Outages: Because who loves to work on a Friday, anyway?
Microsoft Windows users have encountered a significant outage as part of a global incident. On July 19, 2024, CrowdStrike users experienced a massive outage that affected many critical infrastructure services and systems across multiple geographies, including India, Australia, Germany, the United States of America, the UK, and others. Windows hosts running the "CrowdStrike Falcon" sensor were greeted with BSOD (Blue Screen of Death) screens. The reason behind this is currently under investigation, as per the official statement from CrowdStrike (we will keep updating the blog). This outage has disrupted multiple major airlines, banks, media, and telecom companies.
What Happened?
As of July 19, 2024, the CrowdStrike-related outage has caused significant disruptions for several major organizations, including Sky, the NHS, and multiple major airlines. Downdetector, a website that monitors outages, reported sudden spikes in problems with websites including Microsoft applications, banking websites, and airline apps.
This CrowdStrike outage disrupted international airlines, causing flights to be halted and even canceled. In India, handwritten boarding passes had to be provided because the systems were down. Major Australian organizations, banks, and supermarkets were severely affected, forcing supermarkets to operate with cash-only transactions. GP practices within the NHS in the UK were also widely impacted. Amsterdam's Schiphol Airport, one of Europe's busiest hubs, was affected by the global outage. In the US, several major airlines, including American Airlines, Delta, and United, reportedly grounded all flights.
Additionally, hotel reservations, airline services, and credit card processing systems were also impacted, causing widespread inconvenience. In the UK, NHS GP practices experienced disruptions in patient appointment systems. Businesses relying on CrowdStrike's Falcon platform faced delays in security threat detection and response, increasing vulnerability and operational inefficiencies.
Here are a few notable instances:
Australia’s National Cyber Security Coordinator said there was a “large-scale technical outage affecting a number of companies and services across Australia this afternoon."
"Sky News has not been able to broadcast live TV this morning, and we are currently telling viewers that we apologize for the interruption," the broadcaster's executive chairman, David Rhodes, said on X. See more in reference.
Berlin Airport has delayed all its flights due to a technical fault.
Turkish Airlines experienced disruptions with ticketing, check-in, and reservation processes at 12:26 IST. See more in reference.
“The Associated Press is currently experiencing an intermittent service disruption that may impact your view of available content,” an update received by India Today stated.
"Our computers and our systems are down—all the things that make Sky News run down and indeed for many other major companies around the country," Tom Connell said.
According to ABC News, it “was experiencing a major network outage, along with several other media outlets”.
Reason Behind the "CrowdStrike Outage"
[UPDATE] Crowdstrike has released the RCA document. The technical issue is with a software platform called “The Falcon Sensor.”
Microsoft also stated that the preliminary root cause of the outage on their end was a “configuration change” in part of its Azure backend workloads. They also mentioned, “Our services are still seeing continuous improvements while we continue to take mitigation actions.”
Also, Microsoft said it was aware of the issue on Windows 365 Cloud PCs, which it confirmed was due to the CrowdStrike Falcon Sensor software.
For the CrowdStrike part of the outage, as per the update received, some hosts are experiencing a blue screen error related to the Falcon Sensor.
Windows hosts that have not encountered this issue do not require any action since the problematic channel file has been reverted.
Windows hosts brought online after 0527 UTC will not be affected.
Windows 7 and Windows Server 2008 R2 hosts are not impacted.
This issue does not affect Mac or Linux hosts.
The reverted (good) version of the channel file is "C-00000291*.sys" with a timestamp of 0527 UTC or later. The problematic version has a timestamp of 0409 UTC.
The Mitigation to Crowdstrike Outage
As of now there is no official patch for impacted systems; however, an official workaround has been shared by CrowdStrike:
10:36 PM PT: TA Posted - https://supportportal.crowdstrike.com/s/article/Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19
11:27 PM PT: Crowdstrike Engineering has identified a content deployment related to this issue and reverted those changes.
July 20, 2024: Update: Crowdstrike has released a blog here containing additional technical details and context to the issue.
Workaround Steps
As per the latest CrowdStrike blog:
"Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
Boot Windows into Safe Mode or the Windows Recovery Environment
NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
Locate the file matching “C-00000291*.sys”, and delete it.
Boot the host normally.
Note: Bitlocker-encrypted hosts may require a recovery key."
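As an added example (not code from CrowdStrike or from the original post), the following PowerShell script classifies the C-00000291*.sys channel file present on a Windows host using the two timestamps quoted above (problematic build at 0409 UTC, reverted build at 0527 UTC or later), so recovered hosts can be triaged without opening the driver directory by hand. The directory path and timestamps come from the advisory text; the status labels are this example's own naming, and it assumes the file's last-write time in UTC is the timestamp the advisory refers to. It only reports; deleting the file remains the vendor's workaround step above.

```powershell
# Added example: report which C-00000291*.sys channel file a host carries.
# Run from an elevated PowerShell prompt on a host that boots (normally or in
# Safe Mode with Networking). Reports only; never deletes anything.
$ChannelDir = Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'
# Timestamps from the advisory: faulty push at 04:09 UTC, reverted file at 05:27 UTC.
$BadStamp  = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
$GoodStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Get-Channel291Status {
    param([string]$Path = $ChannelDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $null; UtcWritten = $null; Status = 'NoCrowdStrikeDirectory' }
    }

    $files = Get-ChildItem -LiteralPath $Path -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue
    if (-not $files) {
        return [pscustomobject]@{ File = $null; UtcWritten = $null; Status = 'NoChannel291File' }
    }

    foreach ($f in $files) {
        # Assumption: LastWriteTimeUtc is the "timestamp" the advisory discriminates on.
        $written = $f.LastWriteTimeUtc
        $status = if ($written -ge $GoodStamp) {
            'RevertedBuild'        # 05:27 UTC or later: the fixed channel file
        } elseif ($written -ge $BadStamp) {
            'ProblematicBuild'     # between 04:09 and 05:27 UTC: the file tied to the BSOD
        } else {
            'PredatesIncident'     # older content that was never part of the faulty push
        }
        [pscustomobject]@{ File = $f.FullName; UtcWritten = $written; Status = $status }
    }
}

Get-Channel291Status | Format-Table -AutoSize
```

A host reporting ProblematicBuild that still boots should be rebooted first, as the quoted steps say, so it can pull the reverted file before anyone resorts to Safe Mode.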
Phishing Domains
The security impact of the phishing domains registered around the outage can be significant. Some of the notable phishing domains created on July 19th are listed below. These domains could be used to exploit users experiencing technical issues by offering fake fixes or support services, leading to credential theft or malware installation. We strongly recommend not interacting with any of them and trusting only the official channels of communication.
crowdstrikebluescreen[.]com
crowdstrike0day[.]com
crowdstrike-bsod[.]com
crowdstrikedoomsday[.]com
crowdstrikefix[.]com
crowdstrikedown[.]site
crowdstriketoken[.]com
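As an added example (not from the original post), the PowerShell check below shows how the lookalike domains listed above would surface in resolver logs: it flags any queried name that contains "crowdstrike" but is not the legitimate crowdstrike.com zone or one of its subdomains. The log line format and the sample lines are constructed for this example; adapt the field split to your own resolver's output.

```powershell
# Added example: flag DNS queries for vendor-lookalike domains outside the legitimate zone.
$LegitimateZones = @('crowdstrike.com')
$Keyword = 'crowdstrike'

# Constructed sample lines, shaped as "<date> <time> <client> query <domain>".
$SampleLog = @'
2024-07-19 09:12:01 10.0.0.15 query supportportal.crowdstrike.com
2024-07-19 09:12:07 10.0.0.15 query crowdstrikefix.com
2024-07-19 09:13:44 10.0.0.22 query crowdstrike-bsod.com
2024-07-19 09:14:02 10.0.0.22 query falcon.crowdstrike.com
2024-07-19 09:15:19 10.0.0.31 query crowdstrikedown.site
2024-07-19 09:16:55 10.0.0.31 query www.microsoft.com
'@

function Test-LegitimateZone {
    param([string]$Domain)
    # A name is legitimate only if it equals the zone or ends in ".<zone>";
    # "crowdstrike.com.evil.example" would correctly fail this test.
    foreach ($zone in $LegitimateZones) {
        if ($Domain -eq $zone -or $Domain.EndsWith(".$zone")) { return $true }
    }
    return $false
}

function Find-LookalikeQueries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 5) { continue }
        # Normalise: strip a trailing dot from FQDNs and compare case-insensitively.
        $domain = $parts[4].TrimEnd('.').ToLowerInvariant()
        if ($domain -like "*$Keyword*" -and -not (Test-LegitimateZone $domain)) {
            [pscustomobject]@{ Time = "$($parts[0]) $($parts[1])"; Client = $parts[2]; Domain = $domain }
        }
    }
}

# On the sample above this reports crowdstrikefix.com, crowdstrike-bsod.com and crowdstrikedown.site.
Find-LookalikeQueries -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```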
Update: Multiple threat actors have been identified circulating technical documents that claim to patch the crowdstrike BSOD issue, but in reality, they are nothing but malicious attempts at getting an initial foothold in the victim's environment. Here is one such sample:
Furthermore, DarkRelay Security Labs is observing a significant surge in CrowdStrike-themed phishing campaigns. We recommend that our readers only trust the official channels of communication from:
References