Counter Adversary Operations
Secure Your Staff: How to Protect High-Profile Employees' Sensitive Data on the Web
Organizations are increasingly concerned about high-profile employees’ information being exposed on the deep and dark web. The CrowdStrike Counter Adversary Operations team is often asked to find fake[…]
Kovter Killer: How to Remediate the APT of Clickjacking
Latin America (LATAM) is a growing market, and threat actors have used numerous eCrime malware variants to target users in this region. Over the past few years, many researchers have characterized the[…]
CrowdStrike’s 2018 Global Threat Report Reveals the Trends, Insights and Threat Actors You Need to Know
The CrowdStrike Global Threat Report, now in its tenth iteration, examines how adversaries’ behavior poses an ever-expanding risk to the security of organizations’ data and infrastructure. Armed with […]
Seeing into the Shadows: Tackling ChromeOS Blind Spots with Dell and CrowdStrike
According to a 2023 Forbes article, 12.7% of U.S. workers work remotely and 28.2% have adopted a hybrid work schedule. As device and usage trends continue to shift, organizations must find ways to sec[…]
Spotlight on the Log-Structured Merge (LSM) Tree: One of the Keys Enabling CrowdStrike to Process Trillions of Events per Day
December 07, 2023
Jaime Duque - Bobby Dean - Alex Merriam - Damon Duncan - Nicolas Zilio
Counter Adversary Operations
Between January 2021 and April 2023, CrowdStrike Counter Adversary Operations and the CrowdStrike Falcon® Complete managed detection and response (MDR) team identified multiple incidents in which an i[…]
5 Common Hybrid IT Security Challenges and How to Overcome Them
The holiday season brings a shift in how people and businesses operate: Some companies may partially shut down, leaving only a skeleton crew to manage their IT environments, while others head into the[…]
The Imperative to Secure Identities: Key Takeaways from Recent High-Profile Breaches
CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and tech[…]
Making Sense of the Dark Web with Falcon Intelligence Recon+
Adversaries are continuing to expand their attacks by adding tactics like domain abuse, multifactor authentication (MFA) fatigue and unique crafted exploit kits acquired from underground forums. Typos[…]
Announcing CrowdStrike Falcon Counter Adversary Operations Elite
CrowdStrike is raising the bar for proactive detection and response with the introduction of CrowdStrike Falcon® Counter Adversary Operations Elite, the industry’s first and only white-glove service c[…]
WebAssembly Is Abused by eCriminals to Hide Malware
CrowdStrike Counter Adversary Operations monitors for and attempts to disrupt eCrime threat actors across a broad spectrum of malicious activity, ranging from sophisticated ransomware campaigns to sim[…]
CrowdStrike’s Advanced Memory Scanning Stops Threat Actor Using BRc4 at Telecommunications Customer
Adversaries are doubling down on identity-based attacks. According to Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report, we’ve seen an alarming 583% year-over-year increase in Kerberoasting atta[…]
Discovering and Blocking a Zero-Day Exploit with CrowdStrike Falcon Complete: The Case of CVE-2023-36874
CrowdStrike Counter Adversary Operations is committed to analyzing active exploitation campaigns and detecting and blocking zero-days to protect our customers. In July 2023, the CrowdStrike Falcon® Co[…]
Compromised NPM Package Used in Supply Chain Attack: CrowdStrike Falcon® Customers Protected
CrowdStrike is proud to announce the launch of CrowdStrike Counter Adversary Operations, a newly formed, first-of-its kind team that brings together CrowdStrike Falcon® Intelligence and the CrowdStrik[…]
CrowdStrike Named a Leader in Frost & Sullivan’s 2022 Frost Radar for Cyber Threat Intelligence
We’re excited to share that Forrester has named CrowdStrike a Leader in The Forrester Wave™: External Threat Intelligence Services Providers, Q3 2023. CrowdStrike received the highest ranking of all v[…]
Falcon Insight XDR and Falcon LogScale: What You Need to Know
The vastness of the deep and dark web can easily turn attempts to monitor for cyber threats into a firehose of useless information. Part of the problem is the nature of the data streams that need to b[…]
Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware
Editor’s Note: VMware updated its knowledge base article, “Deployment of 3rd Party Agents and Anti-virus software on the ESXi Hypervisor,” noting that the content is outdated and should be considered […]
CrowdStrike Falcon® Detects 100% of Attacks in New SE Labs EDR Test, Winning Highest Rating
Note: Content from this post first appeared in r/CrowdStrike. 3/31 UPDATE: After review and reverse engineering by the CrowdStrike Intelligence team, the signed MSI (aa124a4b4df12b34e74ee7f6c683b2ebec4c[…]
QakBot eCrime Campaign Leverages Microsoft OneNote Attachments
