The Sekuro SOC team has published this advisory to assist all organisations in managing cyber threats seeking to exploit the global IT outage. This blog will be continually updated as our threat hunting activities uncover further adversarial activity.
What are threat actors doing?
Sekuro’s Cyber Security Operations Centre (SOC) is currently tracking increasing use of the recent global IT outage as an avenue to gain malicious access to organisations. This includes, but is not limited to, the release of malicious remediation files, malicious domains and the file hashes associated with them. The observed method of compromise is adversaries offering recovery support to organisations impacted by the widespread application bug, then leveraging that engagement to gain access to the organisation's internal IT infrastructure.
Key references and useful artefacts
CrowdStrike has released a guidance hub which contains key technical information and threat intelligence for this issue. This should be your primary source of truth.
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
What do you need to look out for?
What should Security and IT Ops teams be looking for?
Origin | Activity |
---|---|
External | An increase in external vendors seeking to run remote access tooling. |
External | Anyone claiming to have a one-click fix. |
External | Any advice that deviates from the official CrowdStrike remediation advice should be treated suspiciously. |
Internal | Any suspicious system behaviour that does not match the specific documented impact of this event. |
Internal | Attempts from employees to remediate the issue themselves. |
Internal | Attempts from employees to run unauthorised tooling from untrusted sources to attempt to remediate the issue themselves. |
What should all staff be looking for?
Note: Sekuro recommends broadcasting information to all staff internally to enhance Security Awareness.
Activity | Details |
---|---|
Unsolicited calls from untrusted or unverified third parties purporting to: | • Assist with remediation • Request remote access to company environments, workstations or personal devices • Offer technical assistance which requires remote access or administrative privileges • Send links or files that are unsanctioned or not requested • Ask questions about the impact of outages or system availability. People who need to know will already know, or will have a trusted mechanism for finding out. |
Unverified/unapproved communication channels | • Ensure you are only talking to your trusted internal teams using approved company communication infrastructure • If comms infrastructure is offline, use approved redundant communication infrastructure (if available) • If all corporate comms infrastructure is offline, use direct contact via known details (mobile numbers) |
Anyone asking to uninstall CrowdStrike tooling | • The fix does not require or recommend the uninstallation of Endpoint Protection tooling • Removing CrowdStrike Falcon leaves you exposed to threats |
Anyone asking to configure, uninstall or modify sensitive system files | Such changes will typically be undertaken by your IT Administration team |
Any remediation outside of the official advice provided by CrowdStrike | Should be treated as suspicious until it can be verified by trusted Subject Matter Experts |
Threat intelligence
IOCs (Indicators of Compromise) and IOAs (Indicators of Attack) are streaming in from various threat intelligence sources. We have collated some of them for ease of reference.
We will continue to update this advisory as our Threat Intelligence specialists identify additional indicators.
Source | File |
---|---|
CrowdStrike | https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub (the Additional Resources section contains the specific IOCs that should be used) |
How to look for IOCs
The indicators referenced above are string IOCs (domains, file hashes and IP addresses) that can be ingested into your SIEM, data lake or log management platform, or queried directly on your security / IT assets.
Common places to conduct hunts for these IOCs include but are not limited to:
- SIEM
- Data Lake
- Log Management Platform
- Firewalls
- Web Gateways
- Email Gateways
- Windows Event Logs
- Intrusion Detection / Prevention Systems
- System Tracing telemetry
- Network Tracing telemetry
Hunting queries
These hunting queries assume you are ingesting CrowdStrike FDR telemetry in your SIEM product of choice. The queries can be adapted to the data sources available in your environment from the common sources list above.
Potentially malicious domains impersonating CrowdStrike
Logscale Query Language (LQL)
```lql
in("DomainName", values=["crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com"])
| table([cid, aid, #event_simpleName, ComputerName])
```
Splunk Processing Language (SPL)
```spl
index=
| search DomainName IN ("crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com")
| table DomainName, cid, aid, event_simpleName, aid_computer_name
```
Kusto Query Language (KQL)
```kql
CrowdstrikeReplicator
| where DomainName in ("crowdfalcon-immed-update.com", "crowdstrike-bsod.com", "crowdstrike-helpdesk.com", "crowdstrike.buzz", "crowdstrike0day.com", "crowdstrikebluescreen.com", "crowdstrikeblueteam.com", "crowdstrikebsod.com", "crowdstrikeclaim.com", "crowdstrikedoomsday.com", "crowdstrikedown.com", "crowdstrikedown.site", "crowdstrikefix.com", "crowdstrikefix.zip", "crowdstrikeodayl.com", "crowdstrikeoutage.info", "crowdstrikereport.com", "crowdstriketoken.com", "crowdstrikeupdate.com", "crowdstuck.org", "fix-crowdstrike-apocalypse.com", "fix-crowdstrike-bsod.com", "microsoftcrowdstrike.com", "whatiscrowdstrike.com", "www.crowdstrike0day.com", "www.crowdstrikefix.com", "www.crowdstriketoken.com", "www.fix-crowdstrike-bsod.com", "www.microsoftcrowdstrike.com")
| project DomainName, cid, aid, event_simpleName, aid_computer_name
```
Hunting query for Remcos RAT deployment
Logscale Query Language
```lql
case { in("SHA256HashData", values=["931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea"]); in("RemoteAddressIP4", values=["213.5.130.58"]) }
| table([cid, aid, #event_simpleName, ComputerName])
```
Splunk Processing Language (SPL)
```spl
index=
| search SHA256HashData IN ("931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea")
OR RemoteAddressIP4 IN ("213.5.130.58")
| table cid, aid, event_simpleName, aid_computer_name, SHA256HashData, RemoteAddressIP4
```
Kusto Query Language (KQL)
```kql
CrowdstrikeReplicator
| where SHA256HashData in ("931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6", "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2", "48a3398bbbf24ecd64c27cb2a31e69a6b60e9a69f33fe191bcf5fddbabd9e184", "d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea")
or RemoteAddressIP4 in ("213.5.130.58")
| project cid, aid, event_simpleName, aid_computer_name, SHA256HashData, RemoteAddressIP4
```
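As an added example (not part of Sekuro's advisory or of CrowdStrike's tooling), the same two hunts run in Python over constructed FDR-style events, for cases where the indicators have to be matched outside a SIEM. It uses a subset of the domains, hashes and IP from the queries above, normalises domain names before comparing them, and generalises the exact-match domain test to also catch subdomains of a listed domain; the field names follow the FDR fields used in the queries and the sample events are constructed.

```python
# Indicators copied from the hunting queries above (a subset of the domain list for brevity).
DOMAIN_IOCS = {
    "crowdstrike-bsod.com", "crowdstrikefix.com", "crowdstrikefix.zip",
    "crowdstrike0day.com", "www.crowdstrike0day.com", "fix-crowdstrike-bsod.com",
}
SHA256_IOCS = {
    "931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6",
    "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2",
}
IP_IOCS = {"213.5.130.58"}

def normalise_domain(name):
    """Lowercase and strip whitespace and a trailing root dot, so a stray space
    in a pasted list or an FQDN written as 'host.example.' still compares."""
    return name.strip().lower().rstrip(".")

def domain_matches(name):
    """True for an exact hit or for a subdomain of a listed domain (broader than
    the exact-match queries above, which would miss e.g. cdn.crowdstrikefix.com)."""
    n = normalise_domain(name)
    return any(n == d or n.endswith("." + d) for d in DOMAIN_IOCS)

def hunt(events):
    """Return (event, reasons) for every FDR-style event that hits an indicator."""
    hits = []
    for ev in events:
        reasons = []
        if domain_matches(ev.get("DomainName", "")):
            reasons.append("domain")
        if ev.get("SHA256HashData", "").lower() in SHA256_IOCS:  # case-insensitive compare
            reasons.append("sha256")
        if ev.get("RemoteAddressIP4", "") in IP_IOCS:
            reasons.append("ip")
        if reasons:
            hits.append((ev, reasons))
    return hits

# Constructed sample events using the FDR field names from the queries above.
SAMPLE_EVENTS = [
    {"event_simpleName": "DnsRequest", "ComputerName": "WS01", "DomainName": "cdn.crowdstrikefix.com."},
    {"event_simpleName": "DnsRequest", "ComputerName": "WS02", "DomainName": "www.crowdstrike.com"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03",
     "SHA256HashData": "931308CFE733376E19D6CD2401E27F8B2945CEC0B9C696AEBE7029EA76D45BF6"},
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS03", "RemoteAddressIP4": "213.5.130.58"},
]

if __name__ == "__main__":
    for ev, why in hunt(SAMPLE_EVENTS):
        print(ev["ComputerName"], ev["event_simpleName"], why)
```

The legitimate www.crowdstrike.com lookup in the sample is not flagged, while the lookalike subdomain, the upper-cased hash and the listed IP each produce one hit.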
Further information will be published as the situation develops.