CYBERCRIMINALS EXPLOITING THE GLOBAL IT OUTAGE TO CONDUCT MALICIOUS ACTIVITIES

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2024-0032
Version:
N/A
CVE:
N/A
Published:
July 23, 2024

Summary

ngCERT is aware of the global IT outage affecting various services and platforms, resulting in widespread system crashes and the "blue screen of death" (BSOD). The outage resulted from a software update released for the CrowdStrike Falcon agent on Windows clients and servers. No impact was recorded for Mac and Linux users. The outage, estimated to have affected about 8.5 million users, disrupted many businesses and the daily routines of many individuals. Malicious actors are currently exploiting the incident to launch various attacks against CrowdStrike customers. Consequently, users are strongly advised to implement the latest security updates from CrowdStrike and Microsoft to address this critical issue.

Description & Consequence

A faulty CrowdStrike Falcon agent (sensor) update caused Windows machines running the solution to become unresponsive and fail to start. The outage affected on-premises systems and cloud platforms such as Microsoft 365, Windows, Azure and Amazon Web Services, as well as Windows hosts running Falcon sensor versions 7.15 and 7.16. It impacted sectors such as airlines, banking, trading, media companies and many more. It was confirmed that the disruption was not the result of a security incident or cyberattack; rather than a widespread cyberattack, the outage was caused by a defect in a Falcon content update for Windows hosts, which is why only Windows devices were affected. This incident underscores the need for constant vigilance, prompt action and robust cybersecurity measures in our increasingly interconnected digital world. Threat actors are leveraging the incident by registering phishing domains at mass scale to target unsuspecting end users, inflict damage and intrude on systems. Some of the domains identified as being used by threat actors to impersonate CrowdStrike are as follows:

  • crowdstrike.phpartners[.]org
  • crowdstrike0day[.]com
  • crowdstrikebluescreen[.]com
  • crowdstrike-bsod[.]com
  • crowdstrikeupdate[.]com
  • crowdstrikebsod[.]com
  • www.crowdstrike0day[.]com
  • www.fix-crowdstrike-bsod[.]com
  • crowdstrikeoutage[.]info
  • www.microsoftcrowdstrike[.]com
  • crowdstrikeodayl[.]com
  • crowdstrike[.]buzz
  • www.crowdstriketoken[.]com
  • www.crowdstrikefix[.]com
  • fix-crowdstrike-apocalypse[.]com
  • microsoftcrowdstrike[.]com
  • crowdstrikedoomsday[.]com
  • crowdstrikedown[.]com
  • whatiscrowdstrike[.]com
  • crowdstrike-helpdesk[.]com
  • crowdstrikefix[.]com
  • fix-crowdstrike-bsod[.]com
  • crowdstrikedown[.]site
  • crowdstuck[.]org
  • crowdfalcon-immed-update[.]com
  • crowdstriketoken[.]com
  • crowdstrikeclaim[.]com
  • crowdstrikeblueteam[.]com
  • crowdstrikefix[.]zip
  • crowdstrikereport[.]com
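As an added example for defenders (this script is not part of the ngCERT advisory and is not CrowdStrike tooling), the following PowerShell sweeps a DNS or proxy log export for queries to the domains listed above. The indicators are kept in their defanged `[.]` form and only refanged in memory; a hit is any hostname that equals a listed domain or is a subdomain of one. The sample log lines are constructed for the example, and the `<timestamp> <client> <hostname>` layout is an assumption: adjust the field split for your own log format.

```powershell
# Added example, not from the ngCERT advisory or CrowdStrike. Matches log
# hostnames against the advisory's impersonation domains (kept defanged here).
$DefangedIndicators = @(
    'crowdstrike.phpartners[.]org',
    'crowdstrike0day[.]com',
    'crowdstrikebluescreen[.]com',
    'crowdstrike-bsod[.]com',
    'crowdstrikeupdate[.]com',
    'crowdstrikebsod[.]com',
    'www.crowdstrike0day[.]com',
    'www.fix-crowdstrike-bsod[.]com',
    'crowdstrikeoutage[.]info',
    'www.microsoftcrowdstrike[.]com',
    'crowdstrikeodayl[.]com',
    'crowdstrike[.]buzz',
    'www.crowdstriketoken[.]com',
    'www.crowdstrikefix[.]com',
    'fix-crowdstrike-apocalypse[.]com',
    'microsoftcrowdstrike[.]com',
    'crowdstrikedoomsday[.]com',
    'crowdstrikedown[.]com',
    'whatiscrowdstrike[.]com',
    'crowdstrike-helpdesk[.]com',
    'crowdstrikefix[.]com',
    'fix-crowdstrike-bsod[.]com',
    'crowdstrikedown[.]site',
    'crowdstuck[.]org',
    'crowdfalcon-immed-update[.]com',
    'crowdstriketoken[.]com',
    'crowdstrikeclaim[.]com',
    'crowdstrikeblueteam[.]com',
    'crowdstrikefix[.]zip',
    'crowdstrikereport[.]com'
)

# Refang "[.]" to "." only in memory, lower-cased for comparison
$Indicators = $DefangedIndicators | ForEach-Object { $_.Replace('[.]', '.').ToLowerInvariant() }

function Test-ImpersonationDomain {
    # Returns the matched indicator, or $null if the hostname is clean.
    # A hit is an exact match or any subdomain of a listed domain.
    param([Parameter(Mandatory)][string]$Hostname)
    $h = $Hostname.TrimEnd('.').ToLowerInvariant()
    foreach ($ioc in $Indicators) {
        if ($h -eq $ioc -or $h.EndsWith(".$ioc")) { return $ioc }
    }
    return $null
}

function Find-ImpersonationHits {
    # Expects lines of "<timestamp> <client-ip> <queried-hostname>"; this
    # layout is an assumption for the example, adjust the split for real logs.
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $match = Test-ImpersonationDomain -Hostname $fields[2]
        if ($null -ne $match) {
            [pscustomobject]@{
                Timestamp = $fields[0]
                Client    = $fields[1]
                Hostname  = $fields[2]
                Indicator = $match
            }
        }
    }
}

# Constructed sample log lines for the example (not real traffic). Only the
# second and third lines should be reported: the last line merely contains
# "crowdstrike.com" inside an unrelated name and is not on the list.
$SampleLog = @'
2024-07-19T10:02:11Z 10.0.0.12 www.crowdstrike.com
2024-07-19T10:05:47Z 10.0.0.33 crowdstrikefix.com
2024-07-19T10:06:02Z 10.0.0.33 CDN.CrowdStrike0day.com.
2024-07-19T10:07:15Z 10.0.0.41 login.microsoftonline.com
2024-07-19T10:09:30Z 10.0.0.52 crowdstrike.com.evil.example
'@ -split "`r?`n"

Find-ImpersonationHits -LogLines $SampleLog | Format-Table -AutoSize
# Sweep a real export with: Find-ImpersonationHits -LogLines (Get-Content .\dns.log)
```

Matching on the full hostname (exact or subdomain) rather than a substring search is deliberate: a substring check for "crowdstrike" would flag legitimate CrowdStrike traffic and bury the real hits, while the list-based check only reports the registered lookalike domains the advisory names.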

Successful exploitation of the vulnerabilities could lead to:

  1. Data breaches.
  2. Harm to an organization's reputation.
  3. Financial loss.
  4. Ransomware attacks.
  5. Denial of Service (DoS) attack.

Solution

The following steps are recommended to mitigate the issue:

1.     Do not click any of the listed links, to avoid the consequences above.

2.     If you are affected by the outage, follow the mitigation process below:

  1. Start Windows in Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate the file matching “C-00000291*.sys” and delete it.
  4. Restart the device.
  5. In some cases, recovery requires a BitLocker recovery key. Users who are already affected are advised to recover their systems as follows:

i.   Microsoft Azure: https://www.crowdstrike.com/wp-content/uploads/2024/07/BitLocker-recovery-in-Microsoft-environments-using-SCCM-1.pdf

ii.   Microsoft Azure Virtual Machines (VM): https://techcommunity.microsoft.com/t5/azure-compute-blog/recovery-options-for-azure-virtual-machines-vm-affected-by/ba-p/4196798

3.     Adhere to technical guidance provided by CrowdStrike support teams.

4.     For any technical support, contact our Incident Handling Team at incident@cert.gov.ng.
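The manual steps above (Safe Mode or WinRE, the CrowdStrike driver directory, the C-00000291*.sys pattern, restart) can be scripted for an administrator who has many hosts to recover. The following PowerShell function is an added example, not CrowdStrike's or ngCERT's own tooling. It assumes an elevated PowerShell prompt in Safe Mode or WinRE; the drive letter parameter exists because inside WinRE the affected Windows volume is often not mounted as C:, and the backup folder name is a hypothetical choice of this example. Run it with -WhatIf first to preview what would be deleted.

```powershell
# Added example, not CrowdStrike's or ngCERT's own tooling. Run from an
# elevated PowerShell prompt in Safe Mode or WinRE. Assumptions: the OS volume
# letter (inside WinRE it is often not C:) and the backup folder name are
# this example's choices, not values from the advisory.
function Remove-FaultyChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SystemDrive = 'C',               # letter of the affected Windows volume
        [string]$Pattern     = 'C-00000291*.sys', # file pattern named in the advisory
        [string]$BackupDir                        # hypothetical copy location; defaults below
    )
    if (-not $BackupDir) { $BackupDir = "$($SystemDrive):\CrowdStrike-backup" }
    $driverDir = "$($SystemDrive):\Windows\System32\drivers\CrowdStrike"

    if (-not (Test-Path -LiteralPath $driverDir)) {
        Write-Warning "Not found: $driverDir. Check the drive letter of the Windows volume."
        return
    }

    $files = @(Get-ChildItem -LiteralPath $driverDir -Filter $Pattern -File)
    if ($files.Count -eq 0) {
        Write-Host "No file matching $Pattern in $driverDir; nothing to delete."
        return
    }

    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Back up and delete')) {
            # Keep a copy outside the drivers folder in case vendor support asks for it
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            Copy-Item -LiteralPath $f.FullName -Destination $BackupDir -Force
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Deleted $($f.FullName) (copy saved to $BackupDir)"
        }
    }
}

# Preview first; then run for real and restart, as step 4 of the advisory says
Remove-FaultyChannelFile -WhatIf
# Remove-FaultyChannelFile
# Restart-Computer
```

Because the function declares SupportsShouldProcess, -WhatIf prints the files it would remove without touching them and -Confirm prompts per file; only the deletion of files that match the advisory's pattern inside the CrowdStrike driver directory is automated, so a typo in the drive letter results in a warning rather than a deletion elsewhere.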