In November 2021[1] and February 2022,[2] Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike In[…]
Make Cloud Defense a Team Sport by Turning DevOps into a Force Multiplier
With so many threat intelligence solutions on the market today, it raises the question: What is threat intelligence and why do you need it? I won’t go into detail about what threat intelligence is; yo[…]
CrowdStrike Research Investigates Exploit Behavior to Strengthen Customer Protection
Today, containers are the preferred approach to deploy software or create build environments in CI/CD lifecycles. However, since the emergence of container solutions and environments like Docker and K[…]
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
In December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting organizations within the telecom and business process outsourcing (BPO) sectors with an end objective of gaining acc[…]
CrowdStrike Named a Leader in Frost & Sullivan CWPP Radar, Demonstrating Strong Innovation and Growth
CrowdStrike is excited to announce we have been recognized by Frost & Sullivan as a global leader in the Frost Radar™ Global Cyber Threat Intelligence Market, 2022 analysis. Earlier this year, CrowdSt[…]
Explore the Adversary Universe
Cybercriminals continuously adapt to stay a step ahead of the organizations they target. Over more than a decade, CrowdStrike has carefully tracked the evolution of eCrime tactics and capabilities and[…]
CrowdStrike Falcon® Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential Attacks
Threat actors constantly unleash phishing attacks that use emails or text messages containing domains or URLs, all designed to impersonate well-known companies and trick users into visiting fake websi[…]
CrowdStrike Falcon® Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer
The CrowdStrike Falcon® platform, leveraging a combination of advanced machine learning and artificial intelligence, identified a new supply chain attack during the installation of a chat-based custom[…]
Adversary Quest 2022 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]
Adversary Quest 2022 Walkthrough, Part 2: Four TABLOID JACKAL Challenges
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]
Adversary Quest 2022 Walkthrough, Part 1: Four CATAPULT SPIDER Challenges
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information secur[…]
Callback Malware Campaigns Impersonate CrowdStrike and Other Cybersecurity Companies
Today CrowdStrike sent the following Tech Alert to our customers: On July 8, 2022, CrowdStrike Intelligence identified a callback phishing campaign impersonating prominent cybersecurity companies, inc[…]
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cybercriminals are constantly evolving their operations, the methods they use to breach an organization's defenses and their tactics for monetizing their efforts. In the CrowdStrike 2022 Global Threat[…]
Capture the Flag: CrowdStrike Intelligence Adversary Quest 2022
The Adversary Quest is back! From July 11 through July 25, 2022, the CrowdStrike Intelligence Advanced Research Team invites you to go head-to-head with three unique adversaries during our second annu[…]
For the Common Good: How to Compromise a Printer in Three Simple Steps
In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security research[…]
Multi-Layered Prevention for the Endpoint
What is it with these funny adversary names such as FANCY BEAR, WIZARD SPIDER and DEADEYE JACKAL? You read about them in the media and see them on CrowdStrike t-shirts and referenced by MITRE in the A[…]
CrowdStrike Delivers Cyber Resilience for the Airline Industry to Meet New TSA Requirements
“CrowdStrike is capable of catering to the diverse customer needs across industry verticals, with its comprehensive capabilities, compelling customer references, comprehensive roadmap and vision, clou[…]
Another Brick in the Wall: eCrime Groups Leverage SonicWall VPN Vulnerability
The transaction details and monetization patterns of modern eCrime reveal critical insights for organizations defending against ransomware attacks. Cybercrime has evolved over the past several years f[…]
Who is EMBER BEAR?
4/4/22 Editor’s note: The hearing described below has been rescheduled for 10 a.m. EST on Tuesday, April 5. On Wednesday, March 30, 2022, Adam Meyers, CrowdStrike Senior Vice President of Intelligence[…]
Preventing Exploitation of the ZIP File Format
In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security research[…]
PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell
At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET SPIDER exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impactin[…]
For the Common Good: How to Compromise a Printer in Three Simple Steps
Summary: On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at[…]
Access Brokers: Who Are the Targets, and What Are They Worth?
