The global outage caused by a faulty update from CrowdStrike has led to significant disruptions for organizations worldwide. The workaround shared by CrowdStrike on Friday, July 19, appears to be effective in most cases, reducing the issues faced by organizations. CrowdStrike and Microsoft have provided tools to facilitate recovery. The National Cyber Security Centre (NCSC) continues to monitor the situation and shares updates via its website[1].
TL;DR: Quick Facts About the CrowdStrike Outage
- Cause: A defect in an update of the CrowdStrike agent for Windows systems.
- Impact: Only Windows systems affected; Linux and Mac systems were not impacted.
- Workaround: Manual intervention required to resolve the issue.
- Tools: Microsoft and CrowdStrike have released recovery tools.
- Warning: Cybercriminals are exploiting the situation for phishing attacks.
What Happened?
The outage was caused by a defect in an update of the CrowdStrike agent, specifically targeting Windows systems. The update, rolled out on July 19, 2024, caused systems to enter a “loop crash,” displaying a blue screen (BSOD) for users. This issue only occurred on systems that came online before 05:27 UTC. Systems that came online later were not affected[2].
CrowdStrike responded quickly and shared a workaround that appears to be effective in most cases. However, this workaround requires manual intervention, which is labor-intensive and must be performed on each system. The NCSC has confirmed that the workaround works but warns of phishing attacks and malicious domains attempting to exploit the situation[3].
Technical Details and Workaround
The issues are caused by a specific file: C-00000291*.sys with a timestamp of ‘0409 UTC’. Versions of this file with a timestamp of ‘0527 UTC’ or later are good versions. For systems that have executed the update, CrowdStrike advises the following steps:
- Boot Windows in Safe Mode.
- Navigate to
C:\Windows\System32\drivers\CrowdStrikein Explorer. - Locate the file
C-00000291*.sys, right-click, and delete the file or rename it toC-00000291*.renamed. - Restart the system.
In some cases, a variant of the workaround is needed, especially for systems with BIOS storage set to ‘RAID’ or where Bitlocker is activated[4].
Tools and Recovery
Microsoft has released a new Recovery Tool to assist IT administrators in the recovery process. Additionally, CrowdStrike has provided an automated method, provided the customer can connect to the CrowdStrike cloud[5].
Warning for Phishing and Malicious Domains
The NCSC warns that cybercriminals are exploiting the situation by launching phishing attacks. It is crucial to communicate with CrowdStrike only through official channels and to verify web certificates when downloading software[6].
Relevance for the Target Audience
For Red Teamers and Blue Teamers, this situation provides insight into the vulnerabilities of automated updates and the importance of robust testing procedures. SOC Analysts should remain vigilant for phishing attempts and malicious domains exploiting the situation. System Administrators can use the released tools and workarounds to restore affected systems.
Conclusion
The global outage caused by CrowdStrike highlights the importance of careful update processes and the need for rapid response mechanisms. While recovery is well underway, vigilance remains necessary due to the risks of phishing and other forms of exploitation.
References
- Update wereldwijde storing Crowdstrike. NCSC. Retrieved 2024-07-24.
- Wereldwijde computerstoring na CrowdStrike-update. Digital Trust Center. Retrieved 2024-07-24.
- Crowdstrike-baas: oorzaak wereldwijde storing is gefixt. Computable.nl. Retrieved 2024-07-24.
- Wereldwijde Crowdstrike storing – (tijdelijke) oplossingen & updates. Infradax. Retrieved 2024-07-24.
- Update | Oplossing wereldwijde computerstoring gevonden: systemen starten langzaam weer op. BNR. Retrieved 2024-07-24.
- Wereldwijde computerstoring kwam door een foutje: ‘Onze oprechte excuses’. RTL. Retrieved 2024-07-24.
