
Crowdstrike outage becomes an opportunity for hackers globally


While much of the corporate world or anyone using Crowdstrike struggled to understand the outage that put millions of computers around the world out of commission, hackers and cyber crooks were hard at work delivering malware, phishing, and scamming confused people.

Unfortunately, this isn’t a new phenomenon, and it often happens during major global outages like the one we saw last Friday. Threat intelligence firm ThreatMon spotted cybercriminals delivering HijackLoader payloads to its customers in Latin America under the guise of a fix for the Crowdstrike debacle. Malware analysis service Any.Run also found malicious hotfixes that deliver HijackLoader payloads containing Remcos, a remote access tool (RAT) that lets attackers take over infected devices.

Additionally, Falcon Feeds caught a hacktivist group named Handala launching a phishing campaign targeting Crowdstrike users in Israel, tricking them into installing wiper malware on their systems. The group claims that dozens of victim organisations have lost several terabytes of data and has demanded that INCD publish a list of affected organisations before it does so itself.

Other than direct phishing and malware attacks, there’s been a rise in domains referring to Crowdstrike that can be used for malicious purposes, including hosting phishing pages, delivering malware disguised as hotfixes for the outage, or simply scamming unsuspecting users looking for technical support. Popular security company McAfee also reported seeing scams ranging from phishing attacks related to flight rescheduling to cyber crooks posing as banks to steal login information and even retailers requesting alternate payment methods.
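The lookalike-domain activity described above is something a defender can hunt for in their own DNS or proxy logs. The following is an added example, not code from the article or from any vendor named in it: it scans constructed sample DNS query lines for names that reference the CrowdStrike brand (including digit-for-letter substitutions) but do not resolve under the vendor's legitimate registrable domain. The log format, the sample records and the list of legitimate domains are assumptions for illustration.

```python
"""Hunt for brand-lookalike domains in DNS query logs (added example, constructed data)."""

# Constructed sample DNS query log (not real data): timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2024-07-19T10:01:12Z 10.0.4.15 falcon.crowdstrike.com
2024-07-19T10:02:03Z 10.0.4.22 crowdstrike-hotfix.example
2024-07-19T10:02:41Z 10.0.4.22 support-crowdstrike.example
2024-07-19T10:03:10Z 10.0.4.31 www.example.org
2024-07-19T10:04:55Z 10.0.4.15 crowdstr1ke.example
"""

BRAND = "crowdstrike"
# Registrable domains the vendor legitimately uses (assumption: only the primary domain listed).
LEGIT_DOMAINS = {"crowdstrike.com"}

# Digits commonly swapped in for look-alike letters; normalised away before matching.
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels of a hostname (simplification: no public-suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mentions_brand(fqdn: str) -> bool:
    """True if the hostname contains the brand string after homoglyph normalisation."""
    return BRAND in fqdn.lower().translate(HOMOGLYPHS)


def is_legit(fqdn: str) -> bool:
    """True if the hostname sits under one of the vendor's legitimate domains."""
    return registrable_domain(fqdn) in LEGIT_DOMAINS


def parse_dns_log(text: str):
    """Yield (timestamp, client, name) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        yield tuple(parts)


def find_lookalikes(text: str):
    """Return records whose queried name references the brand but is not a legitimate domain."""
    return [rec for rec in parse_dns_log(text)
            if mentions_brand(rec[2]) and not is_legit(rec[2])]


if __name__ == "__main__":
    for ts, client, name in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {name}  (lookalike of {BRAND})")
```

On the sample data this flags the three non-vendor names and leaves the legitimate `falcon.crowdstrike.com` query alone. In production the two-label registrable-domain shortcut should be replaced with a public-suffix-list lookup, and hits are best triaged by domain registration age alongside the client that made the query.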

Government agencies have also started issuing alerts to warn citizens and organisations alike. Both the UK’s NCSC and the US’s CISA have issued alerts warning individuals and organisations to avoid clicking on phishing emails or suspicious links.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
