Investigating Sinkhole Domains Linked to the CrowdStrike Update

Last week on my blog about CrowdStrike phishing threats, I listed newly registered malicious domains that admins should add to their mail server block lists. Today, I want to discuss another critical aspect: sinkhole domains. Two of these domains have recently been registered and are potentially connected to the same cyber event. 

What Are Sinkhole Domains? 

Sinkhole domains are a powerful tool used in cybersecurity. They are domains set up to intercept and redirect malicious traffic, preventing it from reaching its intended destination. This technique allows security researchers to monitor and analyze the behavior of malware and malicious activities.

Recent Registrations - CrowdStrike-Related Sinkhole Domains

Two notable sinkhole domains recently registered include:

'sinkholed845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com'
'sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com'

These domains might seem innocuous at first glance, but they play a significant role in the ongoing cyber threat landscape.

How Are Sinkhole Domains Used?

By Security Researchers

• Incident Response
  During an incident, researchers can use sinkhole domains to divert malicious traffic, preventing further damage and gathering valuable intelligence
• Threat Analysis
  These domains help in analyzing the spread and behavior of malware, providing insights that can improve defensive measures

By Attackers

• Deception
  Malicious actors might use domains resembling legitimate ones to re-establish control over compromised systems
• Monitoring
  Attackers can track the movement and communication of compromised devices, refining their attacks based on this data

Why These Domains Matter Now

In the wake of the recent CrowdStrike Falcon update that inadvertently caused Windows machines to enter a boot loop, attackers are quick to exploit the chaos. Registering domains that seem related to updates or security measures can easily deceive users and systems looking for fixes or patches.

What Should You Do?

1. Add to Security Stack
   Ensure sinkhole domains are added to your firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security devices
2. Monitor Traffic
   Set up monitoring to detect any attempts to connect to these domains. Investigate any such activity as it could indicate compromised systems
3. Stay Informed
   Keep abreast of the latest developments in this ongoing situation. Regular updates to blocklists and continuous monitoring are crucial.
4. Understand Sinkhole Operators
   Without knowing the operator of a sinkhole domain, you can't be sure if it's set up by a security professional capable of mitigation or by someone with malicious intent. If you see sinkholes in your logs/alerts, investigate further to understand their impact on your environment.

By understanding and utilizing the concept of sinkhole domains, we can enhance our defenses and stay one step ahead of attackers. Stay vigilant and proactive in your cybersecurity measures.