes for updates and communications from service providers.
What is the exposure or risk?
Organizations affected by the initial CrowdStrike update are at risk of further disruption from these malicious campaigns. The data wiper can lead to extensive data loss, causing operational downtime and potential data breaches. Remote access tools like Remcos RAT allow attackers to gain unauthorized control over infected systems, posing risks of espionage, further malware installation, and data theft.
What are the recommendations?
Barracuda recommends taking the following measures to mitigate the impact of this attack:
- Inform employees about the current threat and enforce strict policies regarding software updates and email attachments
- Confirm the authenticity of communications through official channels before taking any action
- Have a robust incident response plan ready to quickly address potential infections or data loss
- Regularly back up critical data and ensure backups are securely stored and can be rapidly restored
- Deploy advanced security tools that can detect and block phishing attempts and malware
- Keep informed of updates from Barracuda and other security advisories to remain aware of the latest threats and mitigation strategies
Reference
For more in-depth information about the recommendations, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
