Most are now aware of the CrowdStrike outage and its global impact on various organizations. Currently, threat actors are attempting to exploit this situation. Over the weekend, CrowdStrike released updated remediation steps for specific environments. Microsoft has also provided remediation solutions and their response to the outage in a blog post.
CrowdStrike
This weekend, CrowdStrike released technical details regarding the outage. On July 19, 2024, CrowdStrike released a sensor configuration update for Windows systems as part of its routine operations. These updates are essential for the Falcon platform's protection mechanisms. However, this particular update caused a logic error that led to system crashes and blue screens (BSOD) on affected systems.
Customers using Falcon sensor for Windows version 7.11 and above, who were online between 04:09 UTC and 05:27 UTC on July 19, 2024, may have been affected by this issue. The faulty update involved a Channel File named 291, located in the directory C:\Windows\System32\drivers\CrowdStrike\, which controls how Falcon evaluates named pipe execution on Windows systems. The update, which counters newly observed malicious named pipes used in cyberattacks, inadvertently caused an operating system crash due to a logic error. Systems running Linux or macOS were not impacted.
CrowdStrike has since corrected the issue, ensuring no further changes to Channel File 291 beyond the necessary logic update. Please see CrowdStrike’s advisory for updates on remediation steps.
Microsoft
Microsoft published a blog post estimating that the outage affected 8.5 million Windows devices. The company also noted that this number makes up less than one percent of all Windows machines. Microsoft also detailed how they are helping their customers through the CrowdStrike outage. Those details include:
As previously mentioned, threat actors are attempting to exploit the CrowdStrike outage and have created spoofed CrowdStrike domains, as well as spoofed hostnames. Please remain vigilant and be on the lookout for the following indicators of compromise:
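One way to watch for the spoofed domains and hostnames described above is to scan DNS query logs for names that carry the brand string but do not resolve under the vendor's real registrable domain. The script below is an added example written for this advisory, not Avertium's or CrowdStrike's tooling; the log lines are constructed (BIND-style query-log format), the allowlist holds only crowdstrike.com as an assumption, and the spoofed names in the sample are ones this advisory lists.

```python
import re
from typing import Dict, List

# Registrable domains allowed to carry the brand name (assumption: extend for your own vendors).
ALLOWLIST = {"crowdstrike.com"}
# Brand strings that recur in the spoofed registrations.
KEYWORDS = ("crowdstrike", "crowdfalcon", "crowdstuck")

# Constructed BIND-style query-log sample (not real telemetry); spoofed names are from the advisory.
SAMPLE_LOG = """\
19-Jul-2024 14:02:11.123 client 10.0.0.5#51234: query: falcon.crowdstrike.com IN A + (10.0.0.1)
19-Jul-2024 14:02:15.456 client 10.0.0.7#51235: query: crowdstrikefix.com IN A + (10.0.0.1)
19-Jul-2024 14:03:01.789 client 10.0.0.9#51236: query: crowdstrike.phpartners.org IN A + (10.0.0.1)
19-Jul-2024 14:03:09.001 client 10.0.0.5#51237: query: fix-crowdstrike-bsod.com IN A + (10.0.0.1)
19-Jul-2024 14:03:12.002 client 10.0.0.8#51238: query: www.example.com IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def normalize(name: str) -> str:
    """Lower-case, un-defang "[.]" to ".", and drop a trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")

def registrable_domain(name: str) -> str:
    """Last two labels. Caveat: multi-part suffixes such as co.uk need a public-suffix list."""
    return ".".join(normalize(name).split(".")[-2:])

def is_lookalike(name: str) -> bool:
    """Brand string anywhere in the name while the registrable domain is not an allowed one.
    Catches spoofed registrations (crowdstrikefix.com) and brand-named hostnames under
    unrelated domains (crowdstrike.phpartners.org) alike."""
    norm = normalize(name)
    return any(k in norm for k in KEYWORDS) and registrable_domain(norm) not in ALLOWLIST

def scan_log(text: str) -> List[Dict[str, str]]:
    """One record per query line whose name is a lookalike: who asked, for what."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_lookalike(m.group("qname")):
            qname = normalize(m.group("qname"))
            hits.append({"client": m.group("client"), "qname": qname,
                         "registrable": registrable_domain(qname)})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} looked up {hit['qname']} (registrable: {hit['registrable']})")
```

Feed it your resolver's query log instead of SAMPLE_LOG; each hit gives the internal client to follow up on, not just the domain.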
As always, Avertium is here to support our customers and ensure they are secure during this time. Updates regarding the outage can be found in CrowdStrike’s advisory. If you have any questions about the CrowdStrike outage, please contact your Account Executive or Service Delivery Manager.
Overview
What is Happening?
Avertium is aware of a global IT outage affecting numerous sectors, including banks, airports, healthcare, and media. So far, we know that this outage has been traced to a software update from cybersecurity company CrowdStrike.
The disruption began in the early hours of Friday, July 19, when devices running Microsoft Windows started displaying Blue Screens of Death (BSODs). Reports of issues quickly spread from Australia to the UK, India, Germany, the Netherlands, and the US.
The outage has grounded flights, disrupted TV broadcasts, and impacted healthcare services. Key affected sectors include airlines, with United, Delta, and American Airlines issuing a global ground stop.
What Caused it?
CrowdStrike engineers found a defect in a content update for Windows hosts, which has since been isolated. The issue is not a security incident or cyberattack. CrowdStrike CEO George Kurtz confirmed the defect and stated that a fix has been deployed. The issue does not impact Mac or Linux systems.
Why Did it Happen?
From Avertium’s perspective, this situation could be a case of an error in the software development process, where new code wasn't properly tested before being released into production.
This situation highlights the fact that no software solution is perfect on its own. Having experts oversee and coordinate with technology is essential. Security partnerships, like those Avertium offers, enhance security over time, regardless of the latest tools or trends.
How Does this Impact Avertium’s Customers and What is Avertium Doing?
Although Avertium is NOT a CrowdStrike partner and DOES NOT work directly with their software, our Cyber Fusion Centers are fully operational and continue to protect our customers. Avertium’s priority is to ensure you have the support you need during this time. If you have any questions about the CrowdStrike outage, please contact your Account Executive or Service Delivery Manager.
What Can I Do to Help Keep My Organization Safe?
During this period of disruption, there is an increased likelihood that malicious actors may attempt to exploit the situation. They often take advantage of such moments when attention is divided to carry out their activities. Here are a few ways you can help keep your organization safe:
CrowdStrike Engineering has identified a content deployment related to the outage issue and reverted those changes. Please see the following workaround steps:
Please Note: BitLocker-encrypted hosts may require a recovery key.
CrowdStrike also has workaround steps for public cloud or similar environments, including virtual machines:
Option 1:
Option 2:
Updates regarding the outage can be found in CrowdStrike’s advisory.
SUPPORTING DOCUMENTATION
Statement on Falcon Content Update for Windows Hosts - crowdstrike.com
Huge Microsoft Outage Linked to CrowdStrike Takes Down Computers Around the World | WIRED
What is Crowdstrike and how is it linked to the global outage? | CNN Business
Microsoft and CrowdStrike Outage Explained: Airport Chaos, 911 Lines Down and More - CNET