Threat Actors Exploit CrowdStrike Incident for Phishing, Scams, and Malware Delivery

Individuals and organisations have been warned about threat actors exploiting the CrowdStrike incident for phishing, scams, and malware delivery. The issue began when a routine CrowdStrike sensor update triggered a Blue Screen of Death (BSOD) on Windows systems, causing widespread disruptions. CrowdStrike and Microsoft have provided tools to help affected organisations.

Threat actors, particularly financially motivated groups, have leveraged the incident, creating phishing and scam campaigns. ThreatMon detected archive files named ‘crowdstrike-hotfix’ delivering HijackLoader payloads in Latin America. Malware analysis service Any.Run found that HijackLoader delivers Remcos, a remote access Trojan (RAT). FalconFeeds reported Palestinian hacktivists attempting to trick Israeli organisations into installing wiper malware.

Dozens of domains referencing CrowdStrike have been registered, potentially hosting phishing pages, malware, or scams. Security researchers noted various scams, including phishing attacks and fraudulent bank requests. The UK's NCSC and US's CISA issued alerts about increased phishing activities, urging vigilance.

The incident affected aviation, financial, healthcare, and education sectors, with over 1,500 flights cancelled. Microsoft reported 8.5 million impacted devices, though this represents less than one percent of Windows systems globally. The incident had minimal impact in countries like China and Russia, where American products are less commonly used.

North Korean state actor infiltrates American cyber security firm, attempting to install Malware

American cyber security company KnowBe4 recently discovered that a newly hired Principal Software Engineer was actually a North Korean state actor attempting to install information-stealing malware on its devices. The company detected and prevented the malicious activity, preventing a data breach. This incident underscores the ongoing threat from North Korean IT workers who disguise their identities to secure jobs in American firms, a danger the FBI has warned about since 2023.

North Korea employs a well-organised army of IT professionals who conceal their identities to infiltrate foreign companies. The revenue from these jobs funds the country’s weapons programs and cyber operations. Before hiring the threat actor, KnowBe4 conducted thorough background checks, reference verifications, and video interviews. However, the individual used a stolen U.S. identity and AI-generated images to bypass these checks.

Suspicion arose on July 15, 2024, when KnowBe4's EDR product reported malware activity from the new hire's Mac workstation. The rogue employee aimed to extract credentials and information from previous sessions. Confronted by IT staff, the state actor ceased communication. KnowBe4 advises firms to use sandbox environments for new hires and treat address inconsistencies as red flags.

Microsoft warns of BitLocker recovery mode issue after July 2024 Windows Security Update

Microsoft has issued a warning that some Windows devices might boot into BitLocker recovery mode after installing the July 2024 Windows security updates. BitLocker is a security feature that encrypts storage drives to prevent data theft from lost, stolen, or improperly decommissioned devices.

Following the installation of the July 9, 2024 update (KB5040442), users may see a BitLocker recovery screen upon booting. This issue is more likely if the Device Encryption option is enabled. Impacted users will need to enter their BitLocker recovery key to unlock the drive and boot normally.

Affected platforms include Windows 11 versions 23H2, 22H2, and 21H2, Windows 10 versions 22H2 and 21H2, and several Windows Server releases. The BitLocker recovery key can be retrieved via the BitLocker recovery screen portal using a Microsoft account.

Microsoft is investigating and will provide updates. Similar issues have occurred previously, such as in August 2022 and April 2024.

Critical Docker Engine vulnerability CVE-2024-41110 discovered: Urgent patches released

A critical security vulnerability in Docker Engine, identified as CVE-2024-41110, has been discovered, potentially allowing attackers to bypass authentication and gain unauthorised access to systems. This vulnerability, with a CVSS score of 10, affects multiple Docker Engine versions due to a regression in Docker’s authorisation plugin (AuthZ) system.

Attackers can exploit this by sending a specially crafted API request with a Content-Length set to 0, causing the Docker daemon to improperly process the request and the AuthZ plugin to incorrectly approve it. This could lead to unauthorized actions and privilege escalation.

Affected versions include Docker Engine versions up to v27.1.0 and Docker Desktop up to v4.32.0. The likelihood of exploitation is low, but the potential impact is significant, particularly in production environments.

Docker has released patches, and users are strongly advised to update to the latest versions. Temporary mitigation includes disabling AuthZ plugins and restricting access to the Docker API. Adopting the principle of least privilege and regularly updating security settings are also recommended. Docker Business subscribers can use Settings Management to enforce secure configurations. This incident highlights the need for regular security updates and vigilance in container environments.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.