ADVISORY!
TLP : CLEAR
Date : 19/07/2024
REF NO : CERT / 2024/07/65
CrowdStrike Denial of Service Alert
Severity Level: High
Components Affected
CrowdStrike Falcon Sensor for Windows version 7.11 and above, that were online or downloaded the updated configuration between Friday, July 19, 2024 04:09 UTC to 05:27 UTC
Overview
On 19 Jul 2024, CrowdStrike Falcon Sensor caused crashes on Windows hosts. Windows hosts running on cloud such as Azure, AWS, etc. are also affected. The symptoms include hosts experiencing a bugcheck\blue screen error.
Threat actors has been observed taking advantage of this incident for phishing and other malicious activities, including the following:
- Sending phishing emails posing as CrowdStrike support to customers
- Impersonating CrowdStrike staff in phone calls
- Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
- Selling scripts purporting to automate recovery from the content update issue
SLCERT recommands that users ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support theams have provided.
CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
If hosts are still crashing and unable to stay online to receive the Channel File Changes, please take the workaround in the “Solution” section
Impact
- Denial of Service
Solution/ Workarounds
Before installation of the software, please visit the vendor web-site for more details.
Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
Workaround Steps for individual hosts:
- Reboot the host to give it an opportunity to download the reverted channel file.
- If the host crashes again, then:
Note: Bitlocker-encrypted hosts may require a recovery key.- Review the following video on CrowdStrike Host Self-Remediation for Remote Users. Follow the instructions contained within the video if directed to do so by your organization’s IT department.
- Boot Windows into Safe Mode or the Windows Recovery Environment
- NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Windows Recovery defaults to X:\windows\system32
- Navigate to the appropriate partition first (default is C:\), and navigate to the crowdstrike directory:
- C:
- cd windows\system32\drivers\crowdstrike
- Navigate to the appropriate partition first (default is C:\), and navigate to the crowdstrike directory:
- Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume
- Windows Recovery defaults to X:\windows\system32
- Locate the file matching “C-00000291*.sys”, and delete it.
- Do not delete or change any other files or folders
- Cold Boot the host
- Shutdown the host
- Start host from the off state
- Microsoft has released a USB tool to help IT Admins expedite the repair process. The signed Microsoft Recovery Tool can be found in the Microsoft Download Center. For further details, please visit:
For VM running on cloud platform, please apply workarounds issued by the vendor:
- Google Cloud Platform (GCP)
- https://www.crowdstrike.com/wp-content/uploads/2024/07/Automated-Recovery-from-Blue-Screen-on-Windows-Instances-in-GCP.pdf
- See GCP CrowdStrike File Remediation Script – provides a Python script customers can use to remediate impacted hosts residing in the GCP.
- Microsoft Azure
- Amazon Web Services (AWS)
Notes: CrowdStrike will update the solution from time to time, for latest information, please refer to https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
Reference
- https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
- https://www.crowdstrike.com/blog/technical-details-on-todays-outage/
- https://www.crowdstrike.com/blog/our-statement-on-todays-outage/
- https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
- https://azure.status.microsoft/en-gb/statushttps://health.aws.amazon.com/health/status
- https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959
- https://www.cisa.gov/news-events/alerts/2024/07/19/widespread-it-outage-due-crowdstrike-update
- https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre
- Hotline : 101
- +94 11 269 1692
- Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
- General inquiry: cert@cert.gov.lk
- Security incidents: incidents@cert.gov.lk
- Social media incidents: report@cert.gov.lk