Access brokers have become a key component of the eCrime threat landscape, selling access to threat actors and facilitating myriad criminal activities. Many have established relationships with big gam[…]
LemonDuck Targets Docker for Cryptomining Operations
Disruptive and destructive cyber operations have been levied against elements of Ukrainian society by adversaries attributed to the Russian government — or groups highly likely to be controlled by the[…]
TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang
TellYouThePass ransomware, discovered in 2019, recently re-emerged compiled using Golang. Golang’s popularity among malware developers makes cross-platform development more accessible. TellYouThePass ra[…]
Log4j2 Vulnerability "Log4Shell" (CVE-2021-44228)
Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. Between late November and early December 2021, a critical vulnerability (CVE-2021-44228) impacting[…]
CrowdStrike’s Artificial Intelligence Tooling Uses Similarity Search to Analyze Script-Based Malware Attack Techniques
In a July 2019 blog post about DoppelPaymer, CrowdStrike Intelligence reported that ProcessHacker was being hijacked to kill a list of targeted processes and gain access, delivering a “critical hit.” […]
Endpoint Protection and Threat Intelligence: The Way Forward [VIDEO]
One useful method in a security researcher’s toolbox for discovering new bugs in software is called “fuzz testing,” or just “fuzzing.” Fuzzing is an automatic software testing approach where the softw[…]
Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary
One of the most tedious tasks in malware analysis is to get rid of the obfuscated code. Nowadays, almost every malware uses obfuscation to hinder the analysis and try to evade detection. In some cases[…]
Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments
The Advanced Research Team at CrowdStrike Intelligence discovered multiple vulnerabilities affecting libvncclient. In some widely used desktop environments, such as GNOME, these vulnerabilities can be[…]
CARBON SPIDER Embraces Big Game Hunting, Part 2
In 2020, CARBON SPIDER began conducting big game hunting (BGH) ransomware campaigns with PINCHY SPIDER’s REvil before introducing Darkside. The adversary later opened up Darkside to affiliates through[…]
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
This announcement is part of the Fal.Con 2021 CrowdStrike Cybersecurity Conference, Oct. 12-14. Register now for free to learn all about our exciting new products, partnerships and latest intel! The e[…]
How Artificial Intelligence is Becoming a Key Weapon in the Cybersecurity War
The eCrime ecosystem is an active and diverse economy of financially motivated threat actors engaging in a myriad of criminal activities to generate revenue. With the CrowdStrike eCrime Index (ECX), C[…]
Sidoh: WIZARD SPIDER’s Mysterious Exfiltration Tool
WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking Trojan. This Russia-based eCrime group originally […]
CARBON SPIDER Embraces Big Game Hunting, Part 1
Throughout 2020, CARBON SPIDER dramatically overhauled their operations. In April 2020, the adversary abruptly shifted from narrow campaigns focused entirely on companies operating point-of-sale (POS)[…]
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
August 04, 2021
Falcon OverWatch - CrowdStrike Intelligence - CrowdStrike IR
Counter Adversary Operations
CrowdStrike Intelligence, Falcon OverWatch™ and CrowdStrike Incident Response teams have observed multiple campaigns by the eCrime actor PROPHET SPIDER where the adversary has exploited Oracle WebLogi[…]
CrowdStrike Announces CrowdStrike Falcon Intelligence Recon+ to Combat Cybercriminals
Cybercriminals Are Raking in Billions. Cybercrime is big business. Security industry analysts project annual global cybercrime damages to reach $6 trillion USD in 2021 (according to Cybersecurity Ventu[…]
Adversary Quest 2021 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges
At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest. This “capture the flag” event featured 12 information security challenges in thre[…]
OverWatch Casts a Wide Net for Follina: Hunting Beyond the Proof of Concept
The repercussions from the Colonial Pipeline DarkSide ransomware incident have garnered global attention and caused major shifts in the ransomware ecosystem. Many criminal forums have now banned ranso[…]
CCleaner Stage 2: In-Depth Analysis of the Payload
The eCrime ecosystem is an active and diverse economy of financially motivated threat actors that engage in a myriad of criminal activities in order to generate revenue. With the eCrime Index (ECX), C[…]
Adversary Quest 2021 Walkthrough, Part 2: Four SPACE JACKAL Hacktivist Challenges
At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest. This “capture the flag” event featured 12 information security challenges in thre[…]
Adversary Quest 2021 Walkthrough, Part 1: Four CATAPULT SPIDER eCrime Challenges
At the end of January 2021, the CrowdStrike Intelligence Advanced Research Team hosted our first-ever Adversary Quest. This “capture the flag” event featured 12 information security challenges in thre[…]
See the COMPLETE Picture: New Study Reveals the Benefits of Fully Managed Detection and Response
“The quality of technical intelligence and expertise of the dedicated analysts were noted by multiple customer references. One customer specifically felt like CrowdStrike was a ‘true partner of their […]
Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List
Introduction: In December 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action against the Russia-based cybercriminal group INDRIK SPIDER, also known as Evil Corp, a[…]
Stop Breaches With Complete Confidence? Customers Say Falcon Complete Can
