31. 07. 2024 Mirko Ioris SEC4U, SOCnews

July 19 – The Day Cyber Security Almost Caused a Global IT Blackout

On Friday morning, July 19th, a major computer outage caused problems in Microsoft computers all over the world. There were delays and flight cancellations at several airports, and malfunctions in the computer systems of banks, shops, hospitals and the media. The IT blackout was caused by a faulty update released for Falcon Sensor, the EDR agent developed by the security firm CrowdStrike.

CrowdStrike is a well-known cybersecurity company, and its IT security products are among those most widely used by large companies and corporations in the public and private sector. Their Falcon Sensor software is deployed on multiple end-user devices and its job is to protect endpoints from malware by removing potential threats. An automatic software update for the Falcon Sensor was released on Friday night and turned out to be faulty, triggering a bug in the Windows OS and causing the crash of any machine on which it was installed.

The protection against malware has now become the malware.

Impacted Devices

Microsoft estimated that the CrowdStrike update affected 8.5 million Windows devices, less than one percent of all Windows computers. Mac and Linux hosts were not impacted. While only a small fraction of Internet devices were affected, the widespread economic and societal impact reflects the use of CrowdStrike by organizations running many critical services.

In more detail, devices running Falcon Sensor for Windows version 7.11 and above, and that were online at the time the faulty update was released, may be impacted and susceptible to a system crash.

How to Avoid a Similar Scenario

The issue lays in the update management, as it appears the new version wasn’t tested enough by CrowdStrike developers. To mitigate a similar scenario from happening again in the future, there are some best practices every company that deploys software should follow:

  • Thorough Testing: Ensuring all updates undergo rigorous testing in diverse environments to catch potential issues before deployment in production.
  • Gradual Rollout: Implementing phased rollouts to minimize widespread impact and allow for quick rollback if issues arise.
  • Backup and Recovery: Maintaining robust backup systems and disaster recovery plans to restore services in case of faulty updates.
  • Communication: Establishing clear communication channels to inform stakeholders promptly about issues and resolution timelines.
  • Incident Response: Strengthening incident response teams and protocols to handle crises effectively and reduce downtime.

The cybersecurity company is aware of the outage and has posted updates in an official statement. The issue was identified and is now fixed, but the damage it caused to business processes globally was dramatic. This event is one of the most significant IT issues of 2024 so far, and as a result CrowdStrike suffered an initial 15% drop in the stock market, which has now reached -40% compared to the beginning of July.

Phishing Risk

The crash of Windows computers was attributed only to the faulty update and there was no risk of a cyber attack. But in any event, threat actors started exploiting the initial panic to carry out malicious activities. Posing as CrowdStrike customer support or as independent researchers, they contacted affected customers by phone or email, offering bogus remediation insights or scripts for automated system recovery, with the aim of stealing sensitive data.

CrowdStrike identified newly registered domains created by third parties to conduct social engineering activities towards Crowdstrike customers. The list is here provided:

crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeodayl[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com

We suggest you check whether the hosts of your internal network have communicated with one of these domains, as they may have been involved in a phishing campaign.

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Mirko Ioris

Mirko Ioris

Technical Consultant - Cyber Security Team | Würth Phoenix

Author

Mirko Ioris

Technical Consultant - Cyber Security Team | Würth Phoenix

Latest posts by Mirko Ioris

30. 06. 2024 SOCnews
SOC News | June 30 – TeamViewer Victim of a Security Breach
24. 05. 2024 SOCnews
SOC News | May 24 – Patch This Veeam Critical Vulnerability Now
16. 05. 2024 SOCnews
SOC News | May 16 – Data stolen from SYNLAB published on the Dark Web
30. 04. 2024 SOCnews
SOC News | Apr 30 – New Cyber Attacker Groups Detected
26. 04. 2024 SOCnews
SOC News | Apr 26 – ArcaneDoor: A New Espionage Campaign
See All

Related Content

Tags: , ,

05. 08. 2024 Artificial Intelligence, Offensive Security, Red Team

Exploiting the Matrix: Offensive Techniques for Attacking AI Models

There's no way around it: Artificial Intelligence is reshaping our world in profound ways, and it's here to stay. In recent years we’ve entered a golden age for specialized hardware and algorithms suited to enhance machine learning models. These technologies Read More
15. 03. 2024 Blue Team, SEC4U

SATAYO and SOC: in the New Midlands

This article explains how the Cyber Threat Intelligence platform SATAYO serves as a powerful resource to optimize processes and strengthen threat coverage within the Würth Phoenix Attacker Centric SOC. We will analyze the utilization of SATAYO's internal resources for creating Read More
04. 01. 2024 Blue Team, SEC4U

Hacker Group Activities and Cyber Security Concerns | Second Semester 2023

A Security Operation Center (SOC) is a service where the customer is an active participant. Establishing a good relationship with the customer is an important requirement for handling security incidents more efficiently. Our SOC analysts produce and deliver several reports, Read More
11. 12. 2023 Events

WPCTF 2023: Our Journey in Organizing a Capture The Flag Event

On November 25th, in collaboration with the universities of Verona, Padova, Trento, and Bolzano, we hosted the WPCTF event—a thrilling Capture The Flag (CTF) competition that engaged over 50 cybersecurity enthusiasts. In this blog post, we'll explore into our journey Read More
26. 10. 2023 Blue Team, SEC4U

From Chaos to Case: How SLAs Make Life Better!

One of the primary responsibilities of a Security Operation Center (SOC) is to effectively manage issues related to monitoring the security perimeter. This involves the meticulous analysis of alerts, the creation of subsequent cases, and if necessary, the escalation of Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive