The Sekuro SOC team has published this advisory to assist all organisations in managing cyber threats seeking to exploit the global IT outage. This blog will be continually updated as our threat hunting activities uncover further adversarial activity.
What are threat actors doing?
Sekuro’s Cyber Security Operations Centre (SOC) is currently tracking the increasing use of the recent global IT outage as an avenue to gain malicious access to organisations. This includes, but is not limited to, the release of malicious remediation files, malicious domains, and the file hashes associated with them. The observed method of compromise is adversaries offering recovery support to organisations impacted by the widespread application bug, then leveraging that contact to gain access to the organisation's internal IT infrastructure.
Key references and useful artefacts
CrowdStrike has released a guidance hub which contains key technical information and threat intelligence for this issue. This should be your primary source of truth.
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
What do you need to look out for?
What should Security and IT Ops teams be looking for?
What should all staff be looking for?
Note: Sekuro recommends broadcasting information to all staff internally to enhance Security Awareness.
Threat intelligence
IOCs (Indicators of Compromise) and IOAs (Indicators of Attack) are streaming in from various threat intelligence sources. We have collated some of them for ease of reference.
We will continue to update this advisory as our Threat Intelligence specialists identify additional indicators.
How to look for IOCs
These are common string IOCs that can be loaded into your SIEM, Data Lake or Log Management platform, or queried directly on your security and IT assets.
Common places to conduct hunts for these IOCs include but are not limited to:
- SIEM
- Data Lake
- Log Management Platform
- Firewalls
- Web Gateways
- Email Gateways
- Windows Event Logs
- Intrusion Detection / Prevention Systems
- System Tracing telemetry
- Network Tracing telemetry
Hunting queries
These hunting queries assume you are ingesting CrowdStrike FDR telemetry in your SIEM product of choice. The queries can be adapted to the data sources available in your environment from the common sources list above.
Potentially malicious domains impersonating CrowdStrike
Logscale Query Language (LQL)
in("DomainName", values=["crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com"])
| table([cid, aid, #event_simpleName, ComputerName])
Splunk Processing Language (SPL)
index=
| search DomainName IN ("crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com")
| table DomainName, cid, aid, event_simpleName, aid_computer_name
Kusto Query Language (KQL)
CrowdstrikeReplicator
| where DomainName in ("crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com")
| project DomainName, cid, aid, event_simpleName, aid_computer_name
Hunting query for Remcos RAT deployment
Logscale Query Language
case { in("SHA256HashData", values=["931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea"]); in("RemoteAddressIP4", values=["213.5.130.58"]) }
| table([cid, aid, #event_simpleName, ComputerName])
Splunk Processing Language (SPL)
index=
| search SHA256HashData IN ("931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea")
OR RemoteAddressIP4 IN ("213.5.130.58")
| table cid, aid, event_simpleName, aid_computer_name, SHA256HashData, RemoteAddressIP4
Kusto Query Language (KQL)
CrowdstrikeReplicator
| where SHA256HashData in ("931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea")
or RemoteAddressIP4 in ("213.5.130.58")
| project cid, aid, event_simpleName, aid_computer_name, SHA256HashData, RemoteAddressIP4
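For teams that cannot run the SIEM queries above (no SIEM, an exported FDR slice, or telemetry pulled straight off a host), the same hunt can be done offline. The following is an added example written for this advisory, not Sekuro's or CrowdStrike's own tooling: it sweeps newline-delimited JSON events that use the FDR field names from the queries above (DomainName, SHA256HashData, RemoteAddressIP4, ComputerName, event_simpleName) against a subset of the advisory's IOCs. It also applies the normalisation the exact-match queries lack, so a stray trailing space, mixed case, a trailing dot or a "www." prefix on the observed domain or hash does not cause a miss. The sample events are constructed for illustration and are not real telemetry.

```python
"""Offline IOC sweep over CrowdStrike FDR-style JSON events (added example, not Sekuro's code)."""
import json

# IOC values copied from the advisory's hunting queries (subset of the domain list).
PHISHING_DOMAINS = {
    "crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com",
    "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeoutage.info",
    "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "www.crowdstrikefix.com",
}
REMCOS_SHA256 = {
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
    "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184",
    "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea",
}
REMCOS_C2_IPS = {"213.5.130.58"}


def normalise_domain(value):
    """Lower-case, trim whitespace and a trailing dot, and drop a leading 'www.'
    so 'WWW.CrowdStrikeFix.com.' and 'crowdstrikefix.com ' both hit the same IOC."""
    domain = value.strip().lower().rstrip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    return domain


# Normalise the IOC list once so the comparison is exact-match on canonical form.
DOMAIN_IOCS = {normalise_domain(d) for d in PHISHING_DOMAINS}


def match_event(event):
    """Return a list of (ioc_type, canonical_value) hits for one FDR-style event dict."""
    hits = []
    domain = event.get("DomainName")
    if domain and normalise_domain(domain) in DOMAIN_IOCS:
        hits.append(("domain", normalise_domain(domain)))
    sha = event.get("SHA256HashData")
    if sha and sha.strip().lower() in REMCOS_SHA256:
        hits.append(("sha256", sha.strip().lower()))
    ip = event.get("RemoteAddressIP4")
    if ip and ip.strip() in REMCOS_C2_IPS:
        hits.append(("ip", ip.strip()))
    return hits


def sweep(lines):
    """Scan newline-delimited JSON events and return (ComputerName, event_simpleName, hits)
    for every event that matches at least one IOC. Malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event)
        if hits:
            findings.append((event.get("ComputerName", "?"),
                             event.get("event_simpleName", "?"), hits))
    return findings


# Constructed sample telemetry for the demonstration; none of this is real data.
SAMPLE_EVENTS = [
    '{"event_simpleName": "DnsRequest", "ComputerName": "WS-042", "aid": "a1", "cid": "c1", '
    '"DomainName": "WWW.CrowdStrikeFix.com."}',
    '{"event_simpleName": "ProcessRollup2", "ComputerName": "WS-042", "aid": "a1", "cid": "c1", '
    '"SHA256HashData": "931308CFE733376E19D6CD2401E27F8B2945CEC0B9C696AEBE7029EA76D45BF6"}',
    '{"event_simpleName": "DnsRequest", "ComputerName": "WS-007", "aid": "a2", "cid": "c1", '
    '"DomainName": "www.crowdstrike.com"}',
    '{"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS-007", "aid": "a2", "cid": "c1", '
    '"RemoteAddressIP4": "213.5.130.58"}',
    'this line is not json and is skipped',
]

if __name__ == "__main__":
    for host, event_name, hits in sweep(SAMPLE_EVENTS):
        print(f"{host}\t{event_name}\t{hits}")
```

To run it against a real export, replace SAMPLE_EVENTS with the lines of an FDR JSON file (for example `sweep(open("events.json"))`). Matching is against the normalised form on both sides, so extend the IOC sets as Sekuro and CrowdStrike publish more indicators without worrying about case or the "www." variants in the list.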
Further information will be published as the situation develops.