Effective URL: https://www.reliaquest.com/blog/crowdstrike-outage-script-phishing-and-social-engineering-attacks/?utm_source=marketo&utm_m...


CROWDSTRIKE OUTAGE: SCRIPT, PHISHING, AND SOCIAL ENGINEERING ATTACKS

ReliaQuest Threat Research Team 19 July 2024
 * Emerging Threats
 * Threat Research




TABLE OF CONTENTS

 1. Latest Updates
 2. Initial Coverage
 3. Potential Attack: Fake Scripts
 4. Potential Attack: Phishing
 5. Potential Attack: Social Engineering
 6. Threat Forecast
 7. What ReliaQuest Is Doing
 8. Official Mitigation from CrowdStrike

Key Points

 * On July 19, 2024, a CrowdStrike update caused millions of Windows users
   globally to experience the blue screen of death (BSOD), leading to system
   shutdowns. CrowdStrike has identified and fixed the issue.
 * ReliaQuest warns of fake PowerShell and Batch scripts posing as fixes, likely
   to appear on platforms like GitHub. These scripts can install dangerous
   software like Cobalt Strike, enabling unauthorized access.
 * A surge in new domains claiming to offer fixes has been detected. These
   domains may be used for phishing or malware distribution. Users must verify
   the authenticity of any site or email before taking action.
 * The confusion from the outage creates opportunities for social engineering
   attacks. Cybercriminals may impersonate IT personnel or cybersecurity firms,
   tricking users into revealing sensitive information or downloading malware.
 * July 22 update: Attackers are distributing malware disguised as a CrowdStrike
   fix or via Microsoft Word docs that contain harmful macro code.
 * July 22 update: Microsoft has introduced an updated recovery tool that offers
   two repair options to help IT administrators speed up the repair process.



Updated July 22


ATTACKERS DISTRIBUTE MALICIOUS RECOVERY FILES

On July 22, ReliaQuest identified threat actors distributing malware
masquerading as a fix for the CrowdStrike blue screen of death (BSOD) error. In
one instance, attackers are sending phishing emails carrying a ZIP file named
“crowdstrike-hotfix.zip” that deploys the Remcos remote access trojan (RAT).


IOCs:

 * fef212ec979f2fe2f48641160aadeb86b83f7b35
 * 66fbe2b33e545062a1399a4962b9af4fbbd4b356
 * 5b2f56953b3c925693386cae5974251479f03928
 * 4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
 * 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0
 * 213[.]5[.]130[.]58

Additionally, attackers have been observed distributing malicious Microsoft Word
documents containing harmful macro code. When these macros are enabled and
executed, they download information-stealing malware.


IOCs:

 * 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
 * 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a
 * 172[.]104[.]160[.]126


MICROSOFT RELEASES RECOVERY TOOL

Following the issue with the CrowdStrike Falcon agent affecting Windows clients
and servers, Microsoft has introduced an updated recovery tool that offers two
repair options to help IT administrators speed up the repair process.

 * Recover from WinPE: This option creates boot media to aid in repairing the
   device.
 * Recover from Safe Mode: This option generates boot media allowing impacted
   devices to boot into safe mode. Users can then log in with an account that
   has local admin privileges and follow the remediation steps.

Microsoft has published detailed instructions alongside the tool.



Initial Coverage, July 19

On July 19, 2024, a critical issue stemming from a CrowdStrike update resulted
in millions of Windows users globally experiencing the blue screen of death
(BSOD) error, causing their systems to shut down or restart. CrowdStrike has
acknowledged the problem, attributing it to updates made to its Falcon Sensor.
CrowdStrike has provided workaround steps for impacted users and stated that the
issue has been identified and isolated and a fix deployed. They have assured
users that Linux and Mac hosts remain unaffected and confirmed that this
incident is not the result of a cyber attack.

Users on cybercriminal forums were quick to begin discussing the issue. For
instance, a user with the moniker “ART 46,” who purported to represent a new
hacking group, claimed responsibility for the incident. This claim was widely
dismissed by forum users and moderators, who demanded evidence for the
allegation. Due to the lack of proof, the user was subsequently banned by the
forum moderator and the claim dismissed (see Figure 1).

At the time of writing, there is no indication of threat actor involvement in
the incident, but there is clear evidence that cybercriminals are aware of the
situation. As businesses around the world respond to events related to
CrowdStrike outages, threat actors are exploiting the ensuing chaos to prey on
organizations at their weakest. This Spotlight details areas that may be abused
by threat actors, helping organizations to shore up their defenses and remain
vigilant against potential threats.



Figure 1: Forum moderator dismisses cybercriminal involvement in CrowdStrike
outage


POTENTIAL CYBERCRIMINAL ACTIVITY




FAKE SCRIPTS

Threat actors are poised to prey on users urgently seeking a fix for the
CrowdStrike update issue by publishing malicious scripts that masquerade as
genuine remediation. ReliaQuest expects these PowerShell and Batch scripts to
proliferate in the immediate future on code-sharing platforms such as GitHub.
Once executed, such a script can drop additional payloads such as Cobalt Strike
or a remote monitoring and management (RMM) tool, giving the attacker persistent
remote access to the host. The pressure to get systems back online makes users
especially likely to run whatever claims to work. Verify the origin and the
contents of any script before executing it.

Recommendations to Combat This Threat

 * Only follow official vendor recommendations to remediate the update issue.
 * Verify the source of any scripts created to automate the remediation process.
 * Advise users not to download any software that advertises itself as a USB
   solution to restore impacted machines. Threat actors may promote fake fixes
   that, when downloaded, infect the initial system.
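The "verify the source of any script" recommendation above is easier to follow with a repeatable check. The following PowerShell function is an added example, not ReliaQuest's or CrowdStrike's code: it hashes a candidate "fix" script against the IOC hashes published in this post's July 22 update, checks its Authenticode status, and greps it for download-and-execute primitives and Defender tampering that have no place in a script whose only legitimate job is deleting one driver file. The script path, the pattern list and the idea that the vendor's own scripts would be signed are assumptions; the pattern list is a starting point, not a complete rule.

```powershell
# Added example (not ReliaQuest's code): triage a downloaded "fix" script before anyone runs it.
# Assumptions: -ScriptPath is the candidate file; the hash list is the IOC list from this post's
# July 22 update; the suspicious-pattern list is an illustrative starting point, not a complete rule.

$KnownBadHashes = @(
    'fef212ec979f2fe2f48641160aadeb86b83f7b35',                          # SHA-1 IOCs from the post
    '66fbe2b33e545062a1399a4962b9af4fbbd4b356',
    '5b2f56953b3c925693386cae5974251479f03928',
    '4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3',  # SHA-256 IOCs from the post
    '19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0',
    '803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61',
    '4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a'
) | ForEach-Object { $_.ToUpperInvariant() }

# A genuine workaround only deletes one driver file; none of these belong in it (regex, case-insensitive).
$SuspiciousPatterns = @(
    'Invoke-Expression', '\biex\b', 'DownloadString', 'DownloadFile', 'Invoke-WebRequest',
    'Start-BitsTransfer', '-EncodedCommand', 'FromBase64String', 'Add-MpPreference',
    'Set-MpPreference', 'New-ScheduledTask', 'certutil', 'mshta', 'rundll32', 'regsvr32'
)

function Test-RemediationScript {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptPath)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Known-bad hash match (SHA-1 and SHA-256, since the post publishes both).
    $sha256 = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
    $sha1   = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA1).Hash
    if (($KnownBadHashes -contains $sha256) -or ($KnownBadHashes -contains $sha1)) {
        $findings.Add("SHA-256 $sha256 matches a published IOC")
    }

    # 2. Authenticode: unsigned or tampered is a finding; a valid signature is only a lead to verify.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    $signer = $null
    if ($sig.Status -eq 'Valid') {
        $signer = $sig.SignerCertificate.Subject
    } else {
        $findings.Add("Authenticode status is '$($sig.Status)'")
    }

    # 3. Content review: download/execute primitives and AV tampering have no place in the workaround.
    $content = Get-Content -LiteralPath $ScriptPath -Raw
    foreach ($pattern in $SuspiciousPatterns) {
        if ($content -match $pattern) { $findings.Add("contains '$pattern'") }
    }
    if ($content -notmatch 'C-00000291') {
        $findings.Add('never references the C-00000291*.sys channel file the workaround removes')
    }

    $verdict = if ($findings.Count -gt 0) { 'DO NOT RUN - review findings' }
               else { 'No automated findings - still read it before running' }

    [pscustomobject]@{
        Path     = $ScriptPath
        SHA256   = $sha256
        Signer   = $signer
        Verdict  = $verdict
        Findings = $findings
    }
}

# Usage (review the output; an empty Findings list is not a clean bill of health):
# Test-RemediationScript -ScriptPath 'C:\Users\me\Downloads\crowdstrike-fix.ps1' | Format-List
```

The hash check only catches samples that are already known; the signature and content checks are what catch the next repackaged copy. Treat a valid signature as something to confirm against the publisher you expect, not as approval on its own.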




PHISHING DOMAINS

ReliaQuest has detected a surge in newly registered impersonating domains
following the CrowdStrike outage, many of which claim to offer fixes or helpful
information. Users should exercise caution: cybercriminals are adept at
registering lookalike domains to distribute malware or host phishing pages, and
even a plausible-looking domain can be used to send phishing emails that lure
victims into downloading malicious software or divulging sensitive information
such as credentials or payment card details. The US Cybersecurity and
Infrastructure Security Agency (CISA) and the UK’s National Cyber Security
Centre (NCSC) have already reported an uptick in phishing campaigns exploiting
the outage. Threat actors are seizing this opportunity to deceive and compromise
unsuspecting users. Verify the authenticity of any site or email before taking
action on it.

Below are several domains we observed being created today that have the
potential to be used for phishing campaigns or scams.

 * crowdstrike[.]fail
 * crowdstrikeoopsie[.]com
 * crowdstrike-bsod[.]com
 * crowdstrikefix[.]zip
 * crowdstrikebug[.]com
 * crowdstrikedown[.]site
 * crowdstrikebluescreen[.]com
 * crowdstrikeoutage[.]info
 * crowdstrikedoomsday[.]com
 * crowdstriketoken[.]com
 * crowdstrikeoutage[.]com
 * crowdstrikeupdate[.]com
 * isitcrowdstrike[.]com
 * crowdstrikebsod[.]com
 * fix-crowdstrike-bsod[.]com
 * crowdstrike-helpdesk[.]com
 * crowdstrike0day[.]com
 * crowdstrikeclaim[.]com
 * crowdstrikedown[.]com
 * crowdstrikefail[.]com
 * crowdstrikefix[.]com
 * crowdstrikereport[.]com
 * fix-crowdstrike-apocalypse[.]com
 * microsoftcrowdstrike[.]com
 * iscrowdstrikedown[.]com
 * suportecrowdstrike[.]com
 * whatiscrowdstrike[.]com

Recommendations to Combat This Threat

 * Be cautious of links posted on social media unless they come from an official
   or trusted source.
 * Report suspicious emails and do not click on links received from unsolicited
   emails regarding the outage.
 * Visit the vendor’s legitimate website for recommendations and consult
   reliable IT or security providers for additional support.
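A defender's first use of the domain list above is to sweep DNS and proxy logs for it. The PowerShell below is an added example, not ReliaQuest's code or tooling: it refangs the published list, then scans log lines for hostnames, skipping an allow list of legitimate vendor domains, flagging exact matches on the published lookalikes, and flagging as a heuristic any other domain that embeds "crowdstrike", since the list is a snapshot and new registrations will not be on it. The log format, the sample lines and the allow list are constructed for the example, and the registrable-domain helper is a deliberately naive last-two-labels split.

```powershell
# Added example (not ReliaQuest's code): sweep DNS and proxy logs for the lookalike domains listed
# above. Assumptions: the log lines are constructed samples in a made-up format; $AllowList holds
# your legitimate vendor domain(s); the registrable-domain helper is a naive last-two-labels split.

$LookalikeDomains = @(
    'crowdstrike[.]fail', 'crowdstrikeoopsie[.]com', 'crowdstrike-bsod[.]com', 'crowdstrikefix[.]zip',
    'crowdstrikebug[.]com', 'crowdstrikedown[.]site', 'crowdstrikebluescreen[.]com',
    'crowdstrikeoutage[.]info', 'crowdstrikedoomsday[.]com', 'crowdstriketoken[.]com',
    'crowdstrikeoutage[.]com', 'crowdstrikeupdate[.]com', 'isitcrowdstrike[.]com',
    'crowdstrikebsod[.]com', 'fix-crowdstrike-bsod[.]com', 'crowdstrike-helpdesk[.]com',
    'crowdstrike0day[.]com', 'crowdstrikeclaim[.]com', 'crowdstrikedown[.]com',
    'crowdstrikefail[.]com', 'crowdstrikefix[.]com', 'crowdstrikereport[.]com',
    'fix-crowdstrike-apocalypse[.]com', 'microsoftcrowdstrike[.]com', 'iscrowdstrikedown[.]com',
    'suportecrowdstrike[.]com', 'whatiscrowdstrike[.]com'
) | ForEach-Object { $_.Replace('[.]', '.').ToLowerInvariant() }   # refang for matching

$AllowList = @('crowdstrike.com')   # assumption: the only domain your real sensor/console uses

function Get-RegistrableDomain {
    # Naive eTLD+1 (last two labels). Fine for .com/.info/.site/.zip/.fail; extend for .co.uk and friends.
    param([string]$Name)
    $labels = $Name.Trim('.').ToLowerInvariant() -split '\.'
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Find-LookalikeHits {
    param([string[]]$LogLines)
    # Anything that looks like a dotted hostname ending in an alphabetic TLD.
    $hostRegex = '(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b'
    foreach ($line in $LogLines) {
        foreach ($m in [regex]::Matches($line, $hostRegex)) {
            $name = $m.Groups[1].Value.ToLowerInvariant()
            $reg  = Get-RegistrableDomain -Name $name
            if ($AllowList -contains $reg) { continue }
            $reason = $null
            if ($LookalikeDomains -contains $reg) { $reason = 'published lookalike domain' }
            elseif ($name -like '*crowdstrike*')  { $reason = 'unlisted domain containing "crowdstrike"' }
            if ($reason) {
                [pscustomobject]@{ Host = $name; Registrable = $reg; Reason = $reason; Line = $line }
            }
        }
    }
}

# Constructed sample lines (not real telemetry): benign, allow-listed, listed lookalike, new variant.
$Sample = @(
    '2024-07-19T14:02:11Z dns   client=10.1.4.22 query=login.microsoftonline.com type=A',
    '2024-07-19T14:03:40Z dns   client=10.1.4.22 query=falcon.crowdstrike.com type=A',
    '2024-07-19T14:05:02Z proxy client=10.1.7.9  url=https://crowdstrikefix.zip/hotfix.zip status=200',
    '2024-07-19T14:06:55Z dns   client=10.1.9.3  query=crowdstrike-recovery-tool.com type=A'
)
Find-LookalikeHits -LogLines $Sample | Format-Table Host, Reason -AutoSize
```

Pipe real exports in place of `$Sample` (for example `Get-Content .\dns.log | Find-LookalikeHits`-style wrapping, or the lines from your SIEM export). The substring heuristic will also surface hosts such as vendor status pages and news sites that mention the vendor in a subdomain; review those rather than tuning the heuristic away, because that is exactly the namespace an attacker will squat next.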




SOCIAL ENGINEERING

This incident has plunged millions of users into confusion, creating a prime
opportunity for cybercriminals. Threat actors will exploit the situation for
financial gain or to breach security defenses. History has shown that
adversaries routinely leverage current events, from tax season to major cyber
attacks, to deceive unsuspecting victims, and with the disruption caused by the
update it is highly likely that attackers will target affected companies with
social engineering.

Using public outage trackers such as Downdetector, cybercriminals can easily
identify impacted organizations and launch phishing or vishing (voice phishing)
campaigns against them. They may impersonate IT personnel from the affected
company, or representatives of cybersecurity firms such as CrowdStrike,
promising to fix the issue or to provide preventative measures. In such
scenarios, users may unwittingly divulge sensitive information, visit malicious
websites, or install unauthorized applications, leading to compromised
credentials or remote access for the attacker. The sense of urgency and the
desire for a quick resolution make users especially susceptible, so everyone
should remain skeptical of unsolicited offers of help.

Recommendations to Combat This Threat

 * Educate users to be extra cautious about potential phishing emails,
   suspicious phone calls, or unusual user behaviors.
 * Implement certificate-based authentication policies and use digital
   certificates to verify user authenticity during the login process.
 * Incorporate alternative authentication methods, such as biometrics and
   adaptive authentication, to enhance security.




THREAT FORECAST

In the coming days and weeks, financially motivated threat actors will exploit
the confusion and concern caused by the CrowdStrike outage to launch targeted
attacks on individuals and organizations. These adversaries may exploit the
situation by crafting malicious scripts disguised as legitimate fixes, ready to
infect systems with harmful software. They might also conduct phishing campaigns
to trick users into downloading malware and compromising their credentials.
Furthermore, they may execute social engineering attacks, posing as IT personnel
to deceive and manipulate victims. We have just explored three options here, but
there are many other ways in which attackers may take advantage of the
situation. Organizations must recognize this heightened threat and strictly
adhere to official remediation advice to safeguard against these opportunistic
exploits.




WHAT RELIAQUEST IS DOING

To help organizations mitigate the risk, ReliaQuest is actively watching out for
impersonating domains, as well as additional dark web communications discussing
attacks or developing threats. We will continue to monitor the situation and
release new updates as they become available.




OFFICIAL REMEDIATION ADVICE

Currently there is no remotely deployable fix: the workaround cannot be pushed
at scale, so each affected host needs hands-on remediation, which stretches
recovery times to weeks rather than days or hours.

CrowdStrike customers should first forcibly shut down and reboot affected
systems to give the sensor a chance to download the reverted channel file. If a
system continues to crash, the following workaround steps are recommended.

 * Boot Windows into Safe Mode or the Windows Recovery Environment
 * Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
 * Locate the file matching “C-00000291*.sys” and delete it
 * Boot the host normally

Note that hosts protected by BitLocker may require the recovery key to complete
these steps. CrowdStrike has published additional remediation guidance on its
own site.
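The four workaround steps above, written as a PowerShell function to run on the affected host from Safe Mode. This is an added example and is not CrowdStrike's or ReliaQuest's own script: it refuses to run outside Safe Mode unless you confirm (for the case where the system volume is mounted from WinRE under another drive letter, which you then pass as -DriverDir), supports -WhatIf for a dry run, records the hash of each file it removes, and does nothing if no matching file is present. The driver directory and file pattern are the ones given in the steps above; the Safe Mode detection via the SAFEBOOT_OPTION environment variable is the standard Windows indicator.

```powershell
# Added example (not CrowdStrike's or ReliaQuest's code): the manual workaround above as a function
# to run on an affected host from Safe Mode. Assumptions: the driver path and file pattern are the
# ones in the steps above; BitLocker-protected hosts need the recovery key just to reach this point.

function Remove-BadChannelFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
        [string]$Pattern   = 'C-00000291*.sys'
    )

    # Windows sets SAFEBOOT_OPTION (Minimal/Network) only when booted into Safe Mode.
    # A host that booted normally does not need this; from WinRE the variable is absent, so ask.
    if (-not $env:SAFEBOOT_OPTION -and -not $PSCmdlet.ShouldContinue(
            "Not running in Safe Mode. Continue anyway (e.g. offline volume mounted from WinRE)?",
            'Safe Mode check')) {
        return
    }

    if (-not (Test-Path -LiteralPath $DriverDir)) {
        Write-Warning "Driver directory not found: $DriverDir (system volume under another letter? pass -DriverDir)"
        return
    }

    $files = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File)
    if ($files.Count -eq 0) {
        Write-Host "No file matching $Pattern in $DriverDir; nothing to remove."
        return
    }

    foreach ($f in $files) {
        # Keep an audit record of exactly what was removed before deleting it.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if ($PSCmdlet.ShouldProcess($f.FullName, "Delete channel file (SHA256 $hash)")) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Removed $($f.Name) ($hash). Boot the host normally so the sensor can fetch the reverted file."
        }
    }
}

# Dry run first, then the real thing:
# Remove-BadChannelFile -WhatIf
# Remove-BadChannelFile
```

Keep the printed hashes: they let you confirm afterwards that only the faulty channel file was touched and give the incident record something better than "we deleted a file".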



ReliaQuest Threat Research Team

The ReliaQuest Threat Research Team comprises SOC experts, security researchers,
security practitioners, and intelligence analysts dedicated to bringing you the
latest global analysis and essential updates within cyberthreat intelligence for
your organization.
