EXECUTIVE OVERVIEW
A worldwide IT outage has impacted airlines, banks, broadcasters, and other sectors. The problem stems from a recent CrowdStrike update, leading to extensive system crashes and “Blue Screens of Death” (BSODs) on computers equipped with CrowdStrike security sensors [1].
TIMELINE
Approx. 05:20 (UTC), CrowdStrike issued a public advisory acknowledging widespread reports of BSODs occurring on Windows machines with CrowdStrike sensors installed.
06:27 (UTC), CrowdStrike identified the issue as being linked to a recent update affecting multiple CrowdStrike products. The update reportedly impacted a driver used by their sensors, causing affected operating systems to be unable to load the modified driver, which led to the BSODs.
09:45 (UTC), CrowdStrike published an advisory noting that they deployed a patch. They advised those who had yet to experience issues to update promptly to avoid further problems.
AFFECTED DEVICES
- Machines that were operational during the 04:09 UTC update
- Windows machines first started after 05:27 UTC should not be affected
RECOMMENDED ACTIONS
- If systems are boot cycling, follow the workaround steps outlined in CrowdStrike's blog.
- Monitoring CrowdStrike's blog for new updates is vital as this situation evolves.
PHISHING RISK
Phishing emails posing as CrowdStrike support are in circulation. CrowdStrike has stated that they will not send out unsolicited communications and that any such emails are malicious. Resilience security experts recommend the following high-level strategies:
Vigilance For Social Engineering
- Educate employees about phishing and social engineering tactics to prevent unauthorized access to their systems.
- Establish clear protocols for verifying the identity of individuals claiming to be from CrowdStrike or any of your third-party vendors.
Email Security
Email is the most commonly used vector to deliver malicious payloads to an end user. To secure your organization’s email platform:
- Filter unsolicited emails (SPAM).
- Implement DMARC to reduce the risk of spoofed or modified emails from valid domains.
- Disable macros.
As of today, suspicious domains have been registered or observed, and they may be leveraged in upcoming campaigns. These domains do not belong to CrowdStrike, and Resilience recommends block listing them in advance. View these domains on our GitHub.
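One way to operationalize the block list and the vendor-impersonation guidance above, as an added example that is not part of this advisory or of any Resilience or CrowdStrike tooling: triage the sender domain of inbound mail against a block list and a lookalike heuristic. The block-list entries and the "vendor tokens" below are constructed placeholders, and crowdstrike.com as the sole legitimate vendor domain is an assumption; the domain check is only trustworthy on mail that has already passed DMARC alignment, as the advisory recommends.

```python
import re
from email.utils import parseaddr

# Assumption: the vendor's only legitimate sending domain (and its subdomains).
LEGITIMATE_DOMAINS = {"crowdstrike.com"}
# Constructed placeholders standing in for the block list the advisory publishes on GitHub.
BLOCK_LIST = {"crowdstrike-support.example", "crowdstrikefix.example"}
# Constructed brand tokens used to catch lookalikes not yet on the block list.
VENDOR_TOKENS = ("crowdstrike", "crowd-strike", "crowdstrlke")

def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of an RFC 5322 From header value, or '' if none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def is_legitimate(domain: str) -> bool:
    """True only for the vendor domain itself or a subdomain of it (not 'crowdstrike.com.evil.example')."""
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)

def classify_sender(from_header: str) -> str:
    """Classify a From header as 'legitimate', 'blocked', 'lookalike' or 'other'."""
    domain = sender_domain(from_header)
    if not domain:
        return "other"
    if is_legitimate(domain):
        return "legitimate"
    if domain in BLOCK_LIST:
        return "blocked"
    # Drop separators so "crowd-strike-fix" and "crowd.strike" still match the brand token.
    flat = re.sub(r"[^a-z0-9]", "", domain)
    if any(re.sub(r"[^a-z0-9]", "", token) in flat for token in VENDOR_TOKENS):
        return "lookalike"
    return "other"

def triage(from_headers):
    """Return (header, verdict) pairs; anything not 'legitimate' or 'other' should be quarantined."""
    return [(h, classify_sender(h)) for h in from_headers]
```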