Written by: Avi Desai
CrowdStrike’s Global IT Outage: Impact, Recovery & Security Implications
Key Takeaways:
- A faulty CrowdStrike update led to widespread system errors and boot loops on July 18, 2024.
- CrowdStrike rolled back the problematic update and Microsoft released a recovery tool with two recovery options.
- The incident underscores the importance of regularly testing and updating disaster recovery strategies.
- Organizations must stay alert for cyber threats and bad actors posing as CrowdStrike support and be cautious of phishing attempts.
Global IT Outage Linked to Faulty CrowdStrike Update
On July 18, 2024, a global IT outage occurred due to a faulty update issued on July 9, 2024, by CrowdStrike, a leading cybersecurity vendor. The update caused widespread “blue screen of death” errors and constant “boot loops” across millions of Windows machines, as the CrowdStrike update conflicted with existing Windows configurations.
Remediation Efforts
The update contained “a single file that drives some additional logic on how [CrowdStrike] looks for bad actors,” as stated by CrowdStrike CEO George Kurtz. CrowdStrike confirmed the issue was not due to a cyberattack or a display of malicious intent, rolled back the problematic file, and released a new file along with detailed remediation instructions on their website.
Channel files on a Windows system can be found in the following directory:
- C:\Windows\System32\drivers\CrowdStrike\
- File name starting with: C-00000291
- File name ending with: .sys
- This file was updated with the intent to target newly observed malicious named pipes in cyberattacks.
- The file starting with C-00000291 and with a timestamp of 2024-07-19 UTC or later is the reverted version of the file.
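The timestamp criterion above is easy to turn into a fleet-wide check. The script below is an added example (not from the original article or from CrowdStrike) that audits the channel file on a host that is up or already recovered; it assumes the directory and the 2024-07-19 UTC cut-off exactly as stated above, and the function name is hypothetical.

```powershell
# Added example (not from the original article or CrowdStrike): audit the
# C-00000291*.sys channel file against the timestamp criterion stated above.
# Assumes the directory and the 2024-07-19 UTC cut-off given in the text.
param(
    [string]$ChannelDir = 'C:\Windows\System32\drivers\CrowdStrike',
    [datetime]$FixedFrom = [datetime]::SpecifyKind([datetime]'2024-07-19', 'Utc')
)

function Get-ChannelFileStatus {
    param([string]$Dir, [datetime]$Threshold)

    if (-not (Test-Path -LiteralPath $Dir)) {
        return [pscustomobject]@{ File = $null; LastWriteUtc = $null; Status = 'SensorDirNotFound' }
    }

    $files = Get-ChildItem -LiteralPath $Dir -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue
    if (-not $files) {
        return [pscustomobject]@{ File = $null; LastWriteUtc = $null; Status = 'ChannelFileMissing' }
    }

    foreach ($f in $files) {
        # Compare in UTC, because the article's criterion is a UTC timestamp.
        # A file older than the cut-off is not the reverted version and should be investigated.
        $status = if ($f.LastWriteTimeUtc -ge $Threshold) { 'RevertedVersion' } else { 'OlderThanRevert' }
        [pscustomobject]@{
            File         = $f.FullName
            LastWriteUtc = $f.LastWriteTimeUtc
            Status       = $status
        }
    }
}

# Read-only report; no files are changed.
Get-ChannelFileStatus -Dir $ChannelDir -Threshold $FixedFrom | Format-Table -AutoSize
```

Run it through your remote management tooling after recovery to confirm every endpoint reports RevertedVersion; a host still boot-looping cannot run it, which is where the recovery options described next apply.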
In addition to the remediation posted on the CrowdStrike website, Microsoft released a free tool to help people recover from the faulty update. This tool offers two options:
- Recovery from the Windows PE recovery environment: boots the machine from a USB drive into Windows PE, accesses the computer's drive, and deletes the corrupt file automatically, without requiring local admin privileges.
- Recovery from Safe Mode (local admin rights required): intended for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown.
The Importance of Disaster Recovery & Redundancy Measures
The CrowdStrike incident highlights the urgent need for organizations to prioritize enhancing their disaster recovery plans to enable rapid system restoration and minimize downtime. This can be achieved through regular testing and updates of these plans. Additionally, implementing redundancy measures—such as backup systems and alternative workflows—can help prevent similar outages in the future and ensure that critical business functions continue to run even if primary systems fail.
Staying Vigilant Against Cybersecurity Threats
Recent cases indicate that organizations must remain vigilant for bad actors attempting to exploit the incident by posing as CrowdStrike Support and instructing customers to install malware on their workstations in an effort to “resolve” the issue. Given such attacks, it is crucial to be on high alert for phishing emails and phone calls, as attackers adapt their techniques to common security tools and look for ways around them.
Engaging a comprehensive cybersecurity team, like DenSecure, can help proactively address cybersecurity threats with advanced protection and response capabilities to safeguard your organization. Reach out to a member of our team today and explore our service offerings!