Security advisory: CrowdStrike Update Cripples Windows Systems

RGSA 07-29-24-01 

Date: July 29, 2024

INTRODUCTION

On July 19, 2024, CrowdStrike released a flawed content update to its Falcon sensor for Windows, triggering widespread system crashes. Because of a bug in the Content Validator and insufficient testing, the faulty content passed CrowdStrike’s internal quality checks and was released to customers.

The update reached over 8.5 million Windows devices, resulting in an out-of-bounds memory read that caused the Falcon sensor to crash the operating system, leading to the infamous Blue Screen of Death (BSOD). The impact was severe, with enterprises across various sectors, including airports, hospitals, government agencies, media outlets, and financial institutions, experiencing critical and costly IT disruptions.

Both Windows workstations and servers were affected, leading to massive outages that incapacitated entire organizations and rendered millions of computers inoperable until each one was repaired.

ROOT CAUSE

The failure was triggered by a content configuration update delivered to the Falcon sensor, not by a new version of the sensor itself. Affected Windows systems crashed with the Blue Screen of Death, and because the sensor loads the content during startup, many machines crashed again on every restart and were stuck in a boot loop. CrowdStrike acknowledged the problem and issued a technical alert stating that its engineers had “identified a content deployment related to this issue and reverted those changes.”
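As an added example (this is not CrowdStrike’s code, and the field counts, names and layout are illustrative assumptions rather than figures from the advisory), the following C program shows the shape of the bug described above: a content interpreter that trusts the number of input fields declared by a rule template instead of the number of fields actually delivered in the content file, beside the bounds check that turns the same mismatch into a rejected update rather than an invalid read. The memory it walks is constructed inside the program so the over-read is visible without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative assumptions, not figures from the advisory. */
#define DELIVERED_FIELDS 20u          /* fields actually present in the content file */
#define TEMPLATE_FIELDS  21u          /* fields the rule template declares */
#define CANARY           0xDEADBEEFu  /* a word that belongs to an unrelated object */

/* A rule template: how many input fields the matching logic will consume. */
typedef struct {
    size_t expected_fields;
} template_t;

/* A content update as delivered: its fields and how many there really are. */
typedef struct {
    const uint32_t *fields;
    size_t field_count;
} content_t;

/* Constructed "memory": the content's fields followed immediately by a word
 * that is not part of the content at all. */
static uint32_t memory[DELIVERED_FIELDS + 1];

static content_t load_constructed_content(void) {
    for (size_t i = 0; i < DELIVERED_FIELDS; i++)
        memory[i] = (uint32_t)(i + 1);
    memory[DELIVERED_FIELDS] = CANARY;
    content_t c = { memory, DELIVERED_FIELDS };
    return c;
}

/* Vulnerable interpreter: iterates to the template's declared count and never
 * compares it with what the content actually carries. With TEMPLATE_FIELDS >
 * DELIVERED_FIELDS the last iteration reads memory belonging to something
 * else. In a kernel-mode driver an invalid read like this is a bug check. */
uint32_t interpret_unchecked(const template_t *t, const content_t *c) {
    uint32_t acc = 0;
    for (size_t i = 0; i < t->expected_fields; i++)
        acc ^= c->fields[i];   /* no check that i < c->field_count */
    return acc;
}

/* Hardened interpreter: the validator's consistency check is enforced again
 * at load time, and a mismatch rejects the content instead of dereferencing. */
bool interpret_checked(const template_t *t, const content_t *c, uint32_t *out) {
    if (c->fields == NULL || c->field_count != t->expected_fields)
        return false;          /* fail safe: skip this content, keep the system up */
    uint32_t acc = 0;
    for (size_t i = 0; i < c->field_count; i++)
        acc ^= c->fields[i];
    *out = acc;
    return true;
}

/* Scenario helpers so each outcome can be checked by name. */
uint32_t demo_unchecked_mismatch(void) {
    content_t c = load_constructed_content();
    template_t t = { TEMPLATE_FIELDS };
    return interpret_unchecked(&t, &c);   /* result includes CANARY: foreign memory consumed */
}

bool demo_checked_mismatch_rejected(void) {
    content_t c = load_constructed_content();
    template_t t = { TEMPLATE_FIELDS };
    uint32_t out = 0;
    return !interpret_checked(&t, &c, &out);
}

uint32_t demo_checked_match(void) {
    content_t c = load_constructed_content();
    template_t t = { DELIVERED_FIELDS };
    uint32_t out = 0;
    return interpret_checked(&t, &c, &out) ? out : 0;
}

int main(void) {
    printf("unchecked, mismatched template : 0x%08X\n", demo_unchecked_mismatch());
    printf("checked, mismatched template   : %s\n",
           demo_checked_mismatch_rejected() ? "rejected" : "accepted");
    printf("checked, matching template     : 0x%08X\n", demo_checked_match());
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra oob_content.c && ./a.out`. In user space the unchecked path merely produces a checksum that has absorbed the canary; in the sensor, which runs in kernel mode, the equivalent invalid access bug-checks Windows, which is why the symptom was a BSOD rather than a bad detection result. The check belongs in both places: in the validator that gates a content release and in the interpreter that consumes the content on the endpoint, because the first line of defence is exactly what failed here.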

Despite the swift response, it took days for some organizations to restore normal operations. Reverting the content did not help machines that could no longer boot, so remediation typically required hands-on access to each affected host (and, where disks were encrypted, the corresponding BitLocker recovery keys), which prolonged the outages. While most organizations have since recovered, the repercussions of the incident continue to unfold, with increased cybercriminal activity, loss of trust, and potential litigation.

According to a report by Guy Carpenter, the estimated insured losses from the faulty Falcon update range between $300 million and $1 billion, while CyberCube has suggested the figure could be as high as $1.5 billion.


THE IMPACT ON PERSONAL COMPUTERS

CrowdStrike warned users that cybercriminals were exploiting the Falcon outage. Phishing attempts posing as CrowdStrike representatives surged as attackers sought to distribute malware. A notable example was a fake recovery manual, delivered as a macro-enabled document, that installed a new information-stealing malware called Daolpu. Once active, the malware harvested account credentials, browser history, and authentication cookies stored in browsers such as Chrome, Edge, and Firefox.