Counter Adversary Operations
International Authorities Indict, Sanction Additional INDRIK SPIDER Members and Detail Ties to BITWISE SPIDER and Russian State Activity
CrowdStrike often collaborates with law enforcement agencies to identify, track and stop cyber threats. We recently worked with law enforcement stakeholders within the U.K.’s National Crime Agency as […]
How CrowdStrike Hunts, Identifies and Defeats Cloud-Focused Threats
Adversaries’ persistent efforts to evade advancements in threat awareness and defense have shaped a cyber threat landscape dominated by their stealthy, fast-moving tactics. As they expand into the clo[…]
Malicious Inauthentic Falcon Crash Reporter Installer Delivers LLVM-Based Mythic C2 Agent Named Ciro
On July 24, 2024, an unattributed threat actor distributed a password-protected installer masquerading as an inauthentic Falcon Crash Reporter Installer to a German entity in an unattributed spear-phi[…]
Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity via Spearphishing Website
Summary On July 24, 2024, CrowdStrike Intelligence identified an unattributed spearphishing attempt delivering an inauthentic CrowdStrike Crash Reporter installer via a website impersonating a German […]
Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List
The threat intel data noted in this report is available to tens of thousands of customers, partners and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention[…]
Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure
Summary On July 23, 2024, CrowdStrike Intelligence identified the phishing domain crowdstrike-office365[.]com, which impersonates CrowdStrike and delivers malicious ZIP and RAR files containing a Micr[…]
Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure
Summary On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days afte[…]
Threat Actor Uses Fake CrowdStrike Recovery Manual to Deliver Unidentified Stealer
On July 22, 2024, CrowdStrike Intelligence identified a Word document containing macros that download an unidentified stealer now tracked as Daolpu. The document impersonates a Microsoft recovery manu[…]
Likely eCrime Actor Uses Filenames Capitalizing on July 19, 2024, Falcon Sensor Content Issues in Operation Targeting LATAM-Based CrowdStrike Customers
Summary On July 19, 2024, an issue present in a single content update for the CrowdStrike Falcon® sensor impacting Windows operating systems was identified, and a fix was deployed.1 CrowdStrike Intell[…]
Falcon Sensor Content Issue from July 19, 2024, Likely Used to Target CrowdStrike Customers
Updated 2024-07-26 1830 UTC On July 19, 2024, an issue present in a single content update for the CrowdStrike Falcon® sensor impacting Windows operating systems was identified, and a fix was deployed.[…]
CrowdStrike’s One-Click Hunting Simplifies Threat Hunting for Security Teams
Adversaries are not breaking in; they are logging in. The CrowdStrike 2024 Global Threat Report highlights an alarming trend: In 75% of cyberattacks detected in 2023, adversaries gained initial access[…]
Secure Your Staff: How to Protect High-Profile Employees' Sensitive Data on the Web
Organizations are increasingly concerned about high-profile employees’ information being exposed on the deep and dark web. The CrowdStrike Counter Adversary Operations team is often asked to find fake[…]
Still Alive: Updates for Well-Known Latin America eCrime Malware Identified in 2023
Latin America (LATAM) is a growing market, and threat actors have used numerous eCrime malware variants to target users in this region. Over the past few years, many researchers have characterized the[…]
CrowdStrike 2024 Global Threat Report: Adversaries Gain Speed and Stealth
The CrowdStrike Global Threat Report, now in its tenth iteration, examines how adversaries’ behavior poses an ever-expanding risk to the security of organizations’ data and infrastructure. Armed with […]
How Malicious Insiders Use Known Vulnerabilities Against Their Organizations
December 07, 2023
Jaime Duque - Bobby Dean - Alex Merriam - Damon Duncan - Nicolas Zilio Counter Adversary OperationsBetween January 2021 and April 2023, CrowdStrike Counter Adversary Operations and the CrowdStrike Falcon® Complete managed detection and response (MDR) team identified multiple incidents in which an i[…]
5 Tips to Defend Against Access Brokers This Holiday Season
The holiday season brings a shift in how people and businesses operate: Some companies may partially shut down, leaving only a skeleton crew to manage their IT environments, while others head into the[…]
IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations
CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and tech[…]
Automation Advancements in Falcon Intelligence Recon: Disrupt the Adversary and Reduce Risk
Adversaries are continuing to expand their attacks by adding tactics like domain abuse, multifactor authentication (MFA) fatigue and unique crafted exploit kits acquired from underground forums. Typos[…]
Announcing CrowdStrike Falcon Counter Adversary Operations Elite
CrowdStrike is raising the bar for proactive detection and response with the introduction of CrowdStrike Falcon® Counter Adversary Operations Elite, the industry’s first and only white-glove service c[…]
eCriminals Share Ways to Impersonate School Staff to Steal Paychecks
CrowdStrike Counter Adversary Operations monitors for and attempts to disrupt eCrime threat actors across a broad spectrum of malicious activity, ranging from sophisticated ransomware campaigns to sim[…]
Amid Sharp Increase in Identity-Based Attacks, CrowdStrike Unveils New Threat Hunting Capability
Adversaries are doubling down on identity-based attacks. According to Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report, we’ve seen an alarming 583% year-over-year increase in Kerberoasting atta[…]
Discovering and Blocking a Zero-Day Exploit with CrowdStrike Falcon Complete: The Case of CVE-2023-36874
