Crowdstrike-related global IT outage boon for cybercriminals

8.5 million: according to Microsoft, this is the number of Windows devices that were knocked out of service on July 19 after a faulty update to endpoint security software from cybersecurity company CrowdStrike. In a press release issued on July 20, the Redmond-based company said that this represents just 1% of the Windows PC fleet. The damage is no small matter: restoring the affected systems is currently a manual process, carried out device by device, or less commonly automated via a bootable USB key.

Phishing campaign against BBVA customers

The slow and time-consuming recovery of affected devices presents an ideal opportunity for some cybercriminals to deploy their malware. The UK's National Cyber Security Centre (NCSC) stated on the day of the outage that “an increase in phishing attempts related to this outage has (already) been observed”. The US CISA told the same story, recommending that organizations “remind their employees to avoid clicking on phishing emails or suspicious links”.

Researchers at AnyRun, a cloud-based malware analysis service for Windows and Linux, thereby uncovered a phishing campaign targeting customers of the Spanish bank BBVA. In their malicious email, the attackers offer a fake patch for the CrowdStrike update via a portal impersonating the bank (portalintranetgrupobbva(.)com). Once installed, the fake patch contained HijackLoader, malware used to deploy more sophisticated malware payloads, in this case the Remcos remote access tool.

This phishing campaign was also used to deploy attacks aimed at wiping out all of the organization’s data, the researchers noted. An attack which “destroys the system by overwriting files with zero bytes before reporting to Telegram”, AnyRun wrote on X (formerly Twitter). To gain credibility, the cybercriminals trigger a pop-up asking the target user whether they want to “install update”.

Calls from fake employees, fake cyber security researchers…

The Australian Signals Directorate (ASD), Australia’s signals intelligence agency, said on Saturday that “a number of malicious websites and unofficial code are up and running, claiming to help entities recover from widespread outages caused by the CrowdStrike technical incident”. Australia was one of the first countries to be affected by the outage on the night of July 18-19. The incident then caused chaos at Sydney airport, disrupted the country’s main bank and affected the television channels ABC and Sky News Australia.

In addition to these phishing attacks, CrowdStrike warns of other tactics used by cybercriminals, including calls from fake CrowdStrike employees to manipulate victims. The company also warns against “fake cybersecurity researchers”, who claim to have detected a link between the outage and a cyberattack and then suggest malicious remediation techniques. Finally, more than thirty domain names similar to those of CrowdStrike were identified that could be used in future social engineering attacks.
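The lookalike domains mentioned above are the kind of indicator a defender can screen for in proxy or DNS logs. The following Python script is an added example and is not code from the article, CrowdStrike or AnyRun: it flags domains that embed a protected brand name (as the BBVA-impersonating portal named earlier does) or that sit within a small edit distance of it. The brand list, the thresholds and the proxy log lines are constructed for the example; only portalintranetgrupobbva(.)com comes from the article.

```python
import re

# Legitimate domains we want to protect (constructed list for this example).
BRAND_DOMAINS = {"crowdstrike.com", "bbva.com"}

# Constructed proxy log; the BBVA domain is the one reported in the article,
# the other destinations are invented for illustration.
SAMPLE_PROXY_LOG = """\
2024-07-19T10:02:11Z user=alice dst=www.crowdstrike.com action=allow
2024-07-19T10:05:43Z user=bob dst=crowdstrike-update-fix.com action=allow
2024-07-19T10:07:02Z user=carol dst=portalintranetgrupobbva.com action=allow
2024-07-19T10:09:55Z user=dave dst=crowdstrlke.com action=allow
2024-07-19T10:11:30Z user=erin dst=example.org action=allow
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example(.)com' back into a real hostname."""
    return domain.replace("(.)", ".").replace("[.]", ".").lower().strip(".")


def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels (enough for .com/.org style TLDs)."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify(domain: str):
    """Return a reason string if the domain looks like a brand impersonation, else None."""
    d = refang(domain)
    reg = registrable(d)
    if reg in BRAND_DOMAINS:
        return None  # the real brand domain or one of its subdomains
    for brand in sorted(BRAND_DOMAINS):
        name = brand.split(".")[0]
        # Brand name embedded anywhere in a domain the brand does not own.
        if name in d:
            return f"contains {name}"
        # Typo-squat: second-level label within a small, length-scaled edit distance.
        threshold = max(1, len(name) // 5)
        if levenshtein(reg.split(".")[0], name) <= threshold:
            return f"near-miss of {name}"
    return None


def scan_log(log_text: str):
    """Return (destination, reason) pairs for every suspicious 'dst=' in the log."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"dst=(\S+)", line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


if __name__ == "__main__":
    for dst, reason in scan_log(SAMPLE_PROXY_LOG):
        print(f"{dst}: {reason}")
```

The containment check catches the long BBVA-style hostnames that are designed to read like an intranet portal, while the edit-distance check catches single-character substitutions that containment would miss; both ignore genuine subdomains of the brand so that www.crowdstrike.com is never flagged.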
