Threat actors are exploiting the massive business disruption from CrowdStrike’s glitchy update on Friday to target companies with data wipers and remote access tools.

As businesses are looking for assistance to fix affected Windows hosts, researchers and government agencies have spotted an increase in phishing emails trying to take advantage of the situation.

Official channel communication

In an update today, CrowdStrike says that it “is actively assisting customers” impacted by the recent content update that crashed millions of Windows hosts worldwide.

The company is advising customers to verify that they communicate with legitimate representatives through official channels, since “adversaries and bad actors will try to exploit events like this.”

The U.K. National Cyber Security Center (NCSC) also warned that it observed an increase in phishing messages aiming to take advantage of the outage.

Automated malware analysis platform AnyRun noticed “an increase in attempts at impersonating CrowdStrike that can potentially lead to phishing” [1, 2, 3].

Malware cloaked as fixes and updates

On Saturday, AnyRun reported that malicious actors had started to exploit the CrowdStrike incident to deliver HijackLoader, which dropped the Remcos remote access tool on the infected system.

To trick victims into installing the malware, the threat actor disguised the HijackLoader payload in a WinRAR archive promising to deliver a hotfix from CrowdStrike.

In another warning, AnyRun announced that attackers were also distributing a data wiper under the pretense of delivering an update from CrowdStrike.

“It decimates the system by overwriting files with zero bytes and then reports it over #Telegram” – AnyRun says.

In another example, the malware analysis platform notes that cybercriminals started to spread other type of malware posing as CrowdStrike updates or bug fixes.

One malicious executable was delivered through a link in a PDF file containing parts of the official update from CrowdStrike. The URL led to an archive named update.zip that included the malicious executable CrowdStrike.exe.

Millions of Windows hosts crashed

The defect in CrowdStrike’s software update had a massive impact on Windows systems at numerous organizations, making it too good an opportunity for cybercriminals to pass.

According to Microsoft, the faulty update “affected 8.5 million Windows devices, or less than one percent of all Windows machines.”

The damage happened in 78 minutes, between 04:09 UTC and 05:27 UTC.

Despite the low percentage of affected systems and CrowdStrike’s effort to correct the issue quickly, the impact was huge.

Computer crashes led to thousands of flights being canceled, disrupted activity at financial companies, brought down hospitals, media organizations, railways, and even impacted emergency services.

In a post-mortem blog post on Saturday, CrowdStrike explains that the cause of the outage was a channel file (sensor configuration) update to Windows hosts (version 7.11 and above) that triggered a logic error leading to a crash.

While the channel file responsible for the crashes has been identified and no longer causes problems, companies that still struggle to restore systems to normal operations can follow CrowdStrike’s instructions to recover individual hosts, BitLocker Keys, and cloud-based environments.