CrowdStrike Counter Adversary Operations is committed to analyzing active exploitation campaigns and detecting and blocking zero-days to protect our customers. In July 2023, the CrowdStrike Falcon® Co[…]
CrowdStrike Debuts Counter Adversary Operations Team to Fight Faster and Smarter Adversaries as Identity-Focused Attacks Skyrocket
CrowdStrike is proud to announce the launch of CrowdStrike Counter Adversary Operations, a newly formed, first-of-its kind team that brings together CrowdStrike Falcon® Intelligence and the CrowdStrik[…]
CrowdStrike Named a Leader that “Delivers World-Class Threat Intelligence” in 2023 Forrester Wave
We’re excited to share that Forrester has named CrowdStrike a Leader in The Forrester Wave™: External Threat Intelligence Services Providers, Q3 2023. CrowdStrike received the highest ranking of all v[…]
Making Sense of the Dark Web with Falcon Intelligence Recon+
The vastness of the deep and dark web can easily turn attempts to monitor for cyber threats into a firehose of useless information. Part of the problem is the nature of the data streams that need to b[…]
Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks
Editor’s Note: VMware updated its knowledge base article, “Deployment of 3rd Party Agents and Anti-virus software on the ESXi Hypervisor,” noting that the content is outdated and should be considered […]
CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
Note: Content from this post first appeared in r/CrowdStrike 3/31 UPDATE After review and reverse engineering by the CrowdStrike Intelligence team, the signed MSI (aa124a4b4df12b34e74ee7f6c683b2ebec4c[…]
QakBot eCrime Campaign Leverages Microsoft OneNote Attachments
In November 20211 and February 2022,2 Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike In[…]
How to Mature Your Threat Intelligence Program
With so many threat intelligence solutions on the market today, it raises the question: What is threat intelligence and why do you need it? I won’t go into detail about what threat intelligence is; yo[…]
Exploiting CVE-2021-3490 for Container Escapes
Today, containers are the preferred approach to deploy software or create build environments in CI/CD lifecycles. However, since the emergence of container solutions and environments like Docker and K[…]
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
In December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting organizations within the telecom and business process outsourcing (BPO) sectors with an end objective of gaining acc[…]
CrowdStrike Named a Leader in Frost & Sullivan’s 2022 Frost Radar for Cyber Threat Intelligence
CrowdStrike is excited to announce we have been recognized by Frost & Sullivan as a global leader in the Frost Radar™ Global Cyber Threat Intelligence Market, 2022 analysis. Earlier this year, CrowdSt[…]
Expose and Disrupt Adversaries Beyond the Perimeter with CrowdStrike Falcon Intelligence Recon
Cybercriminals continuously adapt to stay a step ahead of the organizations they target. Over more than a decade, CrowdStrike has carefully tracked the evolution of eCrime tactics and capabilities and[…]
’Tis the Season for eCrime
Financially motivated criminal activities, aka “eCrime,” happen in waves. They come and go as adversaries develop new tools and target vulnerable victims. Similar to how investors track stock market a[…]
Evicting Typosquatters: How CrowdStrike Protects Against Domain Impersonations
Threat actors constantly unleash phishing attacks that use emails or text messages containing domains or URLs, all designed to impersonate well-known companies and trick users into visiting fake websi[…]
CrowdStrike Falcon® Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer
The CrowdStrike Falcon® platform, leveraging a combination of advanced machine learning and artificial intelligence, identified a new supply chain attack during the installation of a chat-based custom[…]
Adversary Quest 2022 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]
Adversary Quest 2022 Walkthrough, Part 2: Four TABLOID JACKAL Challenges
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]
Adversary Quest 2022 Walkthrough, Part 1: Four CATAPULT SPIDER Challenges
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]
Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies
Today CrowdStrike sent the following Tech Alert to our customers: On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, inc[…]
Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses
Cybercriminals are constantly evolving their operations, the methods they use to breach an organization's defenses and their tactics for monetizing their efforts. In the CrowdStrike 2022 Global Threat[…]
Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022
The Adversary Quest is back! From July 11 through July 25, 2022, the CrowdStrike Intelligence Advanced Research Team invites you to go head-to-head with three unique adversaries during our second annu[…]
For the Common Good: How to Compromise a Printer in Three Simple Steps
In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security research[…]
Naming Adversaries and Why It Matters to Your Security Team
What is it with these funny adversary names such as FANCY BEAR, WIZARD SPIDER and DEADEYE JACKAL? You read about them in the media and see them on CrowdStrike t-shirts and referenced by MITRE in the A[…]
Quadrant Knowledge Solutions Names CrowdStrike a Leader in the 2022 SPARK Matrix for Digital Threat Intelligence Management
“CrowdStrike is capable of catering to the diverse customer needs across industry verticals, with its comprehensive capabilities, compelling customer references, comprehensive roadmap and vision, clou[…]
Follow the Money: How eCriminals Monetize Ransomware
The transaction details and monetization patterns of modern eCrime reveal critical insights for organizations defending against ransomware attacks. Cybercrime has evolved over the past several years f[…]
Who is EMBER BEAR?
