Source: Center for Internet Security
On July 19, 2024, at approximately 1:00 a.m. ET, a widespread IT outage began due to a defect in a single CrowdStrike content update. This outage affected numerous Windows hosts globally, including critical U.S. State, Local, Tribal, and Territorial (SLTT) government systems. CrowdStrike has since isolated the issue and deployed a fix.
While SLTT entities strive to maintain critical operations and restore access to affected systems running CrowdStrike Falcon sensors, cyber threat actors (CTAs) are exploiting the situation. They are using phishing lures, typosquatted domains, and malicious ZIP files disguised as CrowdStrike support materials. The Center for Internet Security's Cyber Threat Intelligence (CIS CTI) team continues to monitor these threats, sharing indicators of compromise (IOCs) through the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Malicious Domain Blocking and Reporting (MDBR) service.
Initial Observations and Impact
The MS-ISAC noted substantial disruptions to SLTT member systems, with some organizations continuing to experience issues as they implement CrowdStrike’s fix. Critical sectors such as airlines, railways, healthcare, and financial institutions reported significant disruptions. Some 911 centers had to rely on backup systems, indicating the wide-reaching impact on SLTT subsectors.
This incident underscores the potential scale of disruption when critical systems depend on a single vendor, providing CTAs with opportunities to exploit these dependencies in future attacks.
CTAs' Exploitation of the Incident
The CIS CTI team identified CTAs creating domains that mimic CrowdStrike's infrastructure, likely intended for social engineering. These domains often pose as legitimate CrowdStrike support in order to exploit the urgency and confusion caused by the outage. On July 20, 2024, CrowdStrike Intelligence reported that CTAs were distributing a malicious ZIP archive containing HijackLoader, disguised as a legitimate hotfix file. The IOCs associated with that report are likely in use for malicious purposes.
Historically, CTAs have exploited chaotic situations and urgency to socially engineer users into visiting malicious websites and responding to phishing emails that appear legitimate.
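As an added example (not CIS's or CrowdStrike's own tooling), the following Python flags resolver-log lookups for domains that impersonate the CrowdStrike brand, the typosquatting pattern described above. The log format, the sample domains (on reserved TLDs) and the digit-for-letter table are constructed assumptions; only crowdstrike.com is assumed to be the legitimate vendor domain.

```python
import re
BRAND = "crowdstrike"
LEGIT_DOMAINS = {"crowdstrike.com"}  # the vendor's real domain; everything else is suspect
# Digit-for-letter swaps seen in lookalike names (assumed list, not from the advisory).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})
# Assumed resolver log format: "<timestamp> <client-ip> query <hostname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<host>\S+)$")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels; a real deployment would use a public-suffix list (simplification)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(host: str, max_distance: int = 2) -> bool:
    """True if any label of a non-allowlisted host embeds or closely resembles the brand."""
    if registrable(host) in LEGIT_DOMAINS:
        return False
    for label in host.lower().rstrip(".").split(".")[:-1]:  # skip the TLD itself
        norm = label.replace("-", "").replace("_", "").translate(HOMOGLYPHS)
        if BRAND in norm or edit_distance(norm, BRAND) <= max_distance:
            return True
    return False

def scan_dns_log(lines):
    """Return (client, host) pairs whose queried host looks like a CrowdStrike impersonation."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and is_lookalike(m["host"]):
            hits.append((m["client"], m["host"]))
    return hits

SAMPLE_LOG = [  # constructed lines on reserved TLDs; none of these are real IOCs
    "2024-07-19T08:14:02Z 10.0.0.5 query falcon.crowdstrike.com",
    "2024-07-19T08:15:10Z 10.0.0.7 query crowdstrike-hotfix.example",
    "2024-07-19T08:16:44Z 10.0.0.9 query crowdstr1ke.example",
    "2024-07-19T08:17:03Z 10.0.0.5 query crowdstrike.support-portal.example",
    "2024-07-19T08:18:30Z 10.0.0.7 query www.example.com",
]
print(scan_dns_log(SAMPLE_LOG))  # the three lookalikes; the real vendor host is not flagged
```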
Impacted Sectors
The CrowdStrike content update caused disruptions across several SLTT subsectors and other critical areas, impacting:
Government Administration:
- Department of Motor Vehicles in multiple locations
- Social Security Administration
- Department of Justice (DOJ) reported some computer impacts
Mass Transit Systems:
- Major metro rail systems experienced disruptions but have since recovered
Hospitals/Healthcare:
- At least 11 health systems reported impacts, including canceled surgeries and diverted ambulances
Air Travel (as of July 19, 2024, 12:56 p.m. ET, per FlightAware data):
- Total delays: 31,307
- Delays within, into, or out of the U.S.: 6,169
- Total cancellations: 3,566
- Cancellations within, into, or out of the U.S.: 2,219
Financial Services:
- Payment systems were disrupted, and pharmacies were unable to dispense medication
Conclusion
The CIS CTI team will continue to monitor and disseminate threat intelligence related to this incident. Businesses and organizations must remain vigilant, ensuring robust data privacy and security practices to mitigate risks and safeguard operations.