Early on July 19, 2024, CrowdStrike released a faulty Falcon content update that is believed to have caused widespread system instability on Windows systems. It is reported that Mac and Linux systems were not affected. CrowdStrike confirmed this was a technical issue and not a cybersecurity issue. Nonetheless, this has had widespread effect across the world, disrupting major news organizations, healthcare providers, and airlines, among others.
CrowdStrike has provided remediation guidance for systems affected by this issue in their support portal (login required). For those without a login, the remediation steps are as follows:
- CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
- If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to work around this issue:
Workaround Steps:
- Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
Note: BitLocker-encrypted hosts may require a recovery key.
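The workaround steps above, scripted for an administrator who has to repeat them across many hosts. This is an added example, not CrowdStrike's or Blackpoint's code; it assumes PowerShell is available in Safe Mode or the Windows Recovery Environment, that the offline system volume may carry a letter other than C: when booted into WinRE, and that a BitLocker-protected volume has already been unlocked with its recovery key. It only reports matches unless run with -Delete.

```powershell
# Added example (not vendor code): find and remove the faulty channel file
# C-00000291*.sys from the CrowdStrike driver directory, from Safe Mode or WinRE.
param(
    [switch]$Delete   # without -Delete the script is a dry run and only reports
)

$pattern = 'C-00000291*.sys'
$relDir  = 'Windows\System32\drivers\CrowdStrike'

# In WinRE the offline OS volume is often D: (or another letter), and X: is the
# recovery RAM disk, so check every filesystem drive instead of assuming C:.
$dirs = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $dir = Join-Path $_.Root $relDir
    if (Test-Path -LiteralPath $dir) { $dir }
}

if (-not $dirs) {
    Write-Host "No CrowdStrike driver directory found on any mounted volume."
    return
}

foreach ($dir in $dirs) {
    $hits = Get-ChildItem -LiteralPath $dir -Filter $pattern -File -ErrorAction SilentlyContinue
    if (-not $hits) {
        Write-Host "$dir : no file matching $pattern (already reverted, or not present)."
        continue
    }
    foreach ($f in $hits) {
        # Record name, size and timestamp before removal so the incident log
        # shows exactly which channel file this host was carrying.
        Write-Host ("{0}  {1} bytes  written {2:u}" -f $f.FullName, $f.Length, $f.LastWriteTimeUtc)
        if ($Delete) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Deleted $($f.FullName)"
        } else {
            Write-Host "Dry run: re-run with -Delete to remove this file."
        }
    }
}
```

After the file is removed, boot the host normally so the sensor can pull the reverted channel file, as the steps above describe.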
While not directly related to a security flaw, this is still a catastrophic incident. Because the fix requires hands-on remediation of each affected host, this is a monumental task for organizations with global operations. A key takeaway from this incident is to ensure you have a disaster recovery plan and have tested it. Since the remediation steps require booting into Safe Mode, do you have easily accessible BitLocker recovery keys? Are they (and other critical information you may need) stored somewhere you can still reach during a catastrophic system failure?
Additionally, be aware of opportunistic attackers who may try to take advantage of the chaos surrounding incidents like this. The volume of phishing emails and malicious websites offering "fixes" rises sharply during critical incidents. Always verify that communications and remediation instructions are coming from the vendor or trusted partners.
Blackpoint Cyber and the Adversary Pursuit Group are continuing to monitor the ongoing ramifications and will update this blog as the situation develops.