4/4/22 Editor’s note: The hearing described below has been rescheduled for 10 a.m. EST on Tuesday, April 5. On Wednesday, March 30, 2022, Adam Meyers, CrowdStrike Senior Vice President of Intelligence[…]
A Tale of Two Cookies: How to Pwn2Own the Cisco RV340 Router
In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security research[…]
PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell
At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET SPIDER exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impactin[…]
Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
Summary On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at[…]
Access Brokers: Who Are the Targets, and What Are They Worth?
Access brokers have become a key component of the eCrime threat landscape, selling access to threat actors and facilitating myriad criminal activities. Many have established relationships with big gam[…]
Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next
Disruptive and destructive cyber operations have been levied against elements of Ukrainian society by adversaries attributed to the Russian government — or groups highly likely to be controlled by the[…]
Technical Analysis of the WhisperGate Malicious Bootloader
On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by t[…]
Log4j2 Vulnerability "Log4Shell" (CVE-2021-44228)
Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. Between late November and early December 2021, a critical vulnerability (CVE-2021-44228) impacting[…]
Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes
In a July 2019 blog post about DoppelPaymer, Crowdstrike Intelligence reported that ProcessHacker was being hijacked to kill a list of targeted processes and gain access, delivering a “critical hit.” […]
A Foray into Fuzzing
One useful method in a security researcher’s toolbox for discovering new bugs in software is called “fuzz testing,” or just “fuzzing.” Fuzzing is an automatic software testing approach where the softw[…]
Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary
One of the most tedious tasks in malware analysis is to get rid of the obfuscated code. Nowadays, almost every malware uses obfuscation to hinder the analysis and try to evade detection. In some cases[…]
Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments
The Advanced Research Team at CrowdStrike Intelligence discovered multiple vulnerabilities affecting libvncclient. In some widely used desktop environments, such as GNOME, these vulnerabilities can be[…]
CARBON SPIDER Embraces Big Game Hunting, Part 2
In 2020, CARBON SPIDER began conducting big game hunting (BGH) ransomware campaigns with PINCHY SPIDER’s REvil before introducing Darkside. The adversary later opened up Darkside to affiliates through[…]
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
This announcement is part of the Fal.Con 2021 CrowdStrike Cybersecurity Conference, Oct. 12-14. Register now for free to learn all about our exciting new products, partnerships and latest intel! The e[…]
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
The eCrime ecosystem is an active and diverse economy of financially motivated threat actors engaging in a myriad of criminal activities to generate revenue. With the CrowdStrike eCrime Index (ECX), C[…]
Sidoh: WIZARD SPIDER’s Mysterious Exfiltration Tool
WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking Trojan. This Russia-based eCrime group originally […]
CARBON SPIDER Embraces Big Game Hunting, Part 1
Throughout 2020, CARBON SPIDER dramatically overhauled their operations. In April 2020, the adversary abruptly shifted from narrow campaigns focused entirely on companies operating point-of-sale (POS)[…]
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
August 04, 2021
Falcon OverWatch - CrowdStrike Intelligence - CrowdStrike IR Counter Adversary OperationsCrowdStrike Intelligence, Falcon OverWatch™ and CrowdStrike Incident Response teams have observed multiple campaigns by the eCrime actor PROPHET SPIDER where the adversary has exploited Oracle WebLogi[…]
CrowdStrike Announces CrowdStrike Falcon Intelligence Recon+ to Combat Cybercriminals
Cybercriminals Are Raking in Billions Cybercrime is big business. Security industry analysts project annual global cybercrime damages to reach $6 trillion USD in 2021 (according to Cybersecurity Ventu[…]
The Evolution of PINCHY SPIDER from GandCrab to REvil
For years, ransomware was a nuisance that impacted individuals who were unfortunate enough to encounter it via banking trojans, exploit kits or phishing attacks and resulted in a large number of small[…]
Adversary Quest 2021 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges
At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest. This “capture the flag” event featured 12 information security challenges in thre[…]
DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape
The repercussions from the Colonial Pipeline DarkSide ransomware incident have garnered global attention and caused major shifts in the ransomware ecosystem. Many criminal forums have now banned ranso[…]
Increasing Relevance of Access Broker Market Shown in Improved ECX Model