In our recent blog, “See the COMPLETE Picture: New Study Reveals the Benefits of Fully Managed Detection and Response,” we reviewed Forrester’s analysis that explains how CrowdStrike Falcon® Complete™[…]
Hypervisor Jackpotting, Part 1: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
This is Part 1 of a three-part blog series. Read Part 2 and Part 3. Targeted large-scale ransomware campaigns, referred to as big game hunting (BGH), remained the primary eCrime threat to organization[…]
Exploiting GlobalProtect for Privilege Escalation, Part Two: Linux and macOS
Since the beginning of CrowdStrike’s history, we have relentlessly pursued cyber adversaries across the internet, because we knew back when we started the company as we do now, it doesn’t matter wheth[…]
Pwn2Own: A Tale of a Bug Found and Lost Again
In October 2020, the Pwn2Own Tokyo 2020 announcement caught our attention. Even though originally we hadn’t planned to participate, we checked out the target list and decided to take a look at one of […]
Black Hat 2021: Join Us Virtually or In Person
Are you interested in information security and do you enjoy working on technical challenges? Then put this CrowdStrike event on your calendar and join the fun. On January 18-29, 2021, the CrowdStrike®[…]
“Gitting” the Malware: How Threat Actors Use GitHub Repositories to Deploy Malware
Life on the farm isn’t what it used to be. With overall cyberattacks on the rise, even agriculture has found itself in the crosshairs of cyber threat actors. In fact, during the last ten months alone,[…]
New Podcast Series: The Importance of Cyber Threat Intelligence in Cybersecurity
A new CrowdStrike® podcast series hosted by Cybercrime Magazine focuses on the critical role cyber threat intelligence (CTI) plays in an effective cybersecurity strategy. The series features CrowdStri[…]
WIZARD SPIDER Update: Resilient, Reactive and Resolute
WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking malware. This Russia-based eCrime group originally[…]
Double Trouble: Ransomware with Data Leak Extortion, Part 1
As data leak extortion swiftly became the new norm for big game hunting (BGH) ransomware operators since late 2019, various criminal adversaries began innovating in this area. This includes collaborat[…]
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
The most prominent eCrime trend observed so far in 2020 is big game hunting (BGH) actors stealing and leaking victim data in order to force ransom payments and, in some cases, demand two ransoms. Data[…]
Who Is PIONEER KITTEN?
PIONEER KITTEN at a Glance. Origins: Islamic Republic of Iran. Target Nations: Israel, Middle East North Africa (MENA), North America, United States. Last Known Activity: July 2020 (earliest: 2017). Target I[…]
Exploiting GlobalProtect for Privilege Escalation, Part One: Windows
This is the second blog in a two-part series covering the exploitation of the Palo Alto Networks GlobalProtect VPN client running on Linux and macOS. The first blog covered this exploitation on Window[…]
Exploiting CVE-2021-3490 for Container Escapes
The CrowdStrike® Intelligence Advanced Research Team discovered two distinct vulnerabilities in the Windows, Linux and macOS versions of the Palo Alto Networks GlobalProtect VPN client (CVE-2019-17435[…]
Register Now to Join Us in Las Vegas for Fal.Con 2022
Please Note: Check this blog for frequent updates on adversary activity related to COVID-19. June 24, 2020: Observed Activity Update. As the COVID-19 pandemic continues to take hold in various geograph[…]
Who is REFINED KITTEN?
Common Aliases: REFINED KITTEN may also be identified by the following pseudonyms: APT33, Elfin, Magnallium, Holmium. REFINED KITTEN’s Origins: REFINED KITTEN is a nation-state-based threat actor whose acti[…]
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
CrowdStrike® Intelligence analyzed variants of Ryuk (a ransomware family distributed by WIZARD SPIDER) with new functionality for identifying and encrypting files on hosts in a local area network (LAN[…]
Ransomware Increases the Back-to-School Blues
As students all over the United States donned their backpacks and packed their lunches to go back to school this year, the all-too-familiar impact of ransomware created confusion and disarray for schoo[…]
Who is Salty Spider (Sality)?
Common Aliases: SALTY SPIDER is most commonly identified with the botnet it maintains (Sality) and its associated pseudonyms: KuKu, SalLoad, Kookoo, SaliCode, Kukacka. SALTY SPIDER’s Origins: SALTY SPIDER is[…]
CrowdStrike Mobile Threat Report Offers Trends and Recommendations for Securing Your Organization
The universal adoption of mobile devices in business environments has created new attack vectors that organizations struggle to address. A new report from CrowdStrike, the “Mobile Threat Landscape Rep[…]
Don’t Take The Vendor’s Word For It: The Importance of Third-Party Testing
CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attack[…]
Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER
The tactic of singling out large organizations for high ransom payouts has signaled a shift in the eCrime ecosystem, with a focus on targeted, low-volume, high-return criminal activity. It’s a type of[…]
New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration
On March 17, 2019, CrowdStrike® Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDE[…]
PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated wit[…]
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
CrowdStrike® Intelligence observed a new campaign from a LUNAR SPIDER affiliate to distribute WIZARD SPIDER's TrickBot malware on Feb. 7, 2019. However, this latest campaign is somewhat unique due to […]
Who is FANCY BEAR (APT28)?
