31. 07. 2024 Mirko Ioris SEC4U, SOCnews

July 19 – The Day Cyber Security Almost Caused a Global IT Blackout

On Friday morning, July 19th, a major computer outage caused problems on Windows computers all over the world. There were delays and flight cancellations at several airports, and malfunctions in the computer systems of banks, shops, hospitals and the media. The IT blackout was caused by a faulty update released for Falcon Sensor, the EDR agent developed by the security firm CrowdStrike.

CrowdStrike is a well-known cybersecurity company, and its IT security products are among those most widely used by large companies and corporations in the public and private sector. Their Falcon Sensor software is deployed on large numbers of endpoints, and its job is to protect them from malware by detecting and removing potential threats. An automatic software update for the Falcon Sensor was released on Friday night and turned out to be faulty, triggering a bug in the Windows OS and crashing every machine on which it was installed.

The protection against malware has now become the malware.

Impacted Devices

Microsoft estimated that the CrowdStrike update affected 8.5 million Windows devices, less than one percent of all Windows computers. Mac and Linux hosts were not impacted. While only a small fraction of Internet devices were affected, the widespread economic and societal impact reflects the use of CrowdStrike by organizations running many critical services.

In more detail, devices running Falcon Sensor for Windows version 7.11 and above, and that were online at the time the faulty update was released, may be impacted and susceptible to a system crash.

How to Avoid a Similar Scenario

The issue lies in update management, as it appears the new version was not tested enough by CrowdStrike developers. To prevent a similar scenario from recurring, there are some best practices every company that deploys software should follow:

  • Thorough Testing: Ensuring all updates undergo rigorous testing in diverse environments to catch potential issues before deployment in production.
  • Gradual Rollout: Implementing phased rollouts to minimize widespread impact and allow for quick rollback if issues arise.
  • Backup and Recovery: Maintaining robust backup systems and disaster recovery plans to restore services in case of faulty updates.
  • Communication: Establishing clear communication channels to inform stakeholders promptly about issues and resolution timelines.
  • Incident Response: Strengthening incident response teams and protocols to handle crises effectively and reduce downtime.

The cybersecurity company is aware of the outage and has posted updates in an official statement. The issue was identified and is now fixed, but the damage it caused to business processes globally was dramatic. This event is one of the most significant IT issues of 2024 so far, and as a result CrowdStrike suffered an initial 15% drop in the stock market, a decline that has since reached -40% compared to the beginning of July.

Phishing Risk

The crash of Windows computers was attributed solely to the faulty update, and there was no indication of a cyber attack. Nevertheless, threat actors quickly began exploiting the initial panic to carry out malicious activities. Posing as CrowdStrike customer support or as independent researchers, they contacted affected customers by phone or email, offering bogus remediation advice or scripts for automated system recovery, with the aim of stealing sensitive data.

CrowdStrike identified and published a list of newly registered domains created by third parties to conduct social engineering activities targeting CrowdStrike customers.


We suggest you check whether the hosts of your internal network have communicated with one of these domains, as they may have been involved in a phishing campaign.
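One way to run that check, as an added example that is not part of the original post: a small Python script that refangs a defanged IoC list (the "[.]" notation used in CrowdStrike's published list), normalises DNS query logs, and reports every internal client that resolved one of the domains or a subdomain of it. The IoC entries and log lines below are constructed placeholders, not the real domains from the advisory.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged indicators in the same "[.]" notation as the published list.
# Constructed placeholders for this example, not the real advisory domains.
DEFANGED_IOCS = [
    "vendor-bsod-fix[.]example",
    "www.vendor-helpdesk[.]example",
    "vendorfix[.]zip",
]

# Constructed syslog-style DNS query lines, not taken from any real resolver.
SAMPLE_DNS_LOG = """\
2024-07-19T09:14:02Z dns01 query: client=10.0.4.17 qname=portal.intranet.example type=A
2024-07-19T09:15:40Z dns01 query: client=10.0.4.23 qname=vendor-bsod-fix.example type=A
2024-07-19T09:16:11Z dns01 query: client=10.0.4.23 qname=cdn.vendor-bsod-fix.example type=A
2024-07-19T09:17:55Z dns01 query: client=10.0.7.9 qname=VENDORFIX.ZIP. type=A
2024-07-19T09:18:30Z dns01 query: client=10.0.4.40 qname=vendor-helpdesk.example type=AAAA
"""

QNAME_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")

def refang(indicator: str) -> str:
    """Turn 'www.foo[.]com' into 'foo.com': undo defanging, drop a leading www."""
    host = indicator.replace("[.]", ".").strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def normalise_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot that resolvers log on FQDNs."""
    return qname.strip().lower().rstrip(".")

def matches_ioc(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IoC domain if qname equals it or is a subdomain of it."""
    host = normalise_qname(qname)
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def find_hits(log_text: str, defanged: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client, qname, matched_ioc) for every hit."""
    iocs = sorted({refang(i) for i in defanged})
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        ioc = matches_ioc(m["qname"], iocs) if m else None
        if ioc:
            hits.append((m["client"], normalise_qname(m["qname"]), ioc))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in find_hits(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print(f"{client} resolved {qname} (matches IoC {ioc})")
```

The suffix match matters because lookalike campaigns often serve content from subdomains of the registered domain, and the trailing-dot handling avoids missing FQDN-style resolver logs.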

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Mirko Ioris

Technical Consultant - Cyber Security Team | Würth Phoenix
