
CrowdStrike 2024 Threat Hunting Report

2024-08-07, CrowdStrike
https://crowdstrike.com/explore/crowdstrike-2024-threat-hunting-report/crowdstrike-2024-threat-hunting-report
crowdstrike-2024-threat-hunting-report.pdf, 21.0 MB
#FamousChollima #Trend #BeaverTail #InvisibleFerret #ITWorker

Contents

FAMOUS CHOLLIMA Insider Threats Target 100+ U.S.-Based Companies
In April 2024, CrowdStrike Services responded to the first of several incidents in which FAMOUS CHOLLIMA malicious insiders targeted more than 30 U.S.-based companies, including aerospace, defense, retail and technology organizations. The malicious insiders claimed to be U.S. residents and were hired in early 2023 for multiple remote IT positions.
Leveraging information from a single incident, CrowdStrike OverWatch quickly developed a scalable plan to hunt for this emerging insider threat and discovered more than 30 additional affected customers within two days. Threat hunters found that after obtaining employee-level access to victim networks, the insiders performed minimal tasks related to their job role. In some cases, the insiders also attempted to exfiltrate data using Git, SharePoint and OneDrive. Additionally, the insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels and Google Chrome Remote Desktop.
The insiders then leveraged these RMM tools in …