CrowdStrike Alert: Phishing Attacks Target German Customers
2024-08-09 15:00:15 Author: securityboulevard.com

In a recent turn of events, CrowdStrike has issued a warning about a previously unknown threat actor. According to the CrowdStrike alert, the threat actor aims to capitalize on the CrowdStrike Falcon Sensor update. In this article, we’ll dive deep into the details of the alert and how German customers were being targeted. Let’s begin!

CrowdStrike Alert: Spear-Phishing Campaign Uncovered

According to recent media reports on the CrowdStrike alert, the threat actor used the CrowdStrike Falcon Sensor update as a lure to distribute malicious installers. The initiative was part of a targeted campaign aimed at German customers.

Going into further detail, it was discovered that the malicious installers were being distributed through a website that mimicked an unnamed German entity. The installers were a counterfeit version of the CrowdStrike Crash Reporter installer.

It has also been revealed that the website itself was created on July 20th, 2024, just one day after an update from the company led to the crash of around 9 million Windows devices. Four days later, on July 24, 2024, the spear-phishing attempts began.

CrowdStrike Spear-Phishing Campaign Details

As far as the attack details of the CrowdStrike Falcon Sensor exploit are concerned, users were first lured into downloading the malicious installer. When a visitor clicked the “Download” button, the website ran JavaScript (JS) disguised as jQuery v3.7.1, which then fetched the malicious installer.

It’s worth mentioning here that the installer was branded to resemble CrowdStrike, was localized for German users, and could not be run without a password. Those who installed the malicious file were then prompted to enter a “Backend-Server.” Since the installer was password protected, the campaign had to have been highly targeted.

Because the campaign was so narrowly targeted, the intended recipients must already have been given the required input. Providing further details about the attack, an excerpt from the CrowdStrike alert reads:

“The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign. For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution.” 

Assets Used In The Spear-Phishing Campaign

The CrowdStrike alert further details several assets used in the attacks. These assets include:

  • Crowdstrike-office[.]com – a phishing domain that hosts malicious archive files used for executing an information stealer called Lumma.
  • CrowdStrike Falcom.zip – a ZIP file containing a Python-based information stealer being tracked as Connecio. It’s used for collecting external IP addresses, data from web browsers, system information, and more.
  • Outage fix email – an email phishing campaign that launches an installer used to unpack and execute a data wiper.
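The indicators above are the kind a defender would turn into a quick log check. The following is an added example, not code from the article or from CrowdStrike: it re-fangs the alert’s defanged domain, flags brand-lookalike hosts (any host containing “crowdstrike” outside crowdstrike.com, which is assumed here to be the only legitimate brand domain), flags brand-named subdomains under it[.]com, and flags brand-named ZIP/EXE downloads, all run over a few constructed proxy log lines.

```python
import re

# Indicator named in the CrowdStrike alert, kept in the article's defanged form.
DEFANGED_IOCS = ["crowdstrike-office[.]com"]
BRAND = "crowdstrike"
LEGIT_SUFFIXES = ("crowdstrike.com",)  # assumption: the only legitimate brand domain

# Constructed sample proxy log lines (not real traffic): "client host path"
SAMPLE_LOG = """\
10.0.0.5 www.crowdstrike.com /falcon/update
10.0.0.7 crowdstrike-office.com /CrowdStrike Falcom.zip
10.0.0.9 crowdstrike-update.it.com /download/installer.exe
10.0.0.9 code.jquery.com /jquery-3.7.1.min.js
10.0.0.4 example.org /index.html
"""

def refang(ioc):
    """Turn the article's defanged notation (it[.]com) back into a hostname."""
    return ioc.replace("[.]", ".").lower()

def host_is_legit(host):
    """True only for the assumed legitimate brand domain and its subdomains."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def classify_host(host):
    """Return the reasons a host resembles the campaign's infrastructure ([] if none)."""
    host = host.lower().rstrip(".")
    reasons = []
    if host in {refang(i) for i in DEFANGED_IOCS}:
        reasons.append("known-ioc")
    if BRAND in host and not host_is_legit(host):
        reasons.append("brand-lookalike")
    # The alert notes a subdomain registered under it[.]com; flag brand names there.
    if host.endswith(".it.com") and BRAND in host:
        reasons.append("it.com-subdomain")
    return reasons

def scan_log(log):
    """Return (client, host, reasons) for every log line that trips a rule."""
    hits = []
    for line in log.splitlines():
        client, host, path = line.split(" ", 2)  # path may contain spaces
        reasons = classify_host(host)
        # Brand-named archive or executable fetched from a non-brand host.
        if re.search(r"crowdstrike.*\.(zip|exe)$", path, re.I) and not host_is_legit(host):
            reasons.append("brand-named-download")
        if reasons:
            hits.append((client, host, reasons))
    return hits
```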

Conclusion

The recent CrowdStrike alert highlights the sophisticated tactics of a new threat actor exploiting the Falcon Sensor update fiasco. By targeting German customers with spear-phishing, the attackers used a fake website and malicious installers to compromise systems.

CrowdStrike’s vigilance and detailed analysis highlight the ongoing battle against cyber threats. Amid such circumstances, implementing stringent security protocols is now necessary to safeguard against online threats.

The sources for the piece include articles in The Hacker News and CrowdStrike.

The post CrowdStrike Alert: Phishing Attacks Targets German Customers appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/crowdstrike-alert-phishing-attacks-targets-german-customers/

Article source: https://securityboulevard.com/2024/08/crowdstrike-alert-phishing-attacks-targets-german-customers/