{ "type": "Domain", "indicator": "crowdstrike.blue", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/crowdstrike.blue", "alexa": "http://www.alexa.com/siteinfo/crowdstrike.blue", "indicator": "crowdstrike.blue", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3925297881, "indicator": "crowdstrike.blue", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "669e8accb2936756bfb3e020", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategies", "description": "On July 19th, 2024, a faulty update from CrowdStrike caused kernel instability and Blue Screen of Death (BSOD) loops on millions of Windows devices worldwide, leading to major disruptions across industries. While affected parties work on remediation, threat actors are exploiting the situation through phishing, malicious domains, and fake 'hotfixes'. SentinelOne's Live Security Updates operate in isolated user-mode space, avoiding kernel impacts, and undergo rigorous testing before release, mitigating such risks.", "modified": "2024-07-22T16:41:01.279000", "created": "2024-07-22T16:37:32.971000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2183, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386538, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6788c2a595b9414b3bd8621d", "name": "CrowdStrike Global Outage \u2013 Threat Actor Activity and Risk Mitigation Strategies", "description": "", "modified": "2025-01-16T08:26:13.686000", "created": "2025-01-16T08:26:13.686000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": "66a088975199eb92770f74f8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "500 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66aba1d4ed0cf81e939c043e", "name": "CrowdStrike_Phishing_08012024", "description": "", "modified": "2024-08-01T14:55:16.771000", "created": "2024-08-01T14:55:16.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 553, "hostname": 2077, "URL": 1 }, "indicator_count": 2631, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "667 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a4003d51211a2e605d9e12", "name": "ACTIVIDAD MALICIOSA | Relacionada con Estafa de CrowdStrike 26-07-2024", "description": "Las principales v\u00edctimas de la estafa de CrowdStrike fueron los usuarios especialmente clientes del banco BBVA. Estas v\u00edctimas recibieron correos electr\u00f3nicos fraudulentos o visitaron sitios web falsos que se hac\u00edan pasar por portales leg\u00edtimos, como la Intranet del BBVA. Los afectados incluyeron tanto individuos como organizaciones que, al interactuar con estas falsas actualizaciones, expusieron sus sistemas a riesgos como el acceso remoto no autorizado, la p\u00e9rdida de datos y el robo de informaci\u00f3n sensible. Adem\u00e1s, usuarios desprevenidos fueron enga\u00f1ados para invertir en falsos tokens de criptomonedas, resultando en p\u00e9rdidas financieras.", "modified": "2024-07-26T19:59:57.009000", "created": "2024-07-26T19:59:57.009000", "tags": [ "crowdstrike", "combo cleaner", "windows", "remcos rat", "bbva", "rat remcos", "crowdstrike que", "tambin", "crowdstroke", "adems", "twitter", "muerte", "phishing" ], "references": [ "https://www.virustotal.com/graph/embed/gf25927984162454b9ba7b810cd1855ac7fd51788b4914ec4a9d61504d996f93a?theme=light", "https://www.alertasyseguridad.net/repositorio-ioc/", "https://www.pcrisk.es/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos - S0332", "display_name": "Remcos - S0332", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 19 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "673 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a088975199eb92770f74f8", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategies", "description": "", "modified": "2024-07-24T04:52:39.538000", "created": "2024-07-24T04:52:39.538000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": "669e8accb2936756bfb3e020", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "676 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669f3f3003bd2384d0f9ad12", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategies", "description": "", "modified": "2024-07-23T05:27:12.394000", "created": "2024-07-23T05:27:12.394000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": "669e8accb2936756bfb3e020", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 189, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e9604e551893c66beaba6", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategy (Cloned)", "description": "On July 19th, 2024, a faulty update from CrowdStrike caused kernel instability and Blue Screen of Death (BSOD) loops on millions of Windows devices worldwide, leading to major disruptions across industries. While affected parties work on remediation, threat actors are exploiting the situation through phishing, malicious domains, and fake 'hotfixes'. SentinelOne's Live Security Updates operate in isolated user-mode space, avoiding kernel impacts, and undergo rigorous testing before release, mitigating such risks.", "modified": "2024-07-22T17:25:24.227000", "created": "2024-07-22T17:25:24.227000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/", "https://otx.alienvault.com/pulse/669e8accb2936756bfb3e020 (I Cloned Alienvault)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e2c69d92e9ddf3364a8ac", "name": "Crowdstrike Phishing Domains - JustPaste.it", "description": "Crowdstrike Phishing Domains are being found actively in the wild \nSome of the domains targeted by hackers were registered 2-3 days back.", "modified": "2024-07-22T09:54:49.171000", "created": "2024-07-22T09:54:49.171000", "tags": [ "domains", "crowdstrike", "follow", "osint", "privacy", "blog", "phishing" ], "references": [ "https://justpaste.it/du8fx", "https://x.com/RakeshKrish12/status/1815323217906847980" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 103, "hostname": 6 }, "indicator_count": 109, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "678 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/embed/gf25927984162454b9ba7b810cd1855ac7fd51788b4914ec4a9d61504d996f93a?theme=light", "https://www.alertasyseguridad.net/repositorio-ioc/", "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/", "https://justpaste.it/du8fx", "https://x.com/RakeshKrish12/status/1815323217906847980", "https://otx.alienvault.com/pulse/669e8accb2936756bfb3e020 (I Cloned Alienvault)", "https://www.pcrisk.es/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Remcos - s0332" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "669e8accb2936756bfb3e020", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategies", "description": "On July 19th, 2024, a faulty update from CrowdStrike caused kernel instability and Blue Screen of Death (BSOD) loops on millions of Windows devices worldwide, leading to major disruptions across industries. While affected parties work on remediation, threat actors are exploiting the situation through phishing, malicious domains, and fake 'hotfixes'. SentinelOne's Live Security Updates operate in isolated user-mode space, avoiding kernel impacts, and undergo rigorous testing before release, mitigating such risks.", "modified": "2024-07-22T16:41:01.279000", "created": "2024-07-22T16:37:32.971000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2183, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386538, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6788c2a595b9414b3bd8621d", "name": "CrowdStrike Global Outage \u2013 Threat Actor Activity and Risk Mitigation Strategies", "description": "", "modified": "2025-01-16T08:26:13.686000", "created": "2025-01-16T08:26:13.686000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": "66a088975199eb92770f74f8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "500 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66aba1d4ed0cf81e939c043e", "name": "CrowdStrike_Phishing_08012024", "description": "", "modified": "2024-08-01T14:55:16.771000", "created": "2024-08-01T14:55:16.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 553, "hostname": 2077, "URL": 1 }, "indicator_count": 2631, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "667 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a4003d51211a2e605d9e12", "name": "ACTIVIDAD MALICIOSA | Relacionada con Estafa de CrowdStrike 26-07-2024", "description": "Las principales v\u00edctimas de la estafa de CrowdStrike fueron los usuarios especialmente clientes del banco BBVA. Estas v\u00edctimas recibieron correos electr\u00f3nicos fraudulentos o visitaron sitios web falsos que se hac\u00edan pasar por portales leg\u00edtimos, como la Intranet del BBVA. Los afectados incluyeron tanto individuos como organizaciones que, al interactuar con estas falsas actualizaciones, expusieron sus sistemas a riesgos como el acceso remoto no autorizado, la p\u00e9rdida de datos y el robo de informaci\u00f3n sensible. Adem\u00e1s, usuarios desprevenidos fueron enga\u00f1ados para invertir en falsos tokens de criptomonedas, resultando en p\u00e9rdidas financieras.", "modified": "2024-07-26T19:59:57.009000", "created": "2024-07-26T19:59:57.009000", "tags": [ "crowdstrike", "combo cleaner", "windows", "remcos rat", "bbva", "rat remcos", "crowdstrike que", "tambin", "crowdstroke", "adems", "twitter", "muerte", "phishing" ], "references": [ "https://www.virustotal.com/graph/embed/gf25927984162454b9ba7b810cd1855ac7fd51788b4914ec4a9d61504d996f93a?theme=light", "https://www.alertasyseguridad.net/repositorio-ioc/", "https://www.pcrisk.es/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos - S0332", "display_name": "Remcos - S0332", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 19 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "673 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a088975199eb92770f74f8", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategies", "description": "", "modified": "2024-07-24T04:52:39.538000", "created": "2024-07-24T04:52:39.538000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": "669e8accb2936756bfb3e020", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "676 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669f3f3003bd2384d0f9ad12", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategies", "description": "", "modified": "2024-07-23T05:27:12.394000", "created": "2024-07-23T05:27:12.394000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": "669e8accb2936756bfb3e020", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 189, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e9604e551893c66beaba6", "name": "Global Outage - Threat Actor Activity and Risk Mitigation Strategy (Cloned)", "description": "On July 19th, 2024, a faulty update from CrowdStrike caused kernel instability and Blue Screen of Death (BSOD) loops on millions of Windows devices worldwide, leading to major disruptions across industries. While affected parties work on remediation, threat actors are exploiting the situation through phishing, malicious domains, and fake 'hotfixes'. SentinelOne's Live Security Updates operate in isolated user-mode space, avoiding kernel impacts, and undergo rigorous testing before release, mitigating such risks.", "modified": "2024-07-22T17:25:24.227000", "created": "2024-07-22T17:25:24.227000", "tags": [ "crowdstrike", "bsod" ], "references": [ "https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/", "https://otx.alienvault.com/pulse/669e8accb2936756bfb3e020 (I Cloned Alienvault)" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1487", "name": "Disk Structure Wipe", "display_name": "T1487 - Disk Structure Wipe" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 24, "hostname": 5 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "crowdstrike.blue", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "crowdstrike.blue", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780237823.3899589 }