The eCrime ecosystem is an active and diverse economy of financially motivated threat actors that engage in a myriad of criminal activities in order to generate revenue. With the eCrime Index (ECX), C[…]
Adversary Quest 2021 Walkthrough, Part 2: Four SPACE JACKAL Hacktivist Challenges
At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest. This “capture the flag” event featured 12 information security challenges in thre[…]
Adversary Quest 2021 Walkthrough, Part 1: Four CATAPULT SPIDER eCrime Challenges
At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest. This “capture the flag” event featured 12 information security challenges in thre[…]
Forrester Names CrowdStrike a Leader in the 2021 Wave for External Threat Intelligence
“The quality of technical intelligence and expertise of the dedicated analysts were noted by multiple customer references. One customer specifically felt like CrowdStrike was a ‘true partner of their […]
INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions
Introduction In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action against the Russia-based cybercriminal group INDRIK SPIDER, also known as Evil Corp, a[…]
Hypervisor Jackpotting, Part 1: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
This is Part 1 of a three-part blog series. Read Part 2 and Part 3. Targeted large-scale ransomware campaigns, referred to as big game hunting (BGH), remained the primary eCrime threat to organization[…]
Explore the Adversary Universe
Since the beginning of CrowdStrike’s history, we have relentlessly pursued cyber adversaries across the internet, because we knew back when we started the company as we do now, it doesn’t matter wheth[…]
Pwn2Own: A Tale of a Bug Found and Lost Again
In October 2020, the Pwn2Own Tokyo 2020 announcement caught our attention. Even though originally we hadn’t planned to participate, we checked out the target list and decided to take a look at one of […]
Join the Challenge: CrowdStrike Intelligence Adversary Quest 2021
Are you interested in information security and do you enjoy working on technical challenges? Then put this CrowdStrike event on your calendar and join the fun. On January 18-29, 2021, the CrowdStrike®[…]
SUNSPOT: An Implant in the Build Process
In December 2020, the industry was rocked by the disclosure of a complex supply chain attack against SolarWinds, Inc., a leading provider of network performance monitoring tools used by organizations […]
Hacking Farm to Table: Threat Hunters Uncover Rise in Attacks Against Agriculture
Life on the farm isn’t what it used to be. With overall cyberattacks on the rise, even agriculture has found itself in the crosshairs of cyber threat actors. In fact, during the last ten months alone,[…]
New Podcast Series: The Importance of Cyber Threat Intelligence in Cybersecurity
A new CrowdStrike® podcast series hosted by Cybercrime Magazine focuses on the critical role cyber threat intelligence (CTI) plays in an effective cybersecurity strategy. The series features CrowdStri[…]
WIZARD SPIDER Update: Resilient, Reactive and Resolute
WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking malware. This Russia-based eCrime group originally[…]
Double Trouble: Ransomware with Data Leak Extortion, Part 2
As data leak extortion swiftly became the new norm for big game hunting (BGH) ransomware operators since late 2019, various criminal adversaries began innovating in this area. This includes collaborat[…]
Double Trouble: Ransomware with Data Leak Extortion, Part 1
The most prominent eCrime trend observed so far in 2020 is big game hunting (BGH) actors stealing and leaking victim data in order to force ransom payments and, in some cases, demand two ransoms. Data[…]
Who Is PIONEER KITTEN?
PIONEER KITTEN at a Glance Origins Islamic Republic of Iran Target Nations Israel, Middle East North Africa (MENA), North America, United States Last Known Activity July 2020 (earliest: 2017) Target I[…]
Exploiting GlobalProtect for Privilege Escalation, Part Two: Linux and macOS
This is the second blog in a two-part series covering the exploitation of the Palo Alto Networks GlobalProtect VPN client running on Linux and macOS. The first blog covered this exploitation on Window[…]
Exploiting GlobalProtect for Privilege Escalation, Part One: Windows
The CrowdStrike® Intelligence Advanced Research Team discovered two distinct vulnerabilities in the Windows, Linux and macOS versions of the Palo Alto Networks GlobalProtect VPN client (CVE-2019-17435[…]
Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques
April 16, 2020
Eric Loui - Karl Scheuerman - Aaron Pickett - Brendon Feeley Counter Adversary OperationsSince at least 2018, criminal actors have been conducting big game hunting (BGH) campaigns, deploying ransomware on a targeted scale against large corporations or governments in pursuit of lucrative p[…]
Situational Awareness: Cyber Threats Heightened by COVID-19 and How to Protect Against Them
Please Note: Check this blog for frequent updates on adversary activity related to COVID-19. June 24, 2020: Observed Activity Update As the COVID-19 pandemic continues to take hold in various geograph[…]
Who is REFINED KITTEN?
