Sean Moore, Ph.D., CTO and VP Research
Last week (19-July-2024), a significant IT outage occurred because CrowdStrike distributed a faulty update to its Falcon security software running on millions of computers using the Microsoft Windows operating system. This faulty update caused many of these computers to crash, which interrupted the operations of businesses across the globe. Cybercriminals acted quickly to exploit this incident by immediately launching phishing campaigns designed to trick users into, for example, downloading malware or providing sensitive information such as login credentials and personal data. Concurrently, however, Centripetal acted just as quickly to enhance its CleanINTERNET® service to proactively protect you from these phishing attacks. This Centripetal security update bulletin provides some insight into these protections and how they work.
The CrowdStrike phishing attacks rely on fake domain names and websites that spoof legitimate CrowdStrike domain names and websites. For example, Centripetal observed that cybercriminals began registering domain names in the Internet DNS that spoofed the legitimate “crowdstrike[.]com” domain name, such as “crowdstrike-helpdesk[.]com”, “crowdstrike0day[.]com”, “crowdstrikefix[.]com”, “crowdstrikeoutage[.]info”, … In a typical phishing attack, the cybercriminals send out emails designed to trick users into clicking on URL links containing these deceptive domain names, thereby launching the phishing attacks. CleanINTERNET® proactively shields users and their networks from these attacks by first detecting, in real time, the spoofed CrowdStrike domain names in Internet communications packets and then halting the transmission of those packets to their destinations (e.g., a fake CrowdStrike website that harvests users’ credentials).
To detect these spoofed domain names in packets, CleanINTERNET® collects and generates cyber threat intelligence (CTI) feeds, or lists, composed of several hundred to a few thousand CrowdStrike spoofed domain names. CleanINTERNET® then filters each in-transit Internet packet through these CTI lists to shield against CrowdStrike-targeted phishing attacks. The CrowdStrike spoofed domain names and associated CTI feeds are created by multiple methods, including:
- Reports from CrowdStrike and other CTI providers on CrowdStrike spoofed domain names observed on the Internet;
- Centripetal’s patented technology for detecting spoofed domain names, which is applied to feeds of domain names that have been recently registered in the Internet DNS. This patented technology has been continually identifying new spoofed CrowdStrike domain names that are being registered by cybercriminals since the 19-July outage incident. Thus, Centripetal was likely the first to identify many of these new CrowdStrike spoofed domain names;
- Centripetal’s patented AI technology for predicting spoofed CrowdStrike domain names that cybercriminals may generate in the future. The AI has been trained to think like cybercriminals who want to launch CrowdStrike phishing attacks. It proactively generates spoofed CrowdStrike domain names before the cybercriminals think them up and register them in the DNS.
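As an added illustration of the second method above (screening a newly-registered-domain feed for brand spoofs and turning the hits into a CTI blocklist), here is a small detector written for this bulletin; it is not Centripetal's patented or AI technology and does not show how those work. It assumes `crowdstrike.com` is the only legitimate zone, a two-label suffix such as `.com` or `.info`, and a constructed sample feed built from the domain names quoted above plus a few benign and typosquat entries.

```python
# Added illustration (not Centripetal's code): screen a feed of newly
# registered domain names for look-alikes of a protected brand and emit the
# matches as a CTI blocklist. Sample domains below are constructed from the
# ones named in the bulletin plus a few typosquat variants and benign names.
BRAND = "crowdstrike"                            # protected brand label
LEGIT = frozenset({"crowdstrike.com"})           # assumed legitimate zone(s)
HOMOGLYPHS = str.maketrans("013457", "oleast")   # digits often swapped for letters

def refang(domain):
    """Normalise defanged CTI notation such as crowdstrike[.]com."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")

def levenshtein(a, b):
    """Edit distance, used to catch typosquats one or two keystrokes away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND, legit=LEGIT):
    """Return a spoof category for `domain`, or None if it looks benign."""
    d = refang(domain)
    if d in legit or any(d.endswith("." + z) for z in legit):
        return None                              # the real brand zone is never flagged
    labels = d.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]  # assumes a 2-label suffix
    norm = label.translate(HOMOGLYPHS).replace("-", "")
    if norm == brand:
        return "lookalike"                       # cr0wdstrike.net, crowd-strike.com
    if brand in norm:
        return "brand-embedded"                  # crowdstrike-helpdesk.com, crowdstrikefix.com
    if levenshtein(norm, brand) <= 2:
        return "typosquat"                       # crowdstrlke.com, crowdstirke.com
    return None

def build_feed(new_registrations):
    """Turn a newly-registered-domain feed into (domain, category) CTI entries."""
    return [(refang(d), classify(d)) for d in new_registrations if classify(d)]

SAMPLE_NRD_FEED = [  # constructed sample feed
    "crowdstrike-helpdesk[.]com", "crowdstrike0day[.]com", "crowdstrikefix[.]com",
    "crowdstrikeoutage[.]info", "cr0wdstrike[.]net", "crowdstrlke[.]com",
    "crowdstrike[.]com", "falcon.crowdstrike.com", "example[.]org",
]

if __name__ == "__main__":
    for entry in build_feed(SAMPLE_NRD_FEED):
        print("%-28s %s" % entry)
```

Each flagged entry is what a packet filter would then match against; legitimate `crowdstrike.com` hosts and unrelated names pass through unflagged.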
Additionally, Centripetal has real-time alerting mechanisms that immediately signal Centripetal’s Security Operations team whenever a CrowdStrike phishing attack is detected and shielded.
These CrowdStrike-specific protections have been deployed into CleanINTERNET® before, during, and after 19-July and are continually updated as new CrowdStrike CTI emerges. Centripetal will continue to enhance these CrowdStrike protections as well as protections for other new and existing targets of phishing attacks.
At Centripetal, we take a proactive approach to protecting our customers, offering a distinct advantage to all CleanINTERNET® users. By leveraging artificial intelligence to create and augment threat intelligence feeds, we provide multiple layers of protection and a greater level of cybersecurity assurance.
Thank you for your continued trust in Centripetal. We are committed to maintaining the highest standards.
If you are interested in AI-powered protection from fake web domains or are concerned about your own brand protection, please contact us at sales@centripetal.ai