Falcon Sensor Content Issue from July 19, 2024, Likely Used to Target CrowdStrike Customers

On July 19, 2024, an issue present in a single content update for the CrowdStrike Falcon® sensor impacting Windows operating systems was identified, and a fix was deployed.1

CrowdStrike Intelligence has monitored for malicious activity leveraging the event as a lure theme and received reports that threat actors are conducting the following activity:

  • Sending phishing emails posing as CrowdStrike support to customers
  • Impersonating CrowdStrike staff in phone calls
  • Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
  • Selling scripts purporting to automate recovery from the content update issue

Figure 1 provides a list of domains identified on July 19, 2024, that impersonate CrowdStrike’s brand. Some domains in this list are not currently serving malicious content or could be intended to amplify negative sentiment. However, these sites may support future social-engineering operations.

crowdstrike.phpartners[.]org
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com

Figure 1. Identified malicious domains

CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support teams have provided.2

The following CrowdStrike Falcon® LogScale query hunts for domains provided in Figure 1.

// Potentially malicious domains impersonating CrowdStrike (CSA-240832)
// hunting rule for indicators (CSA-240832)
in("DomainName", values=["crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com"]) | table([cid, aid, #event_simpleName, ComputerName])

Figure 2. Falcon LogScale Query

Additional Resources

  1. https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
  2. Ibid.
Related Content