Remote Workplace Archives - crowdstrike.com
Next-Generation Endpoint Protection
Feed generated Wed, 19 Jul 2023 22:01:56 +0000

CrowdStrike Changes Designation of Principal Executive Office to Austin, Texas
https://www.crowdstrike.com/blog/crowdstrike-changes-principal-executive-office-to-austin-texas/
Tue, 28 Dec 2021 20:55:28 +0000

Since we founded CrowdStrike, we’ve paved the way as one of the most prominent remote-first companies. We’ve planted roots in communities around the world — from Sunnyvale to London and from Pune to Tokyo. This not only gave us a running start at reimagining the workplace for today’s remote-first world, it also meant that we were never tied to a single location, hiring the best in the business no matter where they’re based. While the traditional notion of a singular headquarters is not required and may become obsolete altogether in today’s transforming world, the Securities and Exchange Commission requires us to designate a principal executive office. Today, CrowdStrike Holdings is designating Austin, Texas as our principal executive office.

While Austin is already CrowdStrike’s largest office in the U.S., our Sunnyvale location will continue to be a critical innovation hub in the heart of Silicon Valley. No people, jobs or facilities will be impacted by this decision. CrowdStrike will continue to grow and build our team of best-in-business experts as a truly remote-first leader in the cybersecurity industry, investing in all of the states, countries and communities where our team resides.

CrowdStrike and EY Join Forces to Boost Organizational Resiliency
https://www.crowdstrike.com/blog/crowdstrike-and-ey-join-forces/
Mon, 24 May 2021 07:28:32 +0000

The evolution of today’s remote workforces requires organizations to establish comprehensive and reliable cybersecurity strategies and operations to stay on top of the increasingly complex cyber risk landscape. With the shift to remote workforces and continued adoption of cloud, mobile and modern computer infrastructure, the attack surface continues to expand — and the reality is that an organization will encounter a cyber incident at some point and will have to respond and manage it effectively.

How CrowdStrike and EY Solve the Problem

The CrowdStrike and EY strategic alliance combines CrowdStrike’s leading cybersecurity technologies and services with the transformational consulting and risk management capabilities provided by EY. The collaboration focuses on addressing cyber risk and threat management, cyber incident response and cyber threat intelligence. It offers broad security services to help clients understand and address cyber threats unique to their businesses, and provides alliance capabilities to effectively help manage those risks. 

Organizations of any size can be the target of a cyberattack, and given the current threat landscape, most organizations will eventually be attacked. Responding to an incident with speed, efficiency and experience is critical to avoid catastrophic losses that can total millions of dollars in direct and indirect costs associated with a breach. 

The Powerful Benefits of the CrowdStrike-EY Alliance

  • Reduced risk of a significant cyber event and enhanced compliance with cyber risk mandates
  • Increased confidence in understanding the cyber threat landscape and how to communicate risk details to key stakeholders 
  • Increased awareness to help teams to align budgets and resources so they can manage risk accordingly 

Using the CrowdStrike Falcon® platform — an EY-preferred technology platform for security services — we collaborate on innovating and leading transformational consulting services to help organizations achieve maximum value in cybersecurity operations, positively impact business objectives and drive the cybersecurity conversation from the security operations center to the boardroom.

This alliance provides three new joint solutions to address cyber risks: 

  1. Ransomware Readiness and Resilience
  2. Incident Response, Recovery and Remediation
  3. Zero Trust

Ransomware Readiness and Resilience

Ransomware is quickly becoming the favored means for cybercriminals to extract a profit from unsuspecting victims. Financially motivated threat actors are using widespread ransomware attacks across multiple industries for data theft, public disclosure and business disruption, often costing millions of dollars. Organizations face a critical challenge in ensuring they are protected against ransomware threats and have tools that provide immediate, real-time visibility into their environment to identify and eliminate potential compromises.

Adversaries are not only launching ransomware attacks against a wide range of industries, they are consistently evolving their tactics, techniques and procedures (TTPs) to foil your organization’s best cybersecurity strategies.

In response, CrowdStrike and EY have teamed up to create the Ransomware Readiness and Resilience solution — a multi-pronged strategy to effectively combat these threats.

EY’s Next Generation Security Operations and Response (NGSOAR) services and solutions, together with the CrowdStrike Falcon® platform, provide industry-leading protection and detection capabilities with cyber threat intelligence and 24/7 threat hunting to gain a significant advantage over ransomware threats. The solution offers joint customers immediate, real-time visibility into their organization’s environment, identifying and eliminating potential compromises and preventing silent failure. This powerful combination helps to contain active threats and ejects them from networks quickly, eliminating the threat of ransomware immediately and efficiently.  

Incident Response, Recovery and Remediation 

When a breach has occurred, the speed, efficiency and experience applied to the response can make a significant difference in the impact to an organization. To rapidly contain an attack, organizations must work to gain an immediate understanding of the nature of the incident, determine the extent of the attack to quickly triage the incident, and work to remediate the vulnerabilities and get back to normal business operations faster, and with minimal user disruption.

CrowdStrike and EY have joined forces to offer customers a comprehensive solution to Incident Response, Recovery and Remediation. Using CrowdStrike technology and services, customers can respond to an attack with immediate visibility to the full threat context using threat intelligence, and recover from the attack with speed and surgical precision using the real-time response capabilities of the CrowdStrike platform. In addition, EY helps customers further remediate the initial attack vectors and vulnerabilities in their IT environment in order to enhance their cybersecurity posture and reduce the risk of future attacks. The solution addresses all aspects of a client’s cybersecurity enhancement program and threat response, and helps to increase overall business resiliency while meeting compliance and governance requirements. 

Zero Trust 

Zero Trust is a security framework requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access or retaining access to applications and data. While Zero Trust is not a new concept, it has become an urgent need for many organizations, as the work-from-anywhere shift is expected to continue to force digital transformation even after the COVID-19 pandemic has subsided.

To address this growing need, EY’s alliance with CrowdStrike accelerates the adoption and implementation of Zero Trust by leveraging CrowdStrike Falcon® Zero Trust solutions, which enable secure access for all users, devices and applications, regardless of location. Using the expansive and contextual telemetry of the CrowdStrike Falcon® platform — which currently processes more than 5 trillion events per week in real time with the AI-powered Threat Graph engine — dynamic conditional access is granted based on continuous security posture assessments of device health and compliance checks. Customers benefit from high-fidelity attack correlation, fast policy enforcement and dynamic conditional access based on continuous, real-time security risk assessments — ensuring frictionless Zero Trust adoption and identity protection for organizations of any size.

The Power of the CrowdStrike-EY Alliance 

CrowdStrike and EY are committed to helping our joint global customers identify and solve their cybersecurity challenges beyond the U.S., including Australia, Italy, Belgium, Brazil and Canada. Together, CrowdStrike and EY seamlessly integrate CrowdStrike’s unified cloud-native framework with EY’s expertise in risk management, powering the next generation of enterprise security and IT operations to achieve business resiliency.

Go Beyond the Perimeter: Frictionless Zero Trust With CrowdStrike and Zscaler
https://www.crowdstrike.com/blog/zero-trust-security-with-crowdstrike-and-zscaler/
Mon, 29 Mar 2021 00:25:56 +0000

With today’s workforce moving outside of the physical office, modern security architectures have moved away from the “hard exterior, soft interior” model where there is a well-defined perimeter that is fortified and everything inside is implicitly trusted. The increased adoption of cloud, mobile and modern computer infrastructure, along with today’s distributed workforce, means that the perimeter has dissolved, leading to an ever-expanding attack surface.

With the evolution of the workforce, there has been a shift in the cybersecurity mindset toward a Zero Trust framework. This framework is focused on an identity-centric and data-centric approach that focuses on data, people, devices, workloads and networks. 

Research shows that over 75% of enterprises report struggling to shift to a Zero Trust approach due to the complexities of user access needs. In this blog, we explain how organizations are successfully implementing Zero Trust without that complexity, cost and user friction for IT, security and the workforce end user, leading to reduced risk and cost.

For an organization to successfully adopt and implement Zero Trust architecture, one of the key requirements is constantly authenticating, authorizing and continuously validating the identity and security posture of each access request from every endpoint. To minimize unauthorized access to data, applications and compute resources over networks, “never trust, always verify” must extend to user endpoints. 

How Falcon Zero Trust Solves This Problem

Endpoint security is one of the foundational building blocks of Zero Trust. To fit into the Zero Trust framework, endpoint security controls must be dynamic and provide real-time visibility into the risk to users and data. In order to provide a holistic cybersecurity approach, these controls must not stop at user authentication, but must expand to include device security posture.

CrowdStrike Falcon® ZTA (Zero Trust Assessment) supports Falcon Zero Trust by providing continuous, real-time security and compliance checks for endpoints, making sure that authentication and authorization are granted only to devices with strong security postures. This enables the protection of sensitive data while granting access across users, on any network and in any location — without the use of VPNs (virtual private networks). With the power of the CrowdStrike Security Cloud and a single lightweight intelligent CrowdStrike Falcon® agent, organizations can have a frictionless journey to Zero Trust with little or no additional complexity.

Zero Trust with CrowdStrike and Zscaler 

Together CrowdStrike and Zscaler have been simplifying the adoption of Zero Trust for IT teams. The joint innovation between Zscaler and CrowdStrike provides an end-to-end security solution, from endpoint to application. These integrations ensure administrators have a real-time view of a device’s security posture, and access to critical applications is based on granular access policies. By sharing data between the CrowdStrike Falcon® sensor at the endpoint and Zscaler Zero Trust Exchange, access can automatically adapt based on the context of the user, device health or updated access policies from Zscaler.

The CrowdStrike integration with Zscaler shares threat intelligence and enables automatic workflows to help organizations reduce the number of security incidents — and, in case an incident does occur, delivers quick time-to-detection and remediation. 

Moreover, the integration provides the ability to monitor device health and compliance via ZTA scores, and quickly remediate gaps with Zero Trust access policy control and inline blocking based on CrowdStrike-detected indicators of compromise (IOCs). Together, Zscaler and CrowdStrike enable access to applications and the internet with maximally adaptive access control, without hindering user productivity. 
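The passages above describe the mechanics of posture-aware conditional access: each request is judged on identity and on a device health score, sensitive applications demand a higher score, and a decision is re-evaluated whenever posture telemetry changes, so a device that degrades or matches an indicator of compromise loses access without any perimeter or VPN in the loop. The following is an added illustration written for this page, not CrowdStrike or Zscaler code; the scoring weights, the per-application thresholds, the `DevicePosture` fields and the application names are constructed assumptions that stand in for a real assessment score and real access policies.

```python
"""Toy Zero Trust policy decision point (constructed example, not vendor code).

Models the pattern described above: identity AND device posture are checked
on every access request, each application sets a minimum posture score and
an MFA requirement, and a granted session is re-decided whenever new posture
telemetry arrives (continuous validation rather than a one-time gate).
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_auth"   # identity is insufficient: require stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Assumed posture signals; a real assessment would draw on many more."""
    sensor_present: bool
    os_patched: bool
    disk_encrypted: bool
    firewall_on: bool
    ioc_matches: int = 0       # indicators of compromise detected on this host


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_satisfied: bool
    device_id: str
    app: str


def posture_score(p: DevicePosture) -> int:
    """Assumed 0-100 score: weighted checks; any IOC match collapses it to 0."""
    if p.ioc_matches > 0:
        return 0
    score = 0
    score += 40 if p.sensor_present else 0
    score += 25 if p.os_patched else 0
    score += 20 if p.disk_encrypted else 0
    score += 15 if p.firewall_on else 0
    return score


# Assumed per-application policy: the more sensitive the app, the higher the bar.
APP_POLICY = {
    "wiki":       {"min_score": 40, "require_mfa": False},
    "crm":        {"min_score": 65, "require_mfa": True},
    "finance-db": {"min_score": 85, "require_mfa": True},
}


def decide(req: AccessRequest, posture: DevicePosture) -> Decision:
    """Evaluate one request: unknown app -> deny; weak device -> deny even with
    a valid identity; strong device but missing MFA -> step-up; else allow."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return Decision.DENY          # default deny: no policy means no access
    if posture_score(posture) < policy["min_score"]:
        return Decision.DENY          # device health gates access regardless of user
    if policy["require_mfa"] and not req.mfa_satisfied:
        return Decision.STEP_UP
    return Decision.ALLOW


class Session:
    """A granted session that is re-decided on every posture update, so access
    adapts as device health changes instead of persisting until logout."""

    def __init__(self, req: AccessRequest, posture: DevicePosture):
        self.req = req
        self.decision = decide(req, posture)

    def on_posture_update(self, posture: DevicePosture) -> Decision:
        self.decision = decide(self.req, posture)
        return self.decision


if __name__ == "__main__":
    healthy = DevicePosture(True, True, True, True)
    s = Session(AccessRequest("alice", True, "laptop-01", "finance-db"), healthy)
    print("initial:", s.decision.value)
    # Constructed telemetry update: the sensor reports an IOC match on the host.
    print("after IOC:", s.on_posture_update(
        DevicePosture(True, True, True, True, ioc_matches=1)).value)
```

The design point worth noticing is the ordering inside `decide`: device posture is checked before the identity step-up, so a compromised device cannot talk its way in with a second factor, and the default branch denies rather than allows.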

This bidirectional sharing of threat intelligence, increased visibility and automatic workflow across platforms helps organizations increase the timeliness and effectiveness of threat defense, detection and remediation.

The benefits from the joint solution are not limited to IT security alone. As businesses look to enable work-from-anywhere strategies, this joint solution makes it easier to provide users with safe, seamless and secure access to essential business applications for day-to-day employee activity. All of this can now be achieved on a foundation of Zero Trust.

Join us for a day in the cloud to learn about how we go “beyond the perimeter” — during this event, CrowdStrike CTO Mike Sentonas and Zscaler CTO Amit Sinha will detail new joint innovations and showcase the Enterprise Security Transformation blueprint. The event also features two breakout sessions focusing on business and technical perspectives and how Zero Trust immediately adds value to a business. There’ll also be an inspirational keynote from Dr. Hakeem Oluseyi, astrophysicist and former Space Science Education lead for NASA — he’ll cover his personal life journey as documented in his highly anticipated memoir, A Quantum Life: My Unlikely Journey from the Street to the Stars. Learn more and register for Beyond the Perimeter today!

Flexible Policy Management for Remote Systems
https://www.crowdstrike.com/blog/policy-management-remote-systems/
Wed, 08 Jul 2020 21:14:08 +0000

Introduction

As organizations shift to supporting more remote workers, protection policies for laptops and systems that are no longer behind traditional perimeter defenses need to be updated. Can administrators quickly and easily update policies to ensure continuous protection for these remote systems?


Protection Without Complexity is More Important Than Ever

Administrators are inundated with change as work environments shift. They need to rapidly update endpoint protection policies to apply appropriate protections for remote systems. 

System tagging is an efficient way to classify hosts. Multiple hosts with similar protection requirements can then be put into groups, making it easy to apply the appropriate policy to numerous systems. When system status changes, for example from an office location to a remote location, system tags could be used to update policies to reflect an accurate status and appropriate protection requirements. 

Complex policy management and tuning wastes time and introduces potential security gaps. To ensure continuous protection of remote systems, administrators need the ability to easily identify hosts, wherever they reside, and manage protection policies. 

Solution

The CrowdStrike Falcon® next-generation endpoint protection platform offers flexible, complete protection without complex configuration and tuning. Policy creation, assignment and management are easy and streamlined with a centralized user interface. Administrators configure policy definitions in minutes using toggles and sliders for individual controls ranging from visibility only to full prevention. Hosts are easily tagged and policies are assigned to groups of hosts. When updates are needed, administrators can quickly change policies, dynamically assign hosts to different policies or even reclassify system tags.

Closing

Get immediate time to value, extend your visibility and protect your organization regardless of physical location. Try CrowdStrike’s Falcon platform for free: https://go.crowdstrike.com/try-falcon-prevent.html

Content Provided by Anne Aarness

System Recovery using Real Time Response
https://www.crowdstrike.com/blog/rtr-system-recovery/
Thu, 02 Jul 2020 00:38:13 +0000

Introduction

Cyberattacks including ransomware have increased as work environments have changed, and organizations have shifted to supporting more remote personnel. With threats increasing against these remote systems, the ability to block attacks and respond rapidly in the event of a compromise is even more challenging. Do security teams have the visibility and context they need to respond? Can system rollback remediations completely restore an endpoint to a known good state? 


Next-gen prevention and complete system recovery are more important than ever

Organizations require a combination of measures to protect against today’s threat landscape. Effective prevention capabilities can block a range of threats including ransomware while advanced detection and visibility capabilities can uncover stealthy attacks and compromised systems. Complete remediation of those compromised endpoints, especially when they are remote, can be challenging. 

Automatic rollback remediation using shadow volume copies may seem like the fastest route to recovery but may not always be a viable or thorough option. Backups and volume shadow copies can be the first targets attackers disable and delete to prevent easy recovery. Malware can also be designed to tamper with or delete snapshots or even leave persistent artifacts behind.

Responders need an arsenal of response capabilities including full endpoint activity details and attack visibility to get systems back to a known good state.

Solution

The CrowdStrike Falcon® next-generation endpoint protection platform uses complementary prevention and detection methods to defend against known and unknown malware and ransomware, as well as fileless and malware-free attacks.

Deep endpoint and attack visibility, including process timelines that display an entire attack in sequence, enables responders to rapidly investigate incidents and fully understand emerging threats. Armed with this knowledge, responders use CrowdStrike Real Time Response (available with Falcon Insight™ and Falcon Endpoint Protection Pro) to directly access distributed systems and run a wide variety of commands to completely remediate remote hosts, quickly getting them back to a known good state.

If volume shadow copies are available and are the appropriate response, Real Time Response can easily restore these snapshots. When system rollback remediation simply isn’t enough, Real Time Response gives responders the surgical remediation capabilities they require, including the ability to manage user accounts, kill processes, remove files or directories, manipulate the Windows registry or even run custom scripts and executables.

Closing

Get immediate time to value, extend your visibility and protect your organization regardless of physical location. Try CrowdStrike’s Falcon platform for free: https://go.crowdstrike.com/try-falcon-prevent.html

Content Provided by Anne Aarness

Fighting Hackers From Your Couch: Five Things You Should Know
https://www.crowdstrike.com/blog/fighting-hackers-from-your-couch-five-things-you-should-know/
Fri, 05 Jun 2020 14:43:54 +0000

COVID-19 has reshaped our lives as we know it, and the same goes for hackers’ business models. To learn more about how COVID-19 has changed the cyber issues that corporate leaders need to be thinking about, the Brunswick Group convened (virtually, of course) a group of experts including Michael Rogers, former director of the U.S. National Security Agency and advisor at Brunswick Group, Robert Silvers, partner at Paul Hastings, LLC, and Shawn Henry, president of CrowdStrike® Services and Chief Security Officer, CrowdStrike (watch the video here). Here are our top five things corporate leaders should think about when addressing cyberattacks in this new operating environment:

1. Insiders Will Become a Leading Threat

With many employees fearing layoffs, the current working environment is more likely to generate worried or disgruntled workers who may seek to get back at an employer they feel is not treating them well. Rogers said this “insider piece” will be relevant to company leaders as they reassess current cyber risks. As a result, security policies may need to be reworked to ensure there is increased visibility, access controls and more checks in place across the organization. 

2. COVID-19 Is Accelerating Cyber Threats Like Ransomware and Extortion Attacks

Cyberattacks have spiked during the pandemic, as cybercriminals ruthlessly exploit the current situation, and ransomware that locks down company systems continues to be a top choice for hackers. According to Henry, adversaries are adjusting their tactics to attack off-site corporate operations that go beyond data theft and disrupt operations. Traditional workplaces are designed to be resilient against cyberattacks, but the ability to respond rapidly to them is now more challenging.

3. Practice, Practice, Practice

To prepare for a potential cyber incident, companies shouldn’t be thinking about returning to traditional work environments and instead should develop cyber crisis simulations that test a company’s response when much of its workforce is remote. Simulations will help identify gaps in process and security before an incident occurs. Henry noted that understanding what future threats might look like is a good first step, but industry leaders should be hunting for them too. Sharing lessons learned across the industry is now more important than ever.

4. Regulators Are Unlikely to Cut Companies a Break, Especially on Privacy Violations

Regulatory issues will also challenge companies in new ways during and after COVID-19. Silvers said regulators showed some flexibility at the onset of the crisis, but now they are expecting companies to be caught up. The California Consumer Privacy Act and the New York SHIELD Act, for instance, are both in effect, suggesting that companies should expect robust enforcement on privacy and security issues this year.

5. Employee Cyber Education Should Be a Priority

A company’s cyber risk increases substantially when its employees don’t understand cyberthreats and their consequences. Personal IT further complicates this by posing a significant gap in companies’ ability to address attacks quickly and effectively in a remote environment. Rogers said organizations need to fill that gap with accessible guidance to employees. Reliance on home routers is currently unavoidable, which means introducing employees to some basic “best practices” can significantly improve employee vigilance about company security.

COVID-19 has proven that remote work can be efficient but has also exposed vulnerabilities in how to prepare for and address cyber risks. Cyber breach responses will need to adapt and evolve as society adapts and evolves to pandemic life. Corporate leaders have a responsibility to their organizations and their employees to strengthen their cyber incident response protocols so that they can quickly adapt if, and when, an incident hits. 

Siobhan Gorman is a Partner in the Washington, DC, office of Brunswick Group, where she concentrates on crisis, cybersecurity, public affairs and media relations. Siobhan has worked on corporate crises across a range of industries, including financial services, healthcare, defense, entertainment, technology and automotive. She is also a member of the Advisory Committee for Brown University’s Executive Master in Cybersecurity. Prior to joining Brunswick, Siobhan had a successful 17-year career as a reporter, most recently at the Wall Street Journal.

Remote Internships: One-time Necessity or the Next Big Thing?
https://www.crowdstrike.com/blog/are-remote-internships-the-next-big-thing/
Thu, 04 Jun 2020 16:59:13 +0000

For some university students, the impact of COVID-19 closures has gone from disappointing to devastating, as social distancing measures and stay-at-home orders cancel everything from sports seasons and graduation ceremonies to summer internship programs and future hiring plans. This can be an especially hard blow for students, as internships are often a stepping stone for full-time work, an important source of summer income, or for some, even a graduation requirement.

While some companies have been forced to make a last-minute pivot to remote internships, CrowdStrike is fortunate that a remote-first culture is part of our DNA — so extending that to internships didn’t require anything radically new. We simply extended our daily way of working to the intern class of 2020.

The Advantage of a Remote-first Culture 

At CrowdStrike, we are grateful to be counted among those companies that can continue to safely host a 2020 summer intern class. Our remote-first culture, which is built on the premise of asynchronous work capabilities for all employees, allowed us to quickly and seamlessly shift these 85 global positions from in-office to at-home. Our interns will rely on the same best-in-class tools, technologies and processes that our full-time workforce uses to stay connected and engaged, no matter where they happen to be. Our managers, many of whom lead teams of people based all over the world, will use the same techniques and systems to oversee the work of our interns and ensure their development. 

While the way the interns engage with and learn from our teams might be shifting, we’ll still be able to offer a variety of valuable learning opportunities and experiences for this year’s intern cohort.

Thinking About the Future

For our organization, pivoting to a remote-based internship program is the best choice for today. But what about tomorrow? With recovery timelines still very much in flux, our organization and many others are reconsidering how we will structure our program next year — and what a contingency plan looks like if such an event unfolds again. This situation has also made us reconsider the financial implications of traditional, campus-based positions of our interns in terms of housing, travel and living costs. It makes us question if the current structure may inadvertently limit our application pool and also consider how we could best address this point in the future. The goal is to design and run an inclusive, accessible program that offers the same learning opportunities and business outcomes, while finding ways to keep the group connected and ensure a sense of belonging — especially as opportunities for physical contact continue to be limited.

Our Experiment: Measuring the Success of a Remote Program for Students and Employers 

As we look to the future of our internship program, we want to take the lessons learned this summer and expand on them to continue to improve our internship offering. We plan to take this necessary change in plans as an opportunity to learn, measuring how this summer’s intern class and managers fare in terms of satisfaction, engagement and outcomes as compared to traditional in-office positions. We will also track the cost of the remote program and consider if this new model provides efficiencies and savings that will allow us to invest even more in our interns and the program. Finally, we will determine how remote positions could help our organization widen the applicant pool, given that participants would not need to secure housing or incur travel costs to work in an office.

Time will tell how this approach compares to years past and how it will impact the structure of our internship program in the years to come. In the meantime: What do you think about remote-first internship programs? Are they a one-time necessity, or a valuable new way to attract top talent? 

The Business Case for “Remote-First”
https://www.crowdstrike.com/blog/business-case-for-remote-first/
Wed, 13 May 2020 15:02:32 +0000

How a distributed workforce enables better performance, stronger results and a positive culture

Imagine it’s 2 a.m. ET on July 4. A New York-based financial services company is being targeted by a cybersecurity attack. For most tech teams, that would be the end of the holiday weekend. But at CrowdStrike, it’s just another morning — business as usual, thanks to our distributed workforce and remote-first culture. It’s not 2 a.m. in London or Bangalore — and July 4 has no special significance in Bucharest or Sydney. For a remote workforce, time is truly just a construct. No matter where or when something happens, someone is ready to respond.

Although, to be clear, it’s not just “someone” who is monitoring this late-night event for a customer. It is a team of highly qualified, best-in-class technologists, engineers and intel analysts who work as a single, cohesive team, despite being spread far and wide around the world. Perhaps more importantly, our organization’s distributed workforce isn’t just remote-friendly, it’s remote-first — meaning that they rely on processes, systems and tools purpose-built to enable asynchronous work. Traditional forms of ownership, management and implementation are replaced by documentation, collaboration and dissemination. This is why I truly believe that remote engineering is the future of the technology industry. 

Put another way, it’s not just someone on the team that will do the job, but that anyone on the team has the power and knowledge, skills and expertise, and access and capabilities to do it. That’s why our clients can rest assured — even at 2 a.m. on a holiday weekend — that their critical assets are secure.

Documentation: A Critical Differentiator for Burgeoning Tech Companies

One of the most crucial enablers of a technology-driven, remote-first engineering culture is our documentation system, starting with the assumption that multiple team members will be involved in each task. For that reason, everything is written down and documented in tickets. Implementing both the processes and systems to ensure that information is disseminated throughout the entire team, as opposed to having information sit with pockets of people in the same location, is a critical enabler to success.

On its face, this is just good practice. But over time, constant attention to documentation can reveal something more curious: Because everything is written down or recorded, people seem to be more mindful about how they work. No one “throws things over the wall” or gets a project “close enough.” As a remote-first organization, understanding that each task will be handed off and documented accordingly means that close enough won’t cut it. And as a result, work is done, by and large, with a level of rigor and quality that might not be seen if the organization wasn’t remote-first. 

This translates into a huge advantage for customers. A distributed team means that customers can experience an informed and fully caffeinated network ready to deliver a best-in-class product or consult on time-sensitive intel. And like any good team, this group has a contingency plan for every scenario, enabling substitutions and swaps based on availability, expertise and past experience. Most importantly, processes and systems are designed to enable a unique and aggressive software development lifecycle and top-notch support no matter when, where or what is needed.

The Advantage for Business Development and Client Success 

Working as a remote-first organization can also uncover huge advantages for growing your business. First and foremost, the talent pool is truly global and faces no constraints. Being able to attract and retain some of the best and brightest minds in the world — because there are no restrictions attached to traditional office hours or workspaces — means that hiring the most talented people in their respective fields is easier than ever. And because employees are spread across several continents, there is no such thing as downtime, ensuring client success. 

Recruiting team members from around the world also helps to improve the diversity of the organization. In many cases, the work is as much art as it is science. There are multiple ways to approach every challenge, and each person brings a different perspective. With a more diverse team and varied perspectives, stronger results ensue. That’s good for both your business — and your customers.

Enabling a Remote-First Culture and Structure

So, with the crystal-clear benefits of a remote-first workforce, why are so many modern companies resistant? Why do these myths about traditional management and the need for “engineering pits” persist? Why do companies continue to think they’re too big or that their work is too important to allow for remote work?

For answers, I point out that CrowdStrike isn’t the only innovative, remote-friendly, growth-driven company to embrace a remote workforce model. Many well-known, global organizations present clear and compelling evidence that a distributed team isn’t just possible for a large company with a critical mission, it’s preferred.

Given the nature of the technology business and cybersecurity, there is a crucial need to constantly be a step ahead of cyber threats. There is an underlying sense of urgency to be stronger, faster and smarter than the adversaries that are trying to breach our customers’ systems. Our work isn’t just high stakes — it’s the highest stakes as we work to protect customers around the world and ensure their business can operate free of interruption. And we do this while working at an unbelievable pace and incredible scale, using cutting-edge technology. In other words, if our organization can do it, any organization can — assuming they want to.  

At CrowdStrike, we have a compelling mission: to stop breaches. We “fight the bad guys” to protect our customers from potentially devastating breaches that could cripple their business and, by extension, adversely impact the everyday lives of people. That job never stops, so part of that role compels us to stay mindful about being good to our people — by instilling a sense of trust and autonomy in employees and supporting a healthy work-life balance. We recognize that a remote-first culture allows them to live and work where they want and spend their time as they see fit — especially on a holiday weekend.

Malspam in the Time of COVID-19 https://www.crowdstrike.com/blog/covid19-and-malspam/ Mon, 20 Apr 2020 18:25:15 +0000 https://www.crowdstrike.com/blog/?p=25559

As the new coronavirus, COVID-19, spreads around the planet, many people are filled with emotions like fear, uncertainty and hope — which are the top ingredients for an effective spam campaign. Cyber criminals are now taking full advantage of these emotions when disseminating malicious email spam (malspam) across the globe.

The CrowdStrike® data science team is closely tracking COVID-19-related malspam, and in this blog, we present some of the malspam types we’ve observed in order to illustrate the social engineering tricks being used and the types of malware delivered. This is by no means a complete list of attacks that we’ve noticed, only a few that you might find interesting. 

Example 1: The Doctor, the Cure and the HawkEye

Not all phishing emails are professional-looking or error-free, as the first example illustrates; however, the simplicity of the message and the sophisticated payload delivery mechanism can be very effective.

[Image: Simple message claiming to have information about treatment for coronavirus; notice the typo in the country name]

The attached document is an RTF file that contains an OLE document with a malicious macro embedded. This macro downloads and executes the next-stage payload, an AutoIT-compiled executable. Although it can be decompiled, the resulting source file is heavily obfuscated.

[Image: RTF file with malicious code]

The second stage executes RegSvcs.exe and injects a version of HawkEye, a powerful trojan with features such as keystroke logging and password stealing. This executable is obfuscated with Confuser:

[Image: Confuser-obfuscated code]

Example 2: Government Impersonation and Greater Sophistication

In the next example, the Spanish text urges the reader to download a document that supposedly lists the neighborhoods where COVID-19 has been detected. The sender masquerades as the Ministry of Health of Colombia. This phishing e-mail has a non-malicious PDF document attached, which contains only the logo of the organization used as a lure and a link to a password-protected archive, with the password given in the message. This multi-step phishing strategy incentivizes the user to manually download and execute the payload, and it reduces the chances of the message being blocked by spam filters because no weaponized document is attached.

[Image: The phishing e-mail message content]

[Image: The content of the attached PDF]

The archive contains a .NET obfuscated executable, which is a dropper for the payload.

[Image: Meaningless code is used to obfuscate the application flow]

The payload is a commodity remote access tool (RAT) named Warzone. This malware has the ability to bypass UAC controls using two different methods, one for Windows 10 (sdclt.exe UAC bypass) and one for earlier versions of Windows (IFileOperation COM object UAC bypass). It also has remote execution capabilities, a keylogger and a camera recorder, and it can steal credentials from Google Chrome, Firefox, Thunderbird and Microsoft Outlook.

[Image: Strings from the actual payload showing the credential-stealing ability]

Example 2, Take 2: Same RAT, Different Spoofed Institution

Another COVID-19 spam campaign that CrowdStrike observed delivering the Warzone RAT used the Centers for Disease Control and Prevention (CDC), a U.S. government agency, as bait.

[Image: Phishing message targeting U.S. citizens and delivering the Warzone RAT]

This malspam used a weaponized RTF document that exploits the CVE-2017-11882 vulnerability to download and execute Warzone.

Example 3: The Mysterious Case of the Screensaver 

This third malspam example uses a different technique to increase the victim’s confidence that this email is legitimate. The message was written to target a specific individual. Addressing the message to a specific group of people might make the victim believe the message was written in a hurry but was intended to be sent to them, since it has a personal approach.

The email was sent to the public mailbox of the victim’s infrastructure. The attachment comes as an ISO image file, which is different from the expected format of a PDF, TXT or Microsoft Office document.

[Image: Targeted message]

First, we notice some typos:

[Image: The header of the message]

[Image: The message body]

[Image: The signature block]

The file name referenced in the opening of the message matches the name of the attachment, “CDCHAN-00815,” giving the victim some level of confidence regarding the legitimacy of the file.

One thing to note is that there are no instructions related to the attachment, only the suggestion to download it. Nothing malicious happens by downloading and opening the file, because it opens within an archive application that does not result in an immediate execution of the file.

The ISO attachment file contains a self-extracting RAR executable with a .scr file extension. The name of the file and the date match the email’s message.

[Image: Content of the ISO attachment file]

Extracting the contents of the RAR file, we find an executable file named Aosnqcl.exe (hash: ) and a hidden file named Aosn.

[Image: Content of the screensaver file]

The executable reads the hidden file, which appears to contain values in a format similar to Base64. After some research, we discovered that the hidden file is indeed a plain-text representation of a Portable Executable (PE) file, and its content has been obfuscated via Base64 (RADIX) and written in reverse.

[Image: Content of the hidden file Aosn]

[Image: Deobfuscated content of the hidden file Aosn]
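As an added example (not code from the original post), here is a small Python decoder for the transformation described above, Base64 text written in reverse, that recovers the bytes and checks for a PE header before trusting the result. The Base64 alphabet is assumed to be the standard one, and the embedded sample is a constructed header-only blob, not the real Aosn file.

```python
import base64
import struct


def build_sample_pe():
    """Constructed stand-in for the hidden Aosn payload: a header-only blob with
    the DOS 'MZ' magic and e_lfanew pointing at a 'PE\\0\\0' signature. It is not
    a runnable executable, just enough structure for the validation below."""
    dos = bytearray(b"MZ" + b"\x00" * 58)      # DOS header up to e_lfanew (offset 0x3C)
    dos += struct.pack("<I", 0x80)             # e_lfanew: PE signature lives at 0x80
    dos += b"\x00" * (0x80 - len(dos))         # pad the DOS stub up to that offset
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def obfuscate_like_aosn(pe_bytes):
    """Apply the transformation the post describes: Base64-encode, then reverse
    the resulting text (standard alphabet assumed)."""
    return base64.b64encode(pe_bytes).decode("ascii")[::-1]


def deobfuscate_aosn(text):
    """Undo it: drop any line breaks or whitespace, reverse the text so the
    '=' padding is back at the end, then Base64-decode with strict validation."""
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned[::-1], validate=True)


def looks_like_pe(data):
    """Cheap sanity check on the decoded bytes: DOS magic present and the
    e_lfanew field points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_pe(text):
    """Decode an Aosn-style blob and refuse anything that is not PE-shaped,
    so a wrong alphabet or a partial capture fails loudly instead of silently."""
    data = deobfuscate_aosn(text)
    if not looks_like_pe(data):
        raise ValueError("decoded payload does not carry a PE header")
    return data


if __name__ == "__main__":
    blob = obfuscate_like_aosn(build_sample_pe())
    print("obfuscated head:", blob[:24])        # starts with '=' (reversed padding)
    print("recovered bytes:", len(recover_pe(blob)))
```

A leading "=" in a Base64-looking file is the quick tell for this reversal trick, since padding normally only appears at the end.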

That’s the dropper, and here are the files that it drops:

It then takes the following actions:

► Appends the following syntax to Yako.bat:

[Image: Code appended to Yako.bat]

► Drops another batch file named Natso.bat into C:\Users\Public\, which removes the original windir environment variable and comments the rest of the line out. This batch script is used to perform UAC bypass on Windows 10.

[Image: UAC bypass on Windows 10]

► Drops an SSPICLI.dll file into the C:\Users\Public folder, with Yako.bat's path hardcoded and exporting the function named GetUserNameExW. It even has a malformed security certificate created on February 9, 2020 (spoiler alert: DLL hijacking).

► Drops the legitimate perfmon.exe into C:\Users\Public\.

► Drops a new batch file named Runex.bat into C:\Users\Public, containing the following snippet:

[Image: Runex.bat file]

The dropped files are:

[Image: Listing of the dropped files]

► Creates a fake C:\Windows \System32 folder, where it copies perfmon.exe and SSPICLI.dll. Most people won’t notice fast enough that there are two Windows folders in C:\ — one being “Windows” and the other being “Windows ” (with a space).

[Image: Fake Windows folder]

On Windows 10, perfmon.exe attempts to execute normally but loads the malicious SSPICLI.dll rather than the legitimate sspicli.dll from the C:\Windows\System32 directory. It creates a copy of Aosncql.exe and the hidden file named Aosn under the C:\Users\Public\Aosn directory, and it renames the file from Aosncql.exe to Aosnnem.exe.

[Image: Aosn file renamed]

After the DLL hijacking succeeds, a new instance of ieinstal.exe spawns and detaches from its parent process, meanwhile managing to install the Remcos RAT on the victim’s computer.

[Image: Aosn file]

► Drops Aosn.hta script into C:\Users\Public\ to achieve persistence:

[Image: Aosn.hta script]
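As an added, defender-side example (not the post's or CrowdStrike's code), this Python scan looks for the two artifacts described in the dropper actions above: a system-folder lookalike whose name ends in whitespace (the "Windows " twin) and a perfmon.exe/SSPICLI.dll pair sitting together outside the real System32. The sample directory tree is constructed in a temp folder; creating a trailing-space name this way assumes a POSIX filesystem, since on Windows itself such names need the \\?\ path prefix.

```python
import os
import tempfile

# Host binary -> DLL it loads by name. perfmon.exe / SSPICLI.dll is the pair
# the post describes; extend the map for other known hijackable pairs.
HIJACK_PAIRS = {"perfmon.exe": "sspicli.dll"}


def is_mock_name(name):
    """True when a directory name differs from a clean name only by trailing
    whitespace or dots, the trick behind the fake "Windows " folder."""
    stripped = name.rstrip(" .")
    return stripped != "" and stripped != name


def scan_mock_system_dirs(root):
    """Walk root and report (a) directories whose names carry trailing
    whitespace/dots and (b) a known hijack pair (EXE plus the DLL it loads)
    living together anywhere other than the genuine <root>/Windows/System32.

    Returns a list of (finding_type, path) tuples."""
    findings = []
    real_system32 = os.path.normcase(os.path.join(root, "Windows", "System32"))
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_mock_name(d):
                findings.append(("mock_directory", os.path.join(dirpath, d)))
        if os.path.normcase(dirpath) == real_system32:
            continue  # the real System32 is allowed to hold these files
        present = {f.lower() for f in filenames}
        for exe, dll in HIJACK_PAIRS.items():
            if exe in present and dll in present:
                findings.append(("hijack_pair", os.path.join(dirpath, exe)))
    return findings


def build_sample_tree():
    """Constructed (not captured from a real host) temp layout mirroring the
    post: a genuine Windows/System32 plus a "Windows " twin holding
    perfmon.exe and SSPICLI.dll side by side. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="mockdir_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    with open(os.path.join(root, "Windows", "System32", "sspicli.dll"), "wb") as f:
        f.write(b"legitimate placeholder")
    fake = os.path.join(root, "Windows ", "System32")  # note the trailing space
    os.makedirs(fake)
    for name in ("perfmon.exe", "SSPICLI.dll"):
        with open(os.path.join(fake, name), "wb") as f:
            f.write(b"dropped placeholder")
    os.makedirs(os.path.join(root, "Users", "Public"))
    return root


if __name__ == "__main__":
    for kind, path in scan_mock_system_dirs(build_sample_tree()):
        print(kind, repr(path))  # repr() makes the trailing space visible
```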

Example 4: A Professional Approach Does the Trick

This next type of attack targets a specific person. The key point here is the fact that the mail has an attachment, but the sender doesn’t refer to it in the message by including instructions or next steps for working with the file. This tactic relies on the curiosity of the victim for its success.

[Image: Spear-phishing email]

If the attachment file is opened with Microsoft Excel and the embedded macro is executed, it will serve as a downloader for the actual malware by contacting http[:]//profectusleadership[.]com/social.php.

[Image: The opened file]

The downloaded file is an installer that deceives the user by displaying an installation window followed by a privilege-related error, when in fact the files are dropped under a randomly named folder within %Appdata%\Roaming\.

What the victim doesn’t see is that in the background, there is another process, named signed_gate6.exe, executing an obfuscated PowerShell script dropped into %Appdata%\Local\Temp, and then removing it immediately after execution.

[Image: The process in the background]

That PowerShell script is responsible for dropping the files into %Appdata%\Roaming\<randomly_named_folder>\. The dropped files are:

[Image: Listing of the dropped files]

Here, directX.DLL is an empty file because the PowerShell script tries to download that file from a different location.

[Image: PowerShell script content]

Also, the following file is made persistent across reboots:

[Image: Persistence entry for the dropped file]

The dropped file fonthost.exe is actually the client for NetSupport Manager, a commercial remote administration tool that has been repurposed for malicious use. The client is accompanied by a configuration file (client32.ini) that directs it to establish a connection between the victim’s machine and bacninhcomputer[.]com, after first trying to obtain the victim machine’s current geolocation by contacting geo.netsupportsoftware[.]com/location/loca.asp.

Various operations can be performed on the individual’s machine by the attacker taking advantage of NetSupport Manager’s capabilities, such as screen recording, network discovery and logging keystrokes and mouse presses. 

This tool is typically used by administrators to gain remote access to computers, but in this case, successful phishing leads to the attacker gaining complete access to the target system.

Example 5: An Old Acquaintance Reappears

While the message text is messy, the subject announces alarmingly “COVID-19 UPDATE !!” The reader sees keywords such as “safety measures,” “preventive measures” and “coronavirus,” and that the alleged sender is a regional director from the Panamerican Health Organization (of course, it’s not the real person).

[Image: Spam content]

There is no intermediary step in the payload delivery process. Attached to the email is an archive with a malicious executable inside. In order to evade detection, the payload is packed with a Delphi packer that employs anti-debugging and virtual machine evasion techniques to further hinder analysis. Further analysis revealed that the payload delivered is the infamous LokiBot, an older commodity stealer.

[Image: Strings from the malicious artifacts]

Conclusion: Stay Safe

The fear and uncertainty surrounding a real-world pandemic can be leveraged as a powerful vector for malware propagation. Currently, this vector is being actively exploited by criminals looking for quick profits. The well-established elements of social engineering (spoofed sender, fake message, etc.) are amplified by people’s emotions, ensuring increased efficacy of malicious spam campaigns. CrowdStrike is continuing to detect COVID-19-related payloads currently in use, and we strongly advise everyone to avoid opening any unsolicited email they might get. Visit our COVID-19 Resource Hub to get up-to-the-minute intel and support to defend your organization against the latest cyber threats.

Online Learning: Staying Ahead of Cyber Threats Anytime and Anywhere https://www.crowdstrike.com/blog/staying-ahead-of-cyber-threats-with-online-learning/ Fri, 17 Apr 2020 14:42:47 +0000 https://www.crowdstrike.com/blog/?p=25540

While COVID-19 is requiring many people to remain at home, cyber threats are continuing — and even escalating as adversaries seek to take advantage of the global upheaval resulting from the new coronavirus. Now is a great time to stay engaged and keep learning to stay ahead of new cyber threats. While in-person classroom experiences may not be an option right now, online learning is a very effective method of education as long as the training is well designed.

Remote or Distance Learning Is Not New

In 2001, I enrolled in an online university for the first time. My online courses were incredibly engaging, and I got to know my fellow students on a deeper level than when I took courses at a physical university campus, because the course structure encouraged learning about the other students, reading their work submissions and asking questions. I learned not only from the pre-set curriculum but also from the experiences of other professionals who were students. The online presentation of materials and the course timing were flexible and convenient, and the classes were taught by active professionals in the field. What a fantastic opportunity it was to take a business law class from an acting judge in Indiana while sitting in my home office in Texas.

At CrowdStrike, we believe in the effectiveness of remote learning. For years, we have been offering self-paced e-learning through our online portal, CrowdStrike® University, using conferencing technology and cloud-based labs, and with instructor-led live online training options. The learning platforms we provide have been battle-tested and are outfitted to deliver exceptional hands-on cybersecurity training for organizations of any size.

What to Look For in an Online Learning Program

It’s a good idea to keep these best practices in mind when choosing an online training program for your employees.

Training Delivery Options and Schedules

First, consider the program’s flexibility around training delivery methods.

  • Look for live online instructor-led training sessions and on-site training options in conjunction with regional classroom events.
  • Check the frequency of courses available on the events calendar. Do classes recur at regular intervals — daily, weekly, monthly, quarterly?
  • Can the program accommodate the time zones your learners are in? If you have a dispersed group of remote employees, they will need convenient options that are conducive to learning.
    • Make note of which hours are available for learners on the East Coast versus the West Coast in North America.
    • Do you need classes with hours that are convenient for Europe and Asia-Pacific? Check with the training provider to see if several class times are offered or if classes are flexible enough to accommodate you, if requested.

Engaging Course Design

Next, consider whether the courses in the program are designed with interactivity in mind. Involvement in activities enhances learning, and adult learners thrive in a well-designed virtual learning event.

  • Does the e-learning include interactive elements? E-learning courses should have interactive elements included in the design — otherwise, learners won’t remain engaged. Look for elements like easy navigation, quizzes, videos and interactive simulations that should be interwoven in such a way that the elements are varied and appropriately spaced in the lessons.
  • Does the classroom training offer the opportunity for class discussion or networking? Programs that include deliberate group activities or the opportunity for social interaction foster the co-creation of learning throughout the training class.
  • Does the program include hands-on exercises? Are they easy to complete? Instructor-led courses should offer hands-on exercises to reinforce learning. Confirm if any special hardware requirements are needed for remote learners to take advantage of those hands-on exercises. Look for programs that offer cloud-based labs that are accessible with a simple invitation to log in using a web connection.

Expert instructors

An individual may hold certifications or have advanced technical competencies, but that same individual may not have experience teaching adult learners or may not be skilled in presenting material in a way that is easily understandable to learners with varying backgrounds. It is critical that instructors have both technical competency and the ability to deliver excellent training.

When looking into an instructor-led course of any kind, ask these questions:

  • Who will be teaching the course and what cybersecurity industry experience and technical skills do they have? Have they worked for another cybersecurity vendor or held a cybersecurity-related job role in a company or government agency?
  • What certifications do they hold? In the world of cybersecurity, look for non-vendor-specific credentials like CISSP, CISA/M, GIAC or others. CrowdStrike instructors are CrowdStrike-certified professionals who hold a CCFA, CCFR and/or CCFH.
  • What experience or qualifications does the instructor have related to teaching adults? Have they worked at a higher education institution, or do they hold a technical trainer certification?

Meeting learners’ needs

Learners primarily tend to use one of three basic learning styles: visual, auditory or kinesthetic. All courses — whether e-learning, virtual instructor-led or face to face — should vary the tool kit used to reach learners and tap into all the senses — for example, using lecture (auditory), written materials with graphics and product demonstrations (visual), and hands-on or role-play exercises (kinesthetic). Make sure the training program you are considering is designed in such a way that all of these learning styles are covered.

About CrowdStrike Training

The CrowdStrike training and certification program offers a robust catalog of classes with convenient options for your employees to help them keep their knowledge current and learn new skills — ultimately empowering them to better protect your organization and stop breaches.

Through CrowdStrike University, we provide opportunities for cybersecurity professionals to take advantage of training at their own pace or across multiple days and time zones around the globe. We provide the opportunity to practice what is learned in class in our cloud-based CrowdStrike Falcon® lab environment. Learners have the opportunity to engage with fellow students and live CrowdStrike experts.

CrowdStrike University offers a variety of options:

  • On-demand e-learning: Take digital courses on demand at the time and pace that is most convenient.
  • Virtual Instructor-led public classes: This training is available from a location of your choice because it is delivered via the internet — from the office, home or anywhere else. CrowdStrike maximizes the learning experience by ensuring engaging instructors, interactive quizzes and comprehensive hands-on labs.
  • Virtual Instructor-led dedicated classes: Rather than joining a public class, you can arrange dedicated classes for your employees. These classes allow learners to interact with colleagues and CrowdStrike’s expert instructors in a class that focuses on the needs of your organization.

With course offerings ranging from novice to expert and including on-demand and instructor-led options, CrowdStrike training and certification are easily accessible wherever you are.
