Crowdstrike Outage Advisory

CrowdStrike outage

Background / What’s happened?

On July 19, 2024, at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error, resulting in a system crash and blue screen (BSOD) on impacted systems.

The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024, 05:27 UTC.

This issue is not the result of or related to a cyberattack.

Affected systems:

Systems running the Falcon sensor for Windows, version 7.11 and above, that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.

>Crowdstrike has confirmed the outage.
>Impacts Windows 10 and later systems.
>Systems running Linux or macOS do not use Channel File 291 and were not impacted.
>This is due to the CrowdStrike Falcon content update, not malicious cyber activity.

The issue has been identified and isolated, and a fix has been deployed. CrowdStrike customer organisations should refer to CrowdStrike guidance and their customer portal to resolve the issue.

Important Notes:

Cyber threat actors continue to leverage the outage to conduct malicious activity. Reports indicate that threat actors are conducting the following activities:

>Sending phishing emails posing as CrowdStrike support to customers
>Impersonating CrowdStrike staff in phone calls
>Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
>Selling scripts purporting to automate recovery from the content update issue

Threat actors have been distributing a malicious ZIP archive file. This activity appears to be targeting Latin America-based CrowdStrike customers. The associated blog post provides indicators of compromise and recommendations.

Several typosquatting domains impersonating CrowdStrike have also been observed.

Below is a list of domains identified on July 19, 2024, that impersonate CrowdStrike’s brand. Some domains in this list are not currently serving malicious content or could be intended to amplify negative sentiment. However, these sites may support future social-engineering operations.

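Defenders receiving a list like this can triage it mechanically rather than by eye. The Python below is an added example (not code from the advisory, Cybernetic GI or CrowdStrike): it refangs the `[.]` notation, allowlists the genuine domain, assumed here to be crowdstrike.com, and flags hostnames whose labels contain or closely resemble the brand; the sample indicators are constructed.

```python
"""Flag hostnames that impersonate the CrowdStrike brand. Added example, not part of
the advisory; assumes crowdstrike.com is the only genuine domain (sample is constructed)."""
BRAND = "crowdstrike"
LEGIT_DOMAINS = {"crowdstrike.com"}  # assumption: allowlist of genuine domains
MAX_EDITS = 2                        # tolerance for one- or two-character typosquats

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); fine for .com/.org/.info style TLDs."""
    return ".".join(host.split(".")[-2:])

def looks_like_brand(label: str) -> bool:
    """True if a label contains the brand or a window of it is within MAX_EDITS."""
    compact = label.replace("-", "")
    if BRAND in compact:
        return True
    n = len(BRAND)
    return any(edit_distance(compact[i:i + n], BRAND) <= MAX_EDITS
               for i in range(max(1, len(compact) - n + 1)))

def flag_impersonators(indicators: list[str]) -> list[str]:
    """Return hostnames that use the brand but are not under an allowlisted domain."""
    hits = []
    for ind in indicators:
        host = refang(ind)
        if registrable_domain(host) in LEGIT_DOMAINS:
            continue  # genuine CrowdStrike hostname, including its subdomains
        if any(looks_like_brand(lbl) for lbl in host.split(".")):
            hits.append(host)
    return hits

# Constructed sample in the defanged style the advisory uses (not real indicators)
SAMPLE = ["crowdstrike[.]com", "falcon.crowdstrike[.]com", "crowdstrike-fix[.]example",
          "crowdstrlke-helpdesk[.]example", "crowdstrike.partner-site[.]example",
          "windowsupdate[.]example"]
if __name__ == "__main__":
    print(flag_impersonators(SAMPLE))
```

Brand names that drop or reorder several letters fall outside the two-edit window and need an explicit keyword list; feed the output into your proxy or DNS block list only after a human review.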

Cybernetic GI urges organisations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity.

Mitigation: How do I stay secure?

CrowdStrike is actively working with customers impacted by the outage and has issued a statement on their blog. Affected customers should review and enact the remediation advice available on the CrowdStrike blog, which will be updated as the situation evolves.

CrowdStrike released technical details that provide:

1. A technical summary of the outage and its impact.
2. Information on how the update to the CrowdStrike Falcon sensor configuration file, Channel File 291, caused the logic error that led to the outage.
3. A discussion of the root cause analysis CrowdStrike is undertaking to determine how the logic error occurred.

Microsoft released a recovery tool that uses a USB drive to boot and repair affected systems. Microsoft also published a blog post that provides links to various remediation solutions and outlines their actions in response to the outage, which include working with CrowdStrike to expedite restoring services to disrupted systems. In the blog post, Microsoft estimates the outage affected 8.5 million Windows devices. Microsoft notes that this number makes up less than one percent of all Windows machines.

What Customers Should Do

Immediate Steps:

1. Reboot and Download Updates: Attempt to reboot the affected system to allow it to download the reverted channel file automatically.
2. Manual Fix in Safe Mode: Boot into Safe Mode or the Windows Recovery Environment, then log into the CrowdStrike portal and follow the fix instructions.

Note: Systems with BitLocker encryption may require the recovery key for this process.

This is not a cyberattack. Many systems will be back up and running now that CrowdStrike has applied a fix to rectify this issue.

Companies need to be on high alert, as a lot of remediation methodology is being emailed to customers on how to fix this outage.
Before applying any update or patch, IT managers and administrators need to ensure it was provided by the legitimate source, whether that is CrowdStrike or Microsoft.

Preventive Measures:

1. Disaster Recovery Plan: Ensure a robust disaster recovery plan is in place, including readily accessible BitLocker recovery keys and other critical information.
2. Update Management: Implement stringent patch management processes, including testing updates in a controlled environment before deployment.
3. Stay Informed: Monitor official communications from CrowdStrike for updates and follow their guidance promptly.

What Customers Should Avoid

Avoid panic and unverified sources.

1. Ignore Unverified Fixes: Be cautious of opportunistic phishing attempts and malicious websites offering fixes. Only follow instructions from CrowdStrike’s official channels or trusted partners.
2. Rushing Fixes Without Backup: Do not attempt fixes without ensuring you have appropriate backups and recovery options. This can prevent further complications and data loss.

By following these steps and maintaining vigilance, organisations can mitigate the impact of such incidents and strengthen their resilience against future disruptions.