Common Aliases REFINED KITTEN may also be identified by the following pseudonyms: APT33 Elfin Magnallium Holmium REFINED KITTEN’s Origins REFINED KITTEN is a nation-state-based threat actor whose acti[…]
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
CrowdStrike® Intelligence analyzed variants of Ryuk (a ransomware family distributed by WIZARD SPIDER) with new functionality for identifying and encrypting files on hosts in a local area network (LAN[…]
Ransomware Increases the Back-to-School Blues
As students all over the United States donned their backpacks and packed their lunches to go back to school this year, the all-to-familiar impact of ransomware created confusion and disarray for schoo[…]
Who is Salty Spider (Sality)?
Common Aliases SALTY SIDER is most commonly identified with the botnet it maintains (Sality) and it’s associated pseudonyms: KuKu SalLoad Kookoo SaliCode Kukacka SALTY SPIDER’s Origins SALTY SPIDER is[…]
CrowdStrike Mobile Threat Report Offers Trends and Recommendations for Securing Your Organization
The universal adoption of mobile devices in business environments has created new attack vectors that organizations struggle to address. A new report from CrowdStrike, the “Mobile Threat Landscape Rep[…]
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attack[…]
New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration
On March 17, 2019, CrowdStrike® Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDE[…]
PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated wit[…]
"Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
CrowdStrike® Intelligence observed a new campaign from a LUNAR SPIDER affiliate to distribute WIZARD SPIDER's TrickBot malware on Feb. 7, 2019. However, this latest campaign is somewhat unique due to […]
Who is FANCY BEAR (APT28)?
The nation-state adversary group known as FANCY BEAR (also known as APT28 or Sofacy) has been operating since at least 2008 and represents a constant threat to a wide variety of organizations around t[…]
Enhancing Secure Boot Chain on Fedora 29
This blog is from the CrowdStrike Intelligence Advanced Research Team Motivation What is worse than a failing system? A (silently) compromised, yet operational system! While there are many attack vect[…]
Widespread DNS Hijacking Activity Targets Multiple Sectors
CrowdStrike® Intelligence™ has been researching reports of widespread DNS hijacking activity since information on the attacks became publicly available earlier this month.1 The information allowed for[…]
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big gam[…]
Farewell to Kelihos and ZOMBIE SPIDER
The Kelihos peer-to-peer botnet was one of the largest and longest-operating cybercrime infrastructures in existence. Its origins can be traced back to the Storm Worm, a botnet that emerged in 2007 an[…]
Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
HELIX KITTEN is likely an Iranian-based adversary group, active since at least late 2015, targeting organizations in the aerospace, energy, financial, government, hospitality and telecommunications bu[…]
Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014[…]
Meet CrowdStrike’s Adversary of the Month for October: DUNGEON SPIDER
DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that […]
Cutwail Spam Campaign Uses Steganography to Distribute URLZone
CrowdStrike® CrowdStrike Falcon® Intelligence™ has observed a new Cutwail spam campaign from NARWHAL SPIDER on 24 October 2018. NARWHAL SPIDER is the adversary name designated by Falcon Intelligence f[…]
Two Birds, One STONE PANDA
Introduction In April 2017, a previously unknown group calling itself IntrusionTruth began releasing blog posts detailing individuals believed to be associated with major Chinese intrusion campaigns. […]
Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA
CrowdStrike® first observed GOBLIN PANDA activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors. Malware varian[…]
Arrests Put New Focus on CARBON SPIDER Adversary Group
In an indictment unsealed by the U.S. Department of Justice (DoJ) on Aug. 1, 2018, three Ukrainian nationals have been charged with conspiracy, wire fraud, computer hacking, access device fraud and ag[…]
Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER
WICKED SPIDER (PANDA) is a suspected China-based adversary that likely operates as an exploitation group for hire. The use of two cryptonyms for this group exemplifies how this adversary has demonstra[…]
Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA
The June 2018 adversary spotlight is on MUSTANG PANDA, a China-based adversary that has demonstrated an ability to rapidly assimilate new tools and tactics into its operations, as evidenced by its use[…]
Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA
STARDUST CHOLLIMA is a targeted intrusion adversary with a likely nexus to the Democratic People’s Republic of Korea (DPRK). This adversary is typically involved in operations against financial instit[…]
Why North Korean Cyberwarfare is Likely to Intensify
Despite a parade of issues battling for headlines today, the impending negotiations between the United States and the Democratic People's Republic of North Korea (DPRK) have been widely covered, with […]
Software Supply Chain Attacks Gained Traction in 2017 and Are Likely to Continue
