Analyzing Malicious CrowdStrike Domains: Who Is Affected and What Could Come Next

Editorial and additional commentary by Tricia Howard
Copy edited by Maria Vlasak

On Friday, July 19, 2024, the world buzzed with the manifestation of blue screens across a majority of devices after a recent CrowdStrike Falcon content update. The update triggered bug checks on Windows hosts that induced a global sea of blue screens of death (BSODs) — causing billions of system outages across various locations.

With 8.5 million devices affected globally, just about every industry was hit by this outage, including critical services such as aviation, government, and healthcare, which produced real-world impacts, some continuing even days after the incident.

As is often the case with newsworthy events, threat actors immediately attempted to exploit the situation by piggybacking on the widespread confusion and disruption caused by the update. The extent of the outage, tied with the extent of the news coverage surrounding it, led to a number of disconcerted users searching for answers wherever they could find them.

Each of these top domains had roughly equal market share. The majority of these domains have the [.]com top level domain, which holds a subtle air of legitimacy because of its ubiquity. Common keywords, such as “bsod” and “microsoft,” are present in several of the domains — these keywords are common ancillary search terms a knowledge-hungry victim would have turned to for information gathering.

Although we are accustomed to seeing high technology and financial services  bear the brunt of zero-day attacks, the nonprofit and education sector and the public sector, which compose more than 29%, stand out here. This industry is also greatly affected in terms of remediation — the number of managed devices for students on a single campus can be in the thousands, depending on the size of the institution.

The education sector also relies on people with a wide variety of technical skill levels, including people who are not tech savvy at all. Despite increasing IT budgets, the often small security team at an education institution has a seemingly Sisyphean task in trying to protect these environments. An attacker with social engineering experience would be aware of this deficit and may take advantage of it, which could also contribute to the high amount of traffic.

It is common for these phishing campaigns to be part of a resilient infrastructure if they are orchestrated by professional threat actors with the skills to rival an enterprise environment. These more sophisticated campaigns can have failover and obfuscation mechanisms and quickly change appearance: One of the observed domains in this campaign is tied to a known malicious source that took advantage of pandemic hardship.

In addition, many of these sites have built-in trust-building activities that users are accustomed to associating with security, such as SSL validation or IT support. As of the publication date of this blog post, more than 180 different domains have been identified, all registered between July 19 and July 21. That number will likely increase as the remediation process continues.

The impact of these sites is remarkable, which is evidenced by how much traffic points to them. These sites garner millions of views, some even ranking in the top 200,000 domains for associated keywords globally for the period, according to AkaRank.

We analyzed some of the most trafficked domains to see their modus operandi and we’ve grouped together some of the sites on the basis of the ways they feign legitimacy: fake IT services, fake solutions, and fake legal support. Note: Some more advanced examples of these malicious sites also include other deceptions, including “phone support” or redirecting to the actual CrowdStrike site, building further credibility with the unsuspecting user.

This type of scam site pretends to be IT professional humans available to aid in quick recovery — and they have an equal level of urgency in tone. The sense of emergency may entice the visitors to provide personal information, which is a common characteristic of a phishing setup. The goal here is to steal sensitive information directly from user input.

A quick read of the instructions makes it seem like a legitimate fix. The files are named “CrowdStrike,” they mention the current issue, and provide a reasonable number of steps. An unsuspecting victim who is looking to get back to work could easily introduce malware into their environment on their own.

This particular IOC (crowdstrikeclaim[.]com) stood out because it is likely part of a widespread phishing infrastructure. The Akamai Security Intelligence Response Team was part of this analysis and identified this domain as having an embedded Facebook ID known to be malicious — one that used to link to covid19-business-help.qualified-case[.]com. That site, in turn, has another embedded Facebook ID that links to approximately 40 other websites.

If you are affected by the outage and are looking for information, we recommend that you consult credible sources such as CrowdStrike or Microsoft. Although other outlets may seem to have more up-to-date information, it may not be accurate — or worse, the site may have a malignant purpose.

If you find yourself on a page that claims to offer assistance with the CrowdStrike outage, there are a few ways you can check legitimacy.

• Check the certificate and issuer of the domain when accessing over HTTPS

• Know that the domain is likely illegitimate if it requests sensitive information, such as credit card numbers, social security numbers, or banking information 

• Only follow recovery information directly from CrowdStrike

• Do not open email attachments that claim to be able fix the issue, even if they arrive from domains that resemble CrowdStrike

Security professionals who are dealing with the effects of this incident also have a few ways to help remediate and limit further exposure.

• Perform a lateral movement gap analysis or adversary emulation. Threat actors with financial aspirations will find more opportunities to drop ransomware into an environment. Although this wasn’t a CVE to be exploited, there are potential technical impacts from a threat actor who knows a critical piece of your security stack. We recommend a gap analysis or even an adversary emulation to get a current view of your threat landscape.

• Block known and related IOCs. There are a number of credible intel sources of known IOCs associated with this campaign, including this list we built. If this list is consistent with your own risk management analysis, block the domains outright, or even DNS sinkhole them, to stop communications with malicious domains. 

It is likely we will see more phishing attempts associated with this issue beyond the time when every device is remediated. A simple scroll through social media can provide  an attacker with a sense of which brands generate the most heightened emotions and which are ripe to impersonate for malevolent gain.

This is an attacker’s job, and it’s important to remember that. Malicious campaign operations function just as we do in legitimate corporations: The victims are their “customers,” and the varied tactics presented in this post show how “plugged in” to their customers they are. They know how to effectively diversify their portfolio to ensure they end up with money in the bank.

It is also notable that due to the public nature of this incident, attackers now have a better understanding of certain targets’ tech stacks. This could become relevant in the event that a future CVE is discovered within the Falcon product. Attackers are only getting more sophisticated, and each additional piece of the tech stack puzzle they have makes that puzzle easier to solve.