The nation-state adversary group known as FANCY BEAR (also known as APT28 or Sofacy) has been operating since at least 2008 and represents a constant threat to a wide variety of organizations around t[…]
CrowdStrike Enhances Cloud Asset Visualization to Accelerate Risk Prioritization
This blog is from the CrowdStrike Intelligence Advanced Research Team. Motivation: What is worse than a failing system? A (silently) compromised, yet operational system! While there are many attack vect[…]
Threat Actor “Magecart”: Coming to an eCommerce Store Near You
Threat actors that target eCommerce platforms to skim credit card information from online shoppers are commonly referred to under the umbrella threat actor name “Magecart.” This blog analyzes recently[…]
Widespread DNS Hijacking Activity Targets Multiple Sectors
CrowdStrike® Intelligence™ has been researching reports of widespread DNS hijacking activity since information on the attacks became publicly available earlier this month.[1] The information allowed for[…]
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big gam[…]
Falcon Zero-Day Flash Detection
The Kelihos peer-to-peer botnet was one of the largest and longest-operating cybercrime infrastructures in existence. Its origins can be traced back to the Storm Worm, a botnet that emerged in 2007 an[…]
Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA
HELIX KITTEN is likely an Iranian-based adversary group, active since at least late 2015, targeting organizations in the aerospace, energy, financial, government, hospitality and telecommunications bu[…]
Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014[…]
Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that […]
Customers, Conviction, Speed: A Conversation With George Kurtz, CEO and Co-Founder at CrowdStrike
CrowdStrike Falcon® Intelligence™ has observed a new Cutwail spam campaign from NARWHAL SPIDER on 24 October 2018. NARWHAL SPIDER is the adversary name designated by Falcon Intelligence f[…]
Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA
CrowdStrike® first observed GOBLIN PANDA activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors. Malware varian[…]
Arrests Put New Focus on CARBON SPIDER Adversary Group
In an indictment unsealed by the U.S. Department of Justice (DoJ) on Aug. 1, 2018, three Ukrainian nationals have been charged with conspiracy, wire fraud, computer hacking, access device fraud and ag[…]
CrowdStrike's January Adversary of the Month: VOODOO BEAR
WICKED SPIDER (PANDA) is a suspected China-based adversary that likely operates as an exploitation group for hire. The use of two cryptonyms for this group exemplifies how this adversary has demonstra[…]
Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER
The June 2018 adversary spotlight is on MUSTANG PANDA, a China-based adversary that has demonstrated an ability to rapidly assimilate new tools and tactics into its operations, as evidenced by its use[…]
CrowdStrike’s Cloud Security and Observability Capabilities to Be Showcased at KubeCon + CloudNativeCon North America 2022
STARDUST CHOLLIMA is a targeted intrusion adversary with a likely nexus to the Democratic People’s Republic of Korea (DPRK). This adversary is typically involved in operations against financial instit[…]
Why North Korean Cyberwarfare is Likely to Intensify
Despite a parade of issues battling for headlines today, the impending negotiations between the United States and the Democratic People's Republic of North Korea (DPRK) have been widely covered, with […]
Software Supply Chain Attacks Gained Traction in 2017 and Are Likely to Continue
One of the important topics covered in the CrowdStrike® 2018 Global Threat Report is the increase in supply chain attacks in 2017. This topic was also highlighted in a recent webcast featuring CrowdSt[…]
Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA
In continuance of our monthly blog post to introduce a new threat actor, February 2018 features a criminally motivated actor we call MUMMY SPIDER. This actor is associated with the malware commonly kn[…]
Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER
For the past several years, CrowdStrike® has published a yearly calendar that includes international holidays, working days of the most prevalent threat actors, and significant geopolitical events. Ev[…]
Chip Flaws Spectre and Meltdown are Actually Three Vulnerabilities and Proving Hard to Mitigate
The latest computer flaws to make global headlines are ominously titled “Spectre” and “Meltdown” and they represent a unique breed of trouble, requiring unprecedented industry collaboration and manual[…]
Malicious Spear-Phishing Campaign Targets Upcoming Winter Olympics in South Korea