One of the important topics covered in the CrowdStrike® 2018 Global Threat Report is the increase in supply chain attacks in 2017. This topic was also highlighted in a recent webcast featuring CrowdSt[…]
Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER
In continuance of our monthly blog post to introduce a new threat actor, February 2018 features a criminally motivated actor we call MUMMY SPIDER. This actor is associated with the malware commonly kn[…]
CrowdStrike's January Adversary of the Month: VOODOO BEAR
For the past several years, CrowdStrike® has published a yearly calendar that includes international holidays, working days of the most prevalent threat actors, and significant geopolitical events. Ev[…]
Malicious Spear-Phishing Campaign Targets Upcoming Winter Olympics in South Korea
A malicious campaign has been identified targeting suspected victims involved in or supporting the February 2018 Olympic Winter Games in Pyeongchang, South Korea. Open source reporting indicates this […]
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
In late October and early November, 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four We[…]
Full Decryption of Systems Encrypted by Petya/NotPetya
As demonstrated in the previous blog post about decryption of Petya/NotPetya, almost the complete Master File Table (MFT) can be decrypted. In this post, we describe our approach to collect more keyst[…]
Software Supply Chain Attacks on the Rise, Undermining Customer Trust
On June 27, 2017, a destructive payload dubbed “NotPetya” by researchers, was deployed covertly using a legitimate software package employed by organizations operating in Ukraine. The attack was perpe[…]
Protecting the Software Supply Chain: Deep Insights into the CCleaner Backdoor
The term “supply chain attacks” means different things to different people. To the general business community, it refers to attacks targeting vulnerable third-parties in a larger organization’s supply[…]
Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack
Making the world a better place has always been a core goal of CrowdStrike. In this blog post, we are making our findings, and tools, for decrypting NotPetya/Petya available to the general public. Wit[…]
CrowdStrike Protects Against NotPetya Attack
Update: Due to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya - NotPetya. On June 27 at approximately 10:30 UTC, a new ransomware family began propagat[…]
Falcon Intelligence Report: Wanna Ransomware Spreads Rapidly; CrowdStrike Falcon® Prevents the Attack
Wanna Decryption Ransom Screen Wanna (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware exploded onto the ransomware scene on May 12, 2017, with a mass campaign impacting organizatio[…]
Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet
This figure shows a snapshot of systems infected with Kelihos communicating with the sinkhole created to disable it. The arrest of Russian cybercriminal Pyotr Levashov (aka Peter Severa, or threat act[…]
VirusTotal Lookups Are Back in CrowdInspect, CrowdStrike’s Popular Free Tool
CrowdStrike CrowdInspect version 1.5.0.0 has arrived. Many of you are familiar with CrowdInspect, a simple-to-use and understand Windows application that lists processes running on your computer, alon[…]
Blocking Malicious PowerShell Downloads
As a next-gen endpoint protection solution, uniquely unifying next-gen antivirus with endpoint detection and response, CrowdStrike Falcon®™ provides a unique view of malicious activity, making hunting[…]
Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units
Update - As of March 2017, the estimated losses of D-30 howitzer platform have been amended. According to an update provided by the International Institute for Strategic Studies (IISS) Research Associ[…]
Bear Hunting: Tracking Down COZY BEAR Backdoors
As a follow-up to the CrowdStrike blog entry "Bears in the Midst" on June 15, 2016, we will walk through the methods leveraged by CrowdStrike to recover a COZY BEAR WMI backdoor. The recovery of the b[…]
CrowdStrike’s New Methodology for Tracking eCrime
At our inception, CrowdStrike coined the phrase, “You don’t have a malware problem, you have an adversary problem.” Behind every attack -- whether it is the most advanced nation state conducting espio[…]
M&A – Buying While Cyber Blind?
Mergers and acquisitions: Many organizations utilize these activities to move their business forward by expanding into different market segments or gaining competitive advantage with a unique offering[…]
Cyber Skirmish: Russia v. Turkey
On the morning of 24 November 2015 an F-16 operated by the Turkish Air Force dropped into position behind a Russian Su-24 Fencer and dispatched an air-to-air Sidewinder missile that sliced into the Ru[…]
Using OS X FSEvents to Discover Deleted Malicious Artifacts
File System Events (FSEvents) in OS X 10.7+ introduced the capability to monitor changes to a directory. FSevents are logged by the file system events daemon (fseventsd) process; the daemon writes the[…]
Investigating PowerShell: Command and Script Logging
PowerShell is becoming ubiquitous in the Microsoft ecosystem, and, while it simplifies administration, it opens up a nearly unprecedented suite of capabilities for attackers. Nearly every malicious ac[…]
Nothing else is working. Why not memory forensics?
