On July 19, 2024, a global issue originating from the cybersecurity firm CrowdStrike