CrowdStrike’s recent faulty update caused a significant tech disaster affecting 8.5 million Windows devices globally, according to Microsoft. Although the tech giant claims this represents “less than one percent of all Windows machines,” the impact was widespread, disrupting operations for retailers, banks, airlines, and other industries reliant on these systems.
Microsoft adds that the issue was largely resolved by Friday afternoon in the US, but both it and CrowdStrike are still addressing the aftermath. David Weston, its vice president of enterprise and OS security, stated in a blog post on Saturday that the company is collaborating with the security firm to develop a scalable solution to accelerate a fix within Microsoft’s Azure infrastructure.
In addition to Microsoft’s efforts, assistance has been sought from Amazon Web Services (AWS) and Google Cloud Platform (GCP) to manage and mitigate the effects of the faulty update. The joint efforts aim to prevent future disruptions and ensure a more robust response mechanism.
Read an update on what we’ve done to help Microsoft customers recover from the recent CrowdStrike outage. Learn about our actions from the start of the incident and our collaboration with customers, cloud providers and others in the tech community. https://t.co/7lS3zl32ww
— Microsoft News and Stories (@MSFTnews) July 20, 2024
Meanwhile, CrowdStrike released a technical breakdown on its blog, providing detailed insights into what caused the widespread system failures. It noted that the core issue stemmed from a configuration file update, which is part of the behavioral protection mechanisms of the Falcon sensor. Known as “Channel Files,” these are routinely updated several times a day to respond to new threats.
The problematic file, though not a kernel driver, is crucial for how the Falcon sensor evaluates named pipe executions on Windows systems. Further details from CrowdStrike’s blog reveal that the issue began on July 19, 2024 when a routine sensor configuration update was released. This update inadvertently triggered a logic error, resulting in system crashes and blue screens of death (BSOD) on affected devices.
As CrowdStrike continues to work with customers and partners to resolve this incident, our team has written a technical overview of today’s events. We will continue to update our findings as the investigation progresses. https://t.co/xIDlV7yKVh
— George Kurtz (@George_Kurtz) July 20, 2024
Worsening the situation even further, CrowdStrike’s channel file updates were automatically pushed to computers regardless of any settings that should have prevented such updates. This oversight contributed to the extensive reach and impact of the faulty update.
The firm also warned of threat actors exploiting the recent update issue to distribute malware via a malicious ZIP archive named “crowdstrike-hotfix.zip.” This archive contains a HijackLoader payload that loads RemCos and appears to target Latin American (LATAM) CrowdStrike customers, indicated by Spanish filenames and instructions.
The blog also mentions the emergence of typosquatting domains impersonating the company. This is the first observed instance of threat actors exploiting the Falcon content issue to target LATAM-based customers. CrowdStrike advises organizations to work only with official representatives and follow guidance from their support team.
