UPDATE: CrowdStrike Outage

It’s not all bad news

The biggest news hitting your inboxes today will undoubtedly be the CrowdStrike outage affecting Microsoft Windows users globally. It is playfully being referred to online as Blue Friday or the Blue Screen of Death (BSOD).

What happened?

If you’ve been living under a rock and have no idea what we’re talking about, CrowdStrike released an update to its Falcon Sensor which has resulted in a widespread outage, impacting many companies worldwide (the full extent of the impact is yet to be disclosed).

Reports from the BBC state the outage began at 18:00 ET (23:00 BST) on Thursday (18th July), impacting only Windows users. Symptoms include hosts experiencing a bugcheck/blue screen error related to the Falcon Sensor.


What’s the impact?

The impact has been unprecedented, affecting critical national infrastructure and bringing entire companies to a halt. Many people online have been questioning the vast global market share of a single technology company and highlighting the issues this outage has raised.

But an overlooked impact is the one on those on the frontline: the IT, security and infrastructure teams who must fix the problem.

The workaround released by CrowdStrike involves manual intervention:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Boot the host normally.
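The four steps above, scripted as an added example for teams who have to repeat them across many hosts. This is not CrowdStrike's own tooling; it simply locates and removes the file named in the workaround, and it assumes a PowerShell prompt is available on the affected host (for example in Safe Mode). The drive letter is a parameter because, when booted into the Recovery Environment, the offline Windows volume is not always mounted as C:. The script only reports what it finds unless `-Remove` is passed, so the first run is a dry run.

```powershell
# Added example, not CrowdStrike's own tooling: apply the published workaround
# (delete C-00000291*.sys under \Windows\System32\drivers\CrowdStrike) with a
# path check and a dry-run default, so the action is deliberate and auditable.
#
# Assumption: $SystemDrive is the letter of the affected Windows volume as seen
# from the current boot environment. In WinRE this may not be C:, so list the
# mounted drives first with: Get-PSDrive -PSProvider FileSystem
#
# Usage (dry run):   .\Remove-FalconChannelFile.ps1 -SystemDrive 'C:'
# Usage (delete):    .\Remove-FalconChannelFile.ps1 -SystemDrive 'C:' -Remove

param(
    [string]$SystemDrive = 'C:',
    [switch]$Remove
)

# Directory and filename pattern exactly as given in the CrowdStrike workaround.
$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291*.sys'

# Refuse to continue if the directory is not where we expect it; a wrong drive
# letter in WinRE is the most likely reason.
if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    Write-Error "Directory not found: $driverDir. Check the drive letter with Get-PSDrive -PSProvider FileSystem."
    exit 1
}

# Collect only regular files that match the pattern; @() keeps .Count valid
# when there is exactly one match.
$candidates = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File -ErrorAction Stop)

if ($candidates.Count -eq 0) {
    Write-Output "No files matching $pattern in $driverDir; nothing to do."
    exit 0
}

foreach ($file in $candidates) {
    # Log name, size and timestamp before acting so the change can be reviewed later.
    Write-Output ("{0}  {1} bytes  modified {2:u}" -f $file.FullName, $file.Length, $file.LastWriteTime)

    if ($Remove) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Output "Removed $($file.FullName)"
    } else {
        Write-Output "Dry run: would remove $($file.FullName) (re-run with -Remove to delete)"
    }
}

# After a successful -Remove run, reboot the host normally (step 4 above).
```

Running the dry run first costs one extra command but confirms the drive letter and the exact file before anything is deleted, which matters when the same steps are being repeated under time pressure on a large fleet.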

This is not carried out by CrowdStrike’s own teams and resources, but by the 10K+ IT staff working in the impacted companies, and the manual nature of the fix means the work will inevitably carry over into the weekend. Our empathy and solidarity go out to these teams; scenarios of this nature are always stressful, and there will be pressure to get the fix implemented as quickly as possible.

The frustration and the lessons

Understandably, many social media users, some affected by the outage and some not, have called out CrowdStrike over this outage, raising questions such as:

  • What happened to testing patches before deployment into critical systems? 
  • How can an organisation this large and this trusted get it so wrong? 
  • Will this lead to companies avoiding patches in the future and putting them at greater risk of an attack?


But the truth is there are still some positives we can take away from this… 


  1. This is not a cyber attack: All of the businesses impacted (apart from maybe CrowdStrike – sorry guys) have not suffered reputational damage or large fines due to data breaches. 
  2. A chance to improve DR plans: This gives companies a great opportunity to test and update their disaster recovery plans, inevitably making them more resilient to cyber threats. 
  3. Supply chain risk will now be fully understood: As a CISO or cyber security risk owner, your board will now understand the impact of supply chain collapse and will take your concerns and comments seriously (if they did not before). 
  4. This is less likely to happen again soon (we hope): Major tech companies will be bringing their A-game to software testing, so there is little need to distrust future patches.

Concerns and recommendations

Although this is not a cyber-attack, the CrowdStrike outage plays into the hands of attackers. Incidents of this type result in panic, misinformation and people having their guard down.

What could a fast-thinking threat actor do right now? 

  • Send phishing emails to affected companies, posing as CrowdStrike and claiming to have another update, with a phishing link.
  • Send phishing emails posing as a trusted senior member of the team, making an urgent request or sharing an update which contains a phishing link.
  • Use vishing (voice phishing) and social engineering techniques, pretending to be a member of tech support offering assistance to fix a user’s device.

Recommendations

  • Trust but validate: With the above in mind, affected companies should ensure they communicate the steps they are taking to resolve the issue, and from whom (if anyone) employees can expect to receive instructions.
  • If you’ve not rebooted, don’t: e2e-assure’s advice is that if you’re running CrowdStrike right now and you haven’t rebooted, do not reboot. That’s the first step; then stop anything else that is going to reboot the system, because when the system reboots it will load the broken driver and the machine will crash.
  • Keep up to date with CrowdStrike’s latest updates through the customer support portal, and validate the identity behind any action or installation requests.


As we approach the end of the first 24 hours of this IT outage, we are certain there will be further updates to come. In the meantime, we send our best wishes to those impacted and to the teams involved in the fixes, and as we learn more we will continue to share our advice.

In the meantime, if you are not an e2e-assure customer but require support, please reach out to our team at info@e2e-assure.com

Impacted by the CrowdStrike outage?

Our team is ready to support where we can; if you need the advice of a trusted specialist, contact our team today.