I ran across a couple of blog posts recently that were espousing the virtues of memory forensics. Having developed a framework very similar to Volatility from the ground up under a government contract[…]
Sakula Reloaded
Often during the investigation of sophisticated threat actors, the demarcation between the different attackers and campaigns are blurry. Researchers need to rely on tradecraft and analytic rigor to un[…]
How to Learn from Adversaries as they Test Attack Strategies
According to a recent Harvard Business Review report, 84 percent of enterprises have increased their Cloud usage in the past year. Fueling this major business migration to the Cloud are the well-docum[…]
Blurring of Commodity and Targeted Attack Malware
As malware and its authors continue to evolve, deciphering the purpose of specific malware-driven attacks has become more challenging. While some malware still has a feature-specific design such as DD[…]
Falcon Zero-Day Flash Detection
In the wake of the Hacking Team leaks in early July, a result of an intrusion into the company’s network, various zero-day vulnerabilities that affect multiple platforms and software configurations we[…]
Rhetoric Foreshadows Cyber Activity in the South China Sea
As the increasingly aggressive rhetoric surrounding the conflict in the South China Sea (SCS) continues to dominate both Western and Chinese media headlines, multiple outlets and normally rational Chi[…]
VENOM Vulnerability Details
Recently, I discovered a vulnerability in QEMU's virtual Floppy Disk Controller (FDC), exploitation of which may allow malicious code inside a virtual machine guest to perform arbitrary code execution[…]
3 Tips for Operationalizing Cyber Intelligence
In 2014 it became abundantly clear that threat intelligence provides a decisive advantage in protecting your enterprise. Using threat intelligence, savvy security practitioners can reduce the time to […]
RSA 2015 Hacking Exposed: CrowdResponse Update Released
George Kurtz, Dmitri Alperovitch and Elia Zaitsev have just finished up the Hacking Exposed: Beyond the Malware session at the RSA 2015 Conference. In the session, they demonstrated how to conduct an […]
Operational threat intelligence with Maltego Transform Hub
“I’m drowning in data, but starving for information.” Ever feel that way? Recently, I heard a CISO use this as a description of his company’s information security posture. Today, enterprises are litte[…]
Adversaries Set Their Sights on Oil and Gas Sector
With high profile breaches in the financial, healthcare and retail sectors making news almost daily, it’s no secret that those industries are in the adversary’s crosshairs. However, while it may get l[…]
Chopping packets: Decoding China Chopper Web shell traffic over SSL
Introduction The Chopper Web shell is a widely used backdoor by Chinese and other malicious actors to remotely access a compromised Web server. Deployment of the Chopper shell on the server is fairly […]
Surgeon with a Shotgun! - Memory Forensics
With the ever-increasing need for speed and accuracy for digital investigations and incident response, it is imperative that organizations are able to provide answers quickly. These organizations rely[…]
Parsing Sysmon Events for IR Indicators
Intro and Installation A dedicated endpoint monitoring tool is quickly becoming a necessity among organizations to increase visibility, logging, and alerting to combat targeted attacks and commodity m[…]
Cyber Kung-Fu: The Great Firewall Art of DNS Poisoning
Wing Chun (咏春拳), the first Chinese martial art learned by the legendary Bruce Lee, is often best known for its principles of simultaneous attack and defense. This experience later inspired him to crea[…]
Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool
The State of Kernel Exploitation The typical write-what-where kernel-mode exploit technique usually relies on either modifying some key kernel-mode data structure, which is easy to do locally on Windo[…]
Advanced Falconry: Seeking Out the Prey with Machine Learning
Interest in machine learning is on the rise. This was evidenced by the attendance of our recent CrowdCast on the topic — if you haven’t seen it yet, head over to our CrowdCast Channel and take a quick[…]
I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors
Over the last few months, the CrowdStrike Intelligence team has been tracking a campaign of highly targeted events focused on entities in the U.S. Defense Industrial Base (DIB), healthcare, government[…]
Peering Around the Corner
After the better part of a decade chasing adversaries around the Internet, there are a few things I know to be true about targeted intrusion actors operating in the interests of various nation states.[…]
CVE-2014-1761 - The Alley of Compromise
A significant fraction of targeted attacks involve spear phishing emails with malicious lure documents that, when opened, exploit a vulnerability in the document viewer application to invoke a backdoo[…]
Mitigating Bash ShellShock
Following the frenzy of patch releases in reaction to the CVE-2014-6271 Bash Vulnerability (ShellShock), several blogs and articles were published detailing the vulnerability, but there has been less […]
Occupy Central: The Umbrella Revolution and Chinese Intelligence
First observed in late 2013, the People’s Republic of China (PRC) has steadily increased the use of its intelligence services and cyber operations in Hong Kong as part of a response to the growing pro[…]
Registry Analysis with CrowdResponse
The third release of the free CrowdResponse incident response collection tool is now available! This time around we include plugins that facilitate the collection of Windows registry data. Our inspira[…]
