Tuesday, 23 July 2024

Three('s a Crowd)Strikes and You’re Out: Infringing domain registrations after a bug in CrowdStrike's antivirus software

Overview 

The recent bug in CrowdStrike's 'Falcon Sensor' antivirus software, which triggered errors in around 8.5 million Microsoft Windows systems worldwide, has been compared to the 2017 WannaCry ransomware attack. However, it is at least an order of magnitude more significant in terms of impact. In this article, we consider the spike in potentially infringing CrowdStrike-related domain registrations which immediately followed the emergence of the issue. 

Introduction 

The corruption of a CrowdStrike software update led to massive IT outages across the world, affecting a range of industries, including aviation, healthcare and banking - and causing a large drop in CrowdStrike's share price[1]. A fix was deployed relatively quickly, but - unsurprisingly, and in keeping with the patterns that have followed a huge variety of prior events - the issue was exploited by a range of bad actors capitalising on increased public interest in the CrowdStrike brand and on users seeking information and assistance. One manifestation of this activity was a spike in the number of related domain registrations, as initially reported by security service provider Secureworks[2,3], with warnings also being given about the likelihood of continued scam activity[4].

Domain registration analysis 

In order to assess the scale of the infringing domain registrations issue, we consider the set of gTLD[5] domains with names containing the CrowdStrike brand name, through analysis of domain zone-file data. As of the date of analysis (22-Jul-2024), 692 such domains were identified, of which 475 were likely official (i.e. under the ownership of CrowdStrike). Of the remainder, domain creation dates were available (via automated look-up) for 133 of the domains, of which 69 (52%) were registered in the three-day period between 19 and 21 July (Figure 1).  

Figure 1: Numbers of registered CrowdStrike-related domains, by date of creation (for the last year) 

The statistics provide some indication that the peak in activity has now passed (with 42, 19 and 8 domains registered on each of the last three days, respectively). However, this may in part be due to the fact that new registrations can take up to a few days to appear in the zone files.  

For the 69 domains registered since the emergence of the news story, there is a familiar mix of content types. 26 (37%) do not currently resolve to any live content (14 with no site response, and 12 displaying placeholder pages), which is typical of sites kept in a 'dormant' state before subsequently being 'weaponised'. A further 24 (35%) resolve to pages displaying pay-per-click ads, as a way of monetising the incoming web traffic, and the remaining 19 display substantive website content. The keyword patterns are also informative, with eight of the domains containing 'fix', three containing 'help' and one containing 'support'.
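The analysis described above (zone-file extraction of brand-containing names, removal of the official set, creation-date look-up, bucketing by registration day and by lure keyword) can be reproduced as a small triage script. The following is an added example, not code from the original article or from Stobbs/CrowdStrike: the zone-file excerpt, the allow-list of 'official' names, the creation dates (standing in for an RDAP/WHOIS look-up) and the brand string are all constructed, and the function names are the example's own.

```python
"""Brand-keyed zone-file triage (added example; all inputs are constructed).

Steps mirrored from the article's method:
  1. pull delegated domain names out of gTLD zone-file NS records,
  2. keep those containing the brand string, drop the known-official set,
  3. attach creation dates from a registration look-up (stand-in dict here),
  4. count registrations in a window and per day, and profile lure keywords.
"""
import re
from collections import Counter
from datetime import date

# Constructed zone-file excerpt in the usual "<owner> <ttl> IN NS <ns>" layout.
# A delegated domain appears once per nameserver, so owner names repeat.
SAMPLE_ZONE = """\
crowdstrike.com. 172800 IN NS ns1.example-dns.net.
crowdstrike.com. 172800 IN NS ns2.example-dns.net.
crowdstrikefix.com. 172800 IN NS ns1.parking.example.
crowdstrikefix.com. 172800 IN NS ns2.parking.example.
fixcrowdstrike.com. 172800 IN NS ns1.parking.example.
crowdstrike-help.net. 172800 IN NS ns1.example-dns.net.
crowdstrikesupport.org. 172800 IN NS ns1.example-dns.net.
crowdstrikelawsuit.com. 172800 IN NS ns1.example-dns.net.
crowdstrike-news.com. 172800 IN NS ns1.example-dns.net.
unrelatedbrand.com. 172800 IN NS ns1.example-dns.net.
"""

# Constructed stand-ins: names treated as official, and the creation dates an
# RDAP/WHOIS look-up would return (None = the look-up yielded no date).
OFFICIAL = {"crowdstrike.com"}
CREATED = {
    "crowdstrikefix.com": date(2024, 7, 19),
    "fixcrowdstrike.com": date(2024, 7, 19),
    "crowdstrike-help.net": date(2024, 7, 20),
    "crowdstrikesupport.org": date(2024, 7, 21),
    "crowdstrikelawsuit.com": None,
    "crowdstrike-news.com": date(2024, 6, 1),   # pre-dates the incident
    "unrelatedbrand.com": date(2024, 7, 19),
}

# Owner name (trailing dot stripped by the group), TTL, class, NS type.
ZONE_NS_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+NS\s+\S+", re.IGNORECASE)


def parse_zone_owners(zone_text):
    """De-duplicated set of delegated domain names found in NS records."""
    owners = set()
    for line in zone_text.splitlines():
        m = ZONE_NS_RE.match(line.strip())
        if m:
            owners.add(m.group(1).lower())
    return owners


def brand_candidates(owners, brand, official):
    """Names containing the brand string, minus the official allow-list, sorted."""
    brand = brand.lower()
    return sorted(d for d in owners if brand in d and d not in official)


def registrations_in_window(candidates, created, start, end):
    """(names with a known creation date, names created in [start, end], per-day counts)."""
    dated = [(d, created.get(d)) for d in candidates if created.get(d) is not None]
    per_day = Counter(c for _, c in dated if start <= c <= end)
    return len(dated), sum(per_day.values()), per_day


def keyword_profile(candidates, keywords):
    """How many candidate names contain each lure keyword (e.g. fix/help/support)."""
    return Counter(k for k in keywords for d in candidates if k in d)


if __name__ == "__main__":
    owners = parse_zone_owners(SAMPLE_ZONE)
    cands = brand_candidates(owners, "crowdstrike", OFFICIAL)
    dated, in_window, per_day = registrations_in_window(
        cands, CREATED, date(2024, 7, 19), date(2024, 7, 21))
    print(f"{len(owners)} delegated names, {len(cands)} non-official brand matches")
    print(f"{dated} with creation dates, {in_window} created 19-21 Jul:")
    for day in sorted(per_day):
        print(f"  {day}: {per_day[day]}")
    print("keyword profile:", dict(keyword_profile(cands, ("fix", "help", "support"))))
```

Two practical caveats carried over from the article: a name that is absent from the look-up result (the `None` case above) is kept in the candidate list but excluded from the dated count, matching the article's "creation dates were available for 133" framing, and the window count will lag reality because new delegations can take days to appear in the zone files.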

The active sites are dominated by those purporting to offer assistance with a fix - either self-implemented (which could present a potential attack route in cases where the information given is not genuine), or offering their own IT support services (Figure 2). Other content types within the dataset include one site encouraging affected users to take legal action, and others featuring general information or parody content.

Figure 2: Examples of sites hosted on CrowdStrike-related domains and offering assistance with fixes for the issue

Conclusion 

The flurry of infringement activity following the CrowdStrike software bug IT outage provides the most recent illustration of how high-profile events and news stories frequently trigger subsequent spikes in attack numbers and brand abuse. In this case, the infringements pose security risks to customers which can additionally affect company reputation and highlight the need for customer education and awareness campaigns. 

More generally, the study shows the importance of proactive brand protection programmes - particularly during periods of vulnerability following significant stories. These initiatives should incorporate monitoring approaches which are both proactive and reactive - i.e. able to respond to identified patterns and trends in observed infringement activity - in combination with enforcement actions able to rapidly take down threatening content as soon as it appears. 

References

[1] https://www.linkedin.com/posts/the-cyber-security-hub_crowdstrike-share-price-following-global-activity-7220473800339918849-c_ky/

[2] https://www.bbc.co.uk/news/articles/cpe3zgznwjno

[3] https://www.linkedin.com/pulse/crowdstrike-outage-could-biggest-cyber-incident-g1zie/ 

[4] https://www.newser.com/story/353230/global-experts-warn-about-post-outage-scams.html 

[5] Generic top-level domains (i.e. domain extensions)

This article was first published on 23 July 2024 at:

https://www.iamstobbs.com/opinion/threes-a-crowd-strikes-and-youre-out-infringing-domain-registrations-after-a-bug-in-crowdstrikes-antivirus-software