A malicious campaign has been identified targeting suspected victims involved in or supporting the February 2018 Olympic Winter Games in Pyeongchang, South Korea. Open source reporting indicates this […]
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
In late October and early November, 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four We[…]
From the Archives: Drop the MIC — CVE-2019-1040
As demonstrated in the previous blog post about decryption of Petya/NotPetya, almost the complete Master File Table (MFT) can be decrypted. In this post, we describe our approach to collect more keyst[…]
Software Supply Chain Attacks on the Rise, Undermining Customer Trust
On June 27, 2017, a destructive payload dubbed “NotPetya” by researchers, was deployed covertly using a legitimate software package employed by organizations operating in Ukraine. The attack was perpe[…]
Protecting the Software Supply Chain: Deep Insights into the CCleaner Backdoor
The term “supply chain attacks” means different things to different people. To the general business community, it refers to attacks targeting vulnerable third-parties in a larger organization’s supply[…]
Dealing with Out-of-memory Conditions in Rust
Making the world a better place has always been a core goal of CrowdStrike. In this blog post, we are making our findings, and tools, for decrypting NotPetya/Petya available to the general public. Wit[…]
CrowdStrike Protects Against NotPetya Attack
Update: Due to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya - NotPetya. On June 27 at approximately 10:30 UTC, a new ransomware family began propagat[…]
Automation Advancements in Falcon Intelligence Recon: Disrupt the Adversary and Reduce Risk
(Figure: Wanna Decryption Ransom Screen) Wanna (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware exploded onto the ransomware scene on May 12, 2017, with a mass campaign impacting organizatio[…]
Inside the MITRE ATT&CK Evaluation: How CrowdStrike’s Elite Managed Services Operate in the Real World
This figure shows a snapshot of systems infected with Kelihos communicating with the sinkhole created to disable it. The arrest of Russian cybercriminal Pyotr Levashov (aka Peter Severa, or threat act[…]
VirusTotal Lookups Are Back in CrowdInspect, CrowdStrike’s Popular Free Tool
CrowdStrike CrowdInspect version 1.5.0.0 has arrived. Many of you are familiar with CrowdInspect, a simple-to-use and understand Windows application that lists processes running on your computer, alon[…]
Blocking Malicious PowerShell Downloads
As a next-gen endpoint protection solution, uniquely unifying next-gen antivirus with endpoint detection and response, CrowdStrike Falcon® provides a unique view of malicious activity, making hunting[…]
CrowdStrike Customers Share Benefits of Cybersecurity Consolidation and Technology Integrations
Update - As of March 2017, the estimated losses of D-30 howitzer platform have been amended. According to an update provided by the International Institute for Strategic Studies (IISS) Research Associ[…]
Bear Hunting: Tracking Down COZY BEAR Backdoors
As a follow-up to the CrowdStrike blog entry "Bears in the Midst" on June 15, 2016, we will walk through the methods leveraged by CrowdStrike to recover a COZY BEAR WMI backdoor. The recovery of the b[…]
The Economics of Ransomware: How SCADA/ICS Changes the Equation
At our inception, CrowdStrike coined the phrase, “You don’t have a malware problem, you have an adversary problem.” Behind every attack -- whether it is the most advanced nation state conducting espio[…]
Meet CrowdStrike’s Adversary of the Month for October: DUNGEON SPIDER
Mergers and acquisitions: Many organizations utilize these activities to move their business forward by expanding into different market segments or gaining competitive advantage with a unique offering[…]
Cyber Kung-Fu: The Great Firewall Art of DNS Poisoning
On the morning of 24 November 2015 an F-16 operated by the Turkish Air Force dropped into position behind a Russian Su-24 Fencer and dispatched an air-to-air Sidewinder missile that sliced into the Ru[…]
Using OS X FSEvents to Discover Deleted Malicious Artifacts
File System Events (FSEvents) in OS X 10.7+ introduced the capability to monitor changes to a directory. FSevents are logged by the file system events daemon (fseventsd) process; the daemon writes the[…]
Investigating PowerShell: Command and Script Logging
PowerShell is becoming ubiquitous in the Microsoft ecosystem, and, while it simplifies administration, it opens up a nearly unprecedented suite of capabilities for attackers. Nearly every malicious ac[…]
Nothing else is working. Why not memory forensics?