Hat-tribution to PLA Unit 61486
Attribution is a key component of cyber-intelligence, by knowing the adversary you can effectively understand their intentions and objectives. Deep understanding of the adversary allows organizations […]
Gameover
On Friday May 30, 2014, an unprecedented botnet disruption was initiated by the United States Department of Justice (DOJ) in coordination with numerous law enforcement and industry partners. This coor[…]
New CrowdResponse Modules
During his talk at this year’s RSA conference, George Kurtz introduced a new free community tool named CrowdResponse. CrowdResponse is a robust data-gathering platform that we intend to continue impro[…]
Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN
Today, our friends at FireEye released a report on an Iran-based adversary they are calling Saffron Rose. CrowdStrike Intelligence has also been tracking and reporting internally on this threat group […]
CrowdStrike Heartbleed Scanner - Update
This is a followup to our original blog post for the CrowdStrike Heartbleed Scanner. Due to popular demand and acting on feedback we have received, today we have updated our free Heartbleed Scanner vu[…]
Mo' Shells Mo' Problems - Network Detection
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our client's privacy and interests, some data has been redacted or sanitized. In pre[…]
Mo' Shells Mo' Problems - Web Server Log Analysis
Disclaimer: CrowdStrike derived this information from investigations in unclassified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. Web shel[…]
Mo' Shells Mo' Problems - File List Stacking
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. In our[…]
Mo' Shells Mo' Problems - Deep Panda Web Shells
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our client's privacy and interests, some data has been redacted or sanitized. Crowds[…]
Native Java Bytecode Debugging without Source Code
At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very s[…]
Through the Window: Creative Code Invocation
Recently, while analyzing a targeted attack, CrowdStrike observed an interesting code invocation technique that we want to describe here. This particular technique can be used to invoke code that has […]
Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)
In this last part of our series on protected processes in Windows 8.1, we’re going to be taking a look at the cryptographic security that protects the system from the creation or promotion of arbitrar[…]
The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of LSASS protection and pass-the-hash mitigation through the Protect[…]
Analysis of a CVE-2013-3906 Exploit
Many of CrowdStrike’s customers are often targeted by email phishing campaigns and strategic web compromises (also known as watering-hole attacks). These attacks use exploits to take advantage of vuln[…]
The Evolution of Protected Processes - Part 1: Pass-the-Hash Mitigations in Windows 8.1
It was more than six years ago that I first posted on the concept of protected processes, making my opinion of this poorly thought-out DRM scheme clear in the title alone: “Why Protected Processes Are[…]
VICEROY TIGER Delivers New Zero-Day Exploit
On November 5, 2013, Microsoft announced that a vulnerability in the Microsoft Graphics Component could allow Remote Code Execution (RCE). This announcement attracted immediate interest from the secur[…]
DNS - The Lifeblood of your Domain
As the situation on the ground in Syria continues to deteriorate, the Syrian Electronic Army (SEA) has made quite a few waves by conducting an attack against the Domain Name System (DNS) infrastructur[…]
Rare Glimpse into a Real-Life Command-and-Control Server
Recently, CrowdStrike has been tracking the activities of an adversary we’ve named Viceroy Tiger. During our research, we happened upon an interesting file written in Microsoft’s Visual Basic 6 (VB6).[…]
Who is Samurai Panda
This week we’re back to our old friends with a Chinese nexus. To recount the last few weeks of our adversary blog posts, we first introduced Anchor Panda, an adversary we attribute to China and associ[…]
Who is Clever Kitten
Over the last several weeks, CrowdStrike has been discussing some of the dozens of adversaries that the CrowdStrike Intelligence team tracks every day. We revealed a Chinese-based adversary we crypt a[…]
Whois Numbered Panda
Last week's Intelligence blog post featured Anchor Panda, one of the many adversary groups that CrowdStrike tracks. The adversary is the human component in an attack that one should focus on. It is no[…]
Who is Anchor Panda
Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area[…]
Free Community Tool: CrowdInspect
CrowdInspect is a free community tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of potential malware that communicates over the network that may exist on y[…]
HTTP iframe Injecting Linux Rootkit
On Tuesday, November 13, 2012, a previously unknown Linux rootkit was posted to the Full Disclosure mailing list by an anonymous victim. The rootkit was discovered on a web server that added an unknow[…]
Unpacking Dynamically Allocated Code
Background Today, most malware is obfuscated to make it more difficult for traditional antivirus engines to detect the malicious code and to make it more arduous for analysts to understand the malware[…]
CrowdStrike Intelligence - Adversary-based Approach
Treating the problem, not the symptoms Having spent the better part of the last 10 years dealing with various cyber adversaries, it is frustrating to see so many organizations focus on the symptoms of[…]