Tuesday, August 27, 2024

CrowdStrike Falcon global outage of Windows PCs - Impact, Cause, Analysis, Fix



CrowdStrike Global Windows BSOD Outage Summary

This summary provides an overview of the CrowdStrike outage, its impact, cause, and the steps taken to resolve it. The incident affected millions of Windows devices globally and required coordinated efforts from CrowdStrike, Microsoft, and various cybersecurity agencies to address. It also highlighted the potential vulnerabilities that can arise from relying heavily on a single security solution across many organizations.

The Incident

  • On July 19, 2024, a widespread outage affected Microsoft Windows hosts globally.
  • The outage was caused by a faulty update to CrowdStrike's Falcon platform.
  • It impacted Windows 10 and later systems, causing them to experience the Blue Screen of Death (BSOD).
  • Approximately 8.5 million Windows devices were affected, less than 1% of all Windows machines.

Impact

  • Major airlines, TV broadcasters, banks, and other essential services experienced disruptions.
  • Affected systems became stuck in a boot loop, displaying the error message "It looks like Windows didn't load correctly."
  • The outage did not affect Mac or Linux machines.

Cause

  • The issue was linked to a defect in a single content update for Windows hosts in CrowdStrike's Falcon platform.
  • A faulty software update was installed onto the core Windows operating system.

Response and Solution

  1. CrowdStrike:
    • Identified and isolated the issue.
    • Deployed a fix and provided guidance through their customer portal.
    • Published a Root Cause Analysis (RCA) report.
  2. Microsoft:
    • Released a recovery tool using a USB drive to boot and repair affected systems.
    • Worked with CrowdStrike to expedite service restoration.
  3. CISA (Cybersecurity and Infrastructure Security Agency):
    • Monitored the situation and provided updates.
    • Warned about threat actors taking advantage of the incident for phishing and other malicious activities.
  4. Manual Fix:
    • Users were advised to delete the file C-00000291*.sys in the directory C:\Windows\System32\drivers\CrowdStrike.
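The manual fix above (the same instruction appears again in the O&O BlueCon post further down) is normally carried out by hand from Safe Mode or a recovery environment. The following PowerShell function is an added example, not CrowdStrike's, Microsoft's or O&O's own tooling: it does the same deletion for a Windows installation that is not currently running, keeps a copy of each removed file, and supports a dry run. The function name, the parameter names, the quarantine folder and the drive letter D: in the usage lines are assumptions made for this example.

```powershell
# Added example, not CrowdStrike's, Microsoft's or O&O's own tooling: remove the
# Channel File 291 driver files named in the guidance above from a Windows
# installation that is NOT currently running, i.e. after booting into Safe Mode,
# WinRE or a rescue environment that has PowerShell. The function name, parameter
# names and the quarantine folder are assumptions made for this example.
function Remove-ChannelFile291 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Root of the Windows installation to repair: 'C:\Windows' from Safe Mode,
        # or e.g. 'D:\Windows' when the affected volume is mounted as D: in WinRE.
        [Parameter(Mandatory = $true)]
        [string]$WindowsRoot,

        # Each file is copied here before deletion so the original survives for a
        # later investigation (assumed location: next to the Windows folder).
        [string]$QuarantineDir = (Join-Path (Split-Path $WindowsRoot -Parent) 'CrowdStrike-Quarantine')
    )

    # Directory and wildcard exactly as given in the guidance: the asterisk covers
    # the varying suffix the file carries on different systems.
    $driverDir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    $pattern   = 'C-00000291*.sys'

    if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
        throw "Directory not found: $driverDir (is the right volume mounted?)"
    }

    # No recursion: the guidance names this one directory only. ($matches is an
    # automatic variable in PowerShell, hence the different variable name.)
    $found = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File)
    if ($found.Count -eq 0) {
        Write-Verbose "No file matching $pattern in $driverDir; nothing to do."
        return @()
    }

    if (-not (Test-Path -LiteralPath $QuarantineDir -PathType Container)) {
        New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
    }

    $removed = foreach ($f in $found) {
        # -WhatIf turns this into a dry run that only lists the files.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Quarantine and delete')) {
            # Record size and hash before touching the file, for the incident record.
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Copy-Item -LiteralPath $f.FullName -Destination $QuarantineDir -Force
            Remove-Item -LiteralPath $f.FullName -Force
            [pscustomobject]@{ File = $f.FullName; Bytes = $f.Length; SHA256 = $hash }
        }
    }
    return $removed
}

# Usage (assumed drive letter D: for the offline volume inside WinRE):
#   Remove-ChannelFile291 -WindowsRoot 'D:\Windows' -WhatIf           # dry run
#   Remove-ChannelFile291 -WindowsRoot 'D:\Windows' -Verbose | Format-Table
```

Run it once with -WhatIf to confirm that only the expected file (or files) in that one directory would be touched, then without. The hash and size are recorded because, after a fleet-wide incident, being able to show exactly which file was removed from which machine is worth more than the few seconds it costs. If the volume is BitLocker-protected it has to be unlocked with its recovery key before the directory is reachable, and where the rescue environment offers only a command prompt without PowerShell, deleting that same path by hand is the equivalent step.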

Recovery Process

  • Recovery time estimates ranged from days to weeks.
  • The process may require IT administrators to have physical access to affected devices.
  • Tools like O&O BlueCon were offered to help boot affected PCs and implement fixes.

Aftermath

  • CrowdStrike continued to provide updates and guidance.
  • Cybersecurity agencies worldwide issued alerts and recommendations.
  • The incident highlighted the risks associated with widespread dependence on a single security solution.

What is CrowdStrike, and what happened?


On Friday morning, some of the biggest airlines, TV broadcasters, banks, and other essential services came to a standstill as a massive outage rippled across the globe. The outage, which has brought the Blue Screen of Death upon legions of Windows machines across the globe, is linked to just one software company: CrowdStrike.

CrowdStrike plays an important role in helping companies find and prevent security breaches, billing itself as having the “fastest mean time” to detect threats. Since its launch in 2011, the Texas-based company has helped investigate major cyberattacks, such as the Sony Pictures hack in 2014, as well as the Russian cyberattacks on the Democratic National Committee in 2015 and 2016. As of Thursday evening, CrowdStrike’s valuation was upwards of $83 billion.

It also has around 29,000 customers, with more than 500 on the list of the Fortune 1000, according to CrowdStrike’s website.

But that popularity put it in the position to wreak havoc when something went wrong, with systems using CrowdStrike and Windows-based hardware falling offline in droves this morning. CrowdStrike CEO George Kurtz said on Friday that the company is “actively working with customers impacted by a defect found in a single content update for Windows hosts” while emphasizing that the issue isn’t linked to a cyberattack. It also doesn’t affect Mac or Linux machines.

The July 19th outage is tied to CrowdStrike’s flagship Falcon platform, a cloud-based solution that combines multiple security solutions into a single hub, including antivirus capabilities, endpoint protection, threat detection, and real-time monitoring to prevent unauthorized access to a company’s system.

The update in question appears to have installed faulty software onto the core Windows operating system, causing systems to get stuck in a boot loop. Systems are showing an error message that says, “It looks like Windows didn’t load correctly,” while giving users the option to try troubleshooting methods or restart the PC. Many companies, including this airline in India, have resorted to the good old-fashioned way of doing things by hand.

“Our software is extremely interconnected and interdependent,” Lukasz Olejnik, an independent cybersecurity researcher, consultant, and author of the book Philosophy of Cybersecurity, tells The Verge. “But in general, there are plenty of single points of failure, especially when software monoculture exists at an organization.”

Although CrowdStrike has deployed a fix, getting things up and running won’t be a simple task. Olejnik tells The Verge that this issue could take “days to weeks” to resolve because IT administrators may have to have physical access to a device to get them working again. How fast that happens depends on the size and resources of a company’s IT team. “Some systems in certain specific circumstances may be unrecoverable, but I assume that the majority will be recovered,” Olejnik adds.

Widespread IT Outage Due to CrowdStrike Update | CISA


Note: CISA will update this Alert with more information as it becomes available.

Update 4:30 p.m., EDT, August 6, 2024:

  • CrowdStrike published its Root Cause Analysis (RCA) report. According to CrowdStrike, “the full report elaborates on the information previously shared in our preliminary Post Incident Review (PIR), providing further depth on the findings, mitigations, technical details and root cause analysis of the incident.”

Update 12:30 p.m., EDT, July 26, 2024:

  • CrowdStrike’s Counter Adversary Operations blog lists various reports of malicious cyber activity leveraging last week’s outage. CrowdStrike also continues to provide updated information through its remediation and guidance hub.
  • CISA encourages users and administrators to remain vigilant and maintain robust cybersecurity measures, including:
    • Only follow guidance from legitimate sources.
    • Block malicious domains.
    • Follow CrowdStrike’s recommendations to protect against the outage-related phishing activity listed in their Counter Adversary Operations reports.

Update 12:00 p.m., EDT, July 24, 2024:

  • CrowdStrike continues to provide updates to its guidance, including:
    • An update to their initial remediation that accelerates remediation of impacted systems; CrowdStrike encourages customers to “follow the Tech Alerts for latest updates as they happen.”
    • A “Preliminary Incident Review,” which provides answers to why and how the outage occurred and how they will prevent such outages going forward.
  • CrowdStrike also continues to provide updated information through its remediation and guidance hub to guide users through a self-remediation process.
  • CrowdStrike also published a list of domains impersonating the CrowdStrike brand.

Update 9:45 a.m., EDT, July 21, 2024:

  • Microsoft released a recovery tool that uses a USB drive to boot and repair affected systems.
  • Microsoft also published a blog post that provides links to various remediation solutions and outlines its actions in response to the outage, which include working with CrowdStrike to expedite restoring services to disrupted systems.
  • In the blog post, Microsoft estimates the outage affected 8.5 million Windows devices. Microsoft notes that this number makes up less than one percent of all Windows machines.

Update 12:30 p.m., EDT, July 20, 2024:

  • CrowdStrike continues to provide updated guidance.
  • According to CrowdStrike, threat actors have been distributing a malicious ZIP archive file. This activity appears to be targeting Latin America-based CrowdStrike customers. The CrowdStrike blog provides indicators of compromise and recommendations.
  • CrowdStrike released technical details that provide:
    • A technical summary of the outage and the impact.
    • Information on how the update to the CrowdStrike Falcon sensor configuration file, Channel File 291, caused the logic error that led to the outage.
    • A discussion of the root cause analysis CrowdStrike is undertaking to determine how the logic error occurred.
  • Microsoft also published a blog post on yesterday’s widespread IT outage, including remediation steps for specific environments.
  • CrowdStrike’s remediation and guidance hub is updated with additional guidance regarding impacts to specific environments, e.g., Azure, AWS.
  • Cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts. CISA continues to work closely with CrowdStrike and other private sector and government partners to actively monitor any emerging malicious activity.

Update 7:30 p.m., EDT, July 19, 2024:

CISA continues to monitor the situation and will update this Alert to provide continued support.

Initial Alert (11:30 a.m., EDT, July 19, 2024):

CISA is aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts. CrowdStrike has confirmed the outage:

  • Impacts Windows 10 and later systems.
  • Does not impact Mac and Linux hosts.
  • Is due to the CrowdStrike Falcon content update and not to malicious cyber activity.

According to CrowdStrike, the issue has been identified, isolated and a fix has been deployed. CrowdStrike customer organizations should reference CrowdStrike guidance and their customer portal to resolve the issue.

Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends that organizations remind their employees to avoid clicking on phishing emails or suspicious links.
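CISA's recommendations above come down to three checks a defender can automate: trust only the vendor's own domains, block the published impersonation domains, and look for names that merely resemble the brand. The PowerShell below is an added example, not CISA's or CrowdStrike's own tooling, showing those checks run over DNS query log lines. The blocklist entries, the log format, the log lines and the client addresses are constructed placeholders; only crowdstrike.com is a real domain, and the allowlist is an assumption to be extended with whatever the vendor actually owns.

```powershell
# Added example, not CISA's or CrowdStrike's own tooling: screen DNS query log
# lines for domains that abuse the CrowdStrike brand, the outage-themed phishing
# the alert above warns about. The blocklist entries, the log format and the log
# lines are constructed placeholders; only crowdstrike.com is a real domain.

# Plain Levenshtein distance, used to catch one- or two-character near-misses.
function Get-EditDistance([string]$a, [string]$b) {
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (New-Object int[] $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

# Classifies one queried name as blocklisted, allowed, lookalike or unrelated.
function Test-BrandLookalike {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Brand = 'crowdstrike',
        # Domains the vendor actually owns (assumed list; extend with its full estate).
        [string[]]$Allowlist = @('crowdstrike.com'),
        # Impersonation domains imported from a published list (placeholders).
        [string[]]$Blocklist = @('crowdstrike-fix.example', 'crowdstrikebsod.example')
    )
    $d      = $Domain.Trim().TrimEnd('.').ToLowerInvariant()
    $labels = $d.Split('.')
    # Registrable part approximated as the last two labels; good enough here.
    $apex   = if ($labels.Count -ge 2) { $labels[-2..-1] -join '.' } else { $d }

    if ($Blocklist -contains $d -or $Blocklist -contains $apex) { return 'blocklisted' }
    if ($Allowlist -contains $d -or $Allowlist -contains $apex) { return 'allowed' }

    # Brand string anywhere in a name the vendor does not own, e.g.
    # crowdstrike-support.example or crowdstrike.example.net.
    if ($d -like "*$Brand*") { return 'lookalike' }

    # Near-misses in the registrable label: homoglyphs, dropped or doubled letters,
    # e.g. crowdstr1ke-support.example. Hyphenated labels are checked token by token.
    if ($labels.Count -ge 2) {
        foreach ($token in ($labels[-2] -split '-')) {
            if ($token -ne $Brand -and (Get-EditDistance $token $Brand) -le 2) { return 'lookalike' }
        }
    }
    return 'unrelated'
}

# Runs the classifier over log lines of the constructed form
# "<timestamp> <client-ip> <queried-name>" and returns the hits.
function Find-SuspiciousDnsQueries {
    param([Parameter(Mandatory = $true)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }
        $verdict = Test-BrandLookalike -Domain $parts[2]
        if ($verdict -in 'blocklisted', 'lookalike') {
            [pscustomobject]@{ Time = $parts[0]; Client = $parts[1]; Name = $parts[2]; Verdict = $verdict }
        }
    }
}

# Constructed sample log lines (not from the page or any real capture).
$sampleLog = @(
    '2024-07-20T09:01:12Z 10.0.0.15 falcon.crowdstrike.com',
    '2024-07-20T09:02:40Z 10.0.0.22 crowdstrike-fix.example',
    '2024-07-20T09:03:05Z 10.0.0.22 crowdstr1ke-support.example',
    '2024-07-20T09:04:51Z 10.0.0.31 crowdstrike.example.net',
    '2024-07-20T09:05:19Z 10.0.0.40 microsoft.com'
)
Find-SuspiciousDnsQueries -LogLines $sampleLog | Format-Table -AutoSize
```

On the constructed sample the vendor's own host is passed through by the allowlist, the blocklisted name is reported as such, and the two names that were never on any list, one with a digit swapped in for a letter and one that hides the brand in a subdomain, are reported as lookalikes. The order of the checks matters: the allowlist is consulted before the substring and edit-distance tests, otherwise every legitimate query to the vendor would be flagged, and the blocklist is consulted first because a published impersonation domain should be reported as exactly that.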
    O&O BlueCon offers a solution in response to the global outage of Windows PCs - O&O Software

    Source: blog.oo-software.com, by Jim Harrison

    In view of the recent event in which Windows PCs around the world can no longer start and come to a halt with a system crash (so-called “Blue Screen Of Death” or BSOD for short), we would like to offer all our customers a solution at short notice with which you can not only solve the problem, but also regain access to your data and of course your system.

    O&O BlueCon to the Rescue

    O&O BlueCon enables you to boot a Windows PC that can no longer be started and to carry out the appropriate measures in your own rescue environment. The background to this is an error at the security provider CrowdStrike, whose software is used worldwide, particularly in companies and public administrations. You can find more information in the following article at CNN.

    Solution to the current problem

    To prevent the BSOD, users should delete the file C-00000291*.sys in the directory C:\Windows\System32\drivers\CrowdStrike – the asterisk stands for any character string, as this file can have different names on different systems. With O&O BlueCon, you can simply go to this directory after starting with the integrated file explorer and delete the file. The machine should then be able to start again.

    The All-In-1 Tool Kit for your IT needs

    By the way: O&O BlueCon can also help you with all other daily problems with Windows, for example resetting forgotten passwords or rescuing data from defective systems. It is the Swiss Army knife of Windows tools. Developed and produced in Berlin!

    Daily solutions with the O&O BlueCon tools:

  • Partitioning hard disks: O&O PartitionManager
  • Backing up and restoring data: O&O DiskImage
  • Restoring accidentally deleted data: O&O DiskRecovery
  • Driver problems and service issues: O&O DeviceManager
  • Secure deletion of data volumes: O&O SafeErase
  • Resetting passwords: O&O UserManager
  • Combat errors in the registry database: O&O RegEditor
  • Advanced error detection: O&O EventViewer and O&O CheckDisk
  • Locating and removing data: O&O FileExplorer
  • Downloading additional tools: Integrated Firefox browser
  • Supports Windows 11, Windows 10 and Windows Server 2022, 2019, 2016
  • Read more on our website or try and buy now:

    Jim Harrison has a very broad sales and account management background, having previously been employed by various international companies in both senior sales and customer service roles. He joined O&O Software in March, 2006 in a sales and localization capacity, and having quickly recognized the potential for O&O Software worldwide, he was appointed Director of Sales International in 2008. Jim and his team focus on developing long-term, strategic partnerships in order to bring the O&O brand and product range to more and more international markets. Developing primarily the European, North American and Asian markets, his aim is quite clear: to have an O&O product installed on every computer, worldwide!