I ran across a couple of blog posts recently that were espousing the virtues of memory forensics. Having developed a framework very similar to Volatility from the ground up under a government contract[…]
Sakula Reloaded
Often during the investigation of sophisticated threat actors, the demarcation between the different attackers and campaigns are blurry. Researchers need to rely on tradecraft and analytic rigor to un[…]
Improve Threat Hunting with Long-Term, Cost-Effective Data Retention
According to a recent Harvard Business Review report, 84 percent of enterprises have increased their Cloud usage in the past year. Fueling this major business migration to the Cloud are the well-docum[…]
Blurring of Commodity and Targeted Attack Malware
As malware and its authors continue to evolve, deciphering the purpose of specific malware-driven attacks has become more challenging. While some malware still has a feature-specific design such as DD[…]
CROWDSTRIKE FALCON XDR: Delivered at the Speed and Scale of the CrowdStrike Security Cloud
In the wake of the Hacking Team leaks in early July, a result of an intrusion into the company’s network, various zero-day vulnerabilities that affect multiple platforms and software configurations we[…]
Rhetoric Foreshadows Cyber Activity in the South China Sea
As the increasingly aggressive rhetoric surrounding the conflict in the South China Sea (SCS) continues to dominate both Western and Chinese media headlines, multiple outlets and normally rational Chi[…]
VENOM Vulnerability Details
Recently, I discovered a vulnerability in QEMU's virtual Floppy Disk Controller (FDC), exploitation of which may allow malicious code inside a virtual machine guest to perform arbitrary code execution[…]
3 Tips for Operationalizing Cyber Intelligence
In 2014 it became abundantly clear that threat intelligence provides a decisive advantage in protecting your enterprise. Using threat intelligence, savvy security practitioners can reduce the time to […]
CrowdResponse Release and new @Tasks modules
George Kurtz, Dmitri Alperovitch and Elia Zaitsev have just finished up the Hacking Exposed: Beyond the Malware session at the RSA 2015 Conference. In the session, they demonstrated how to conduct an […]
Operational threat intelligence with Maltego Transform Hub
“I’m drowning in data, but starving for information.” Ever feel that way? Recently, I heard a CISO use this as a description of his company’s information security posture. Today, enterprises are litte[…]
Adversaries Set Their Sights on Oil and Gas Sector
With high profile breaches in the financial, healthcare and retail sectors making news almost daily, it’s no secret that those industries are in the adversary’s crosshairs. However, while it may get l[…]
Surgeon with a Shotgun! - Memory Forensics
With the ever-increasing need for speed and accuracy for digital investigations and incident response, it is imperative that organizations are able to provide answers quickly. These organizations rely[…]
Parsing Sysmon Events for IR Indicators
Intro and Installation: A dedicated endpoint monitoring tool is quickly becoming a necessity among organizations to increase visibility, logging, and alerting to combat targeted attacks and commodity m[…]
This Year’s CrowdStrike Services Report Offers Observations on 2020 Cyber Threat Trends and Insights for 2021
Wing Chun (咏春拳), the first Chinese martial art learned by the legendary Bruce Lee, is often best known for its principles of simultaneous attack and defense. This experience later inspired him to crea[…]
Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool
The State of Kernel Exploitation: The typical write-what-where kernel-mode exploit technique usually relies on either modifying some key kernel-mode data structure, which is easy to do locally on Windo[…]
Advanced Falconry: Seeking Out the Prey with Machine Learning
Interest in machine learning is on the rise. This was evidenced by the attendance of our recent CrowdCast on the topic — if you haven’t seen it yet, head over to our CrowdCast Channel and take a quick[…]
IR Team Investigations Uncover eCrime Use of Nation-State Attack Methods
Over the last few months, the CrowdStrike Intelligence team has been tracking a campaign of highly targeted events focused on entities in the U.S. Defense Industrial Base (DIB), healthcare, government[…]
Peering Around the Corner
After the better part of a decade chasing adversaries around the Internet, there are a few things I know to be true about targeted intrusion actors operating in the interests of various nation states.[…]
CVE-2014-1761 - The Alley of Compromise
A significant fraction of targeted attacks involve spear phishing emails with malicious lure documents that, when opened, exploit a vulnerability in the document viewer application to invoke a backdoo[…]
CSO Online: Insights on Cyber Espionage From CrowdStrike VP Mike Sentonas
Following the frenzy of patch releases in reaction to the CVE-2014-6271 Bash Vulnerability (ShellShock), several blogs and articles were published detailing the vulnerability, but there has been less […]
Occupy Central: The Umbrella Revolution and Chinese Intelligence
First observed in late 2013, the People’s Republic of China (PRC) has steadily increased the use of its intelligence services and cyber operations in Hong Kong as part of a response to the growing pro[…]
Registry Analysis with CrowdResponse
The third release of the free CrowdResponse incident response collection tool is now available! This time around we include plugins that facilitate the collection of Windows registry data. Our inspira[…]
Hardening Neural Networks for Computer Security Against Adversarial Attack
Attribution is a key component of cyber-intelligence, by knowing the adversary you can effectively understand their intentions and objectives. Deep understanding of the adversary allows organizations […]
Full Decryption of Systems Encrypted by Petya/NotPetya
On Friday May 30, 2014, an unprecedented botnet disruption was initiated by the United States Department of Justice (DOJ) in coordination with numerous law enforcement and industry partners. This coor[…]
*NEW* Community Tool: CrowdStrike Heartbleed Scanner
During his talk at this year’s RSA conference, George Kurtz introduced a new free community tool named CrowdResponse. CrowdResponse is a robust data-gathering platform that we intend to continue impro[…]
Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN
Today, our friends at FireEye released a report on an Iran-based adversary they are calling Saffron Rose. CrowdStrike Intelligence has also been tracking and reporting internally on this threat group […]
CrowdStrike and Google Cloud Expand Strategic Partnership to Deliver Unified Cloud Security
This is a followup to our original blog post for the CrowdStrike Heartbleed Scanner. Due to popular demand and acting on feedback we have received, today we have updated our free Heartbleed Scanner vu[…]
Mo' Shells Mo' Problems - File List Stacking
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients' privacy and interests, some data has been redacted or sanitized. In pre[…]
Mo' Shells Mo' Problems - Network Detection
Disclaimer: CrowdStrike derived this information from investigations in unclassified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. Web shel[…]
Mo' Shells Mo' Problems - Deep Panda Web Shells
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients’ privacy and interests, some data has been redacted or sanitized. In our[…]
CrowdStrike Partners with MITRE CTID, Reveals Real-world Insider Threat Techniques
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients' privacy and interests, some data has been redacted or sanitized. Crowds[…]
Naming Adversaries and Why It Matters to Your Security Team
At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very s[…]
Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)
In this last part of our series on protected processes in Windows 8.1, we’re going to be taking a look at the cryptographic security that protects the system from the creation or promotion of arbitrar[…]
The Evolution of Protected Processes - Part 1: Pass-the-Hash Mitigations in Windows 8.1
In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of LSASS protection and pass-the-hash mitigation through the Protect[…]
Analysis of a CVE-2013-3906 Exploit
Many of CrowdStrike’s customers are often targeted by email phishing campaigns and strategic web compromises (also known as watering-hole attacks). These attacks use exploits to take advantage of vuln[…]
Everything You Think You Know About (Storing and Searching) Logs Is Wrong
It was more than six years ago that I first posted on the concept of protected processes, making my opinion of this poorly thought-out DRM scheme clear in the title alone: “Why Protected Processes Are[…]
VICEROY TIGER Delivers New Zero-Day Exploit
On November 5, 2013, Microsoft announced that a vulnerability in the Microsoft Graphics Component could allow Remote Code Execution (RCE). This announcement attracted immediate interest from the secur[…]
DLL Side-Loading: How to Combat Threat Actor Evasion Techniques
As the situation on the ground in Syria continues to deteriorate, the Syrian Electronic Army (SEA) has made quite a few waves by conducting an attack against the Domain Name System (DNS) infrastructur[…]
Rare Glimpse into a Real-Life Command-and-Control Server
Recently, CrowdStrike has been tracking the activities of an adversary we’ve named Viceroy Tiger. During our research, we happened upon an interesting file written in Microsoft’s Visual Basic 6 (VB6).[…]
Who is Samurai Panda
This week we’re back to our old friends with a Chinese nexus. To recount the last few weeks of our adversary blog posts, we first introduced Anchor Panda, an adversary we attribute to China and associ[…]
Who is Clever Kitten
Over the last several weeks, CrowdStrike has been discussing some of the dozens of adversaries that the CrowdStrike Intelligence team tracks every day. We revealed a Chinese-based adversary we crypt a[…]
Whois Numbered Panda
Last week's Intelligence blog post featured Anchor Panda, one of the many adversary groups that CrowdStrike tracks. The adversary is the human component in an attack that one should focus on. It is no[…]
Who is Anchor Panda
Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area[…]
Free Community Tool: CrowdInspect
CrowdInspect is a free community tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of potential malware that communicates over the network that may exist on y[…]
How We Use Apache Airflow at CrowdStrike, Part 1
On Tuesday, November 13, 2012, a previously unknown Linux rootkit was posted to the Full Disclosure mailing list by an anonymous victim. The rootkit was discovered on a web server that added an unknow[…]
Unpacking Dynamically Allocated Code
Background: Today, most malware is obfuscated to make it more difficult for traditional antivirus engines to detect the malicious code and to make it more arduous for analysts to understand the malware[…]
CrowdStrike’s Solution to Help School Districts Meet Cybersecurity Challenges
Treating the problem, not the symptoms: Having spent the better part of the last 10 years dealing with various cyber adversaries, it is frustrating to see so many organizations focus on the symptoms of[…]