Threat Briefing: July 26, 2024

Threat Intel Update

This week, we experienced global IT outages due to an issue with an update for CrowdStrike. The outage affected 8.5% of computers running Windows, causing massive flight delays and disrupting business operations for companies worldwide. Cyber threat actors were quick to take advantage of the incident by deploying malware and running phishing campaigns. This is a clear example of how quickly cyber threat actors capitalize on global events to launch cyber attacks.

Researchers found over 2,000 domains related to CrowdStrike since the outage, likely intended for malicious cyber activity, demonstrating how quickly security and IT Teams need to respond to cybersecurity incidents.

Cybersecurity News

  • Cyber Threat Actors Exploiting Global IT Outage Caused by CrowdStrike Software Update – The incident has been exploited by cyber threat actors to deploy various types of malware. Phishing emails have been used to distribute infostealers such as Daolpu, targeting CrowdStrike customers in Latin America, and the Connecio information stealer. A wiper malware variant has also been distributed by a pro-Palestinian hacktivist group. Since the incident occurred, over 2,000 CrowdStrike-related domains have been registered, and over 190 certificates have been generated for likely fake CrowdStrike domains. CyberScoop
  • CrowdStrike Outage Will Lead to Large Financial Losses for Banking and Healthcare Sectors – Estimates from Parametrix Solutions indicate that 125 of the 500 most profitable publicly traded companies suffered an outage due to CrowdStrike. It is estimated these companies will lose a total of $5.4 billion. Cyber insurance policies will cover a portion of the losses, which could in turn mean large losses for cyber insurance companies. Bank Info Security
  • Over 3,000 GitHub Accounts Used to Distribute Malware – The malware campaign is tied to a threat actor tracked as Stargazer Goblin, active since August 2022. The GitHub accounts have been used to distribute a variety of infostealers, such as Lumma, RedLine, Atlantida, and RisePro. Since July 2023, Stargazer Goblin has made an estimated $100,000 from its malicious activity. Security Week
  • U.S. Treasury Department Sanctions Two Members of the Cyber Army of Russia Reborn (CARR) for Attack on Texas Water Facilities – CARR is a Russian hacktivist group linked to the Russian government’s Main Intelligence Directorate unit known as “Sandworm.” The two Russians caused water storage tanks to overflow in multiple Texas counties in January 2024. The Treasury Department has also sanctioned members of the Iranian government for conducting cyber attacks against water facilities in Pennsylvania in 2023. CyberScoop
  • Cybercriminal Group Operates Artificial Intelligence Integrated Phishing Kit Targeting Financial Institution Customers – The group tracked as GXC Team, a Spanish-speaking cybercriminal group, has targeted over 30 financial institutions in Spain as well as government and financial institutions around the world. The phishing kits offered by the GXC Team can be purchased or leased for $150 to $900 a month. The group has been linked to almost 300 phishing domains and also sells stolen banking credentials. GXC Team also operates an SMS one-time password stealer that poses as an Android-based banking app and requests permission to become the default SMS app, allowing it to collect and exfiltrate one-time passwords. The Hacker News

About the Author

CampusGuard Threat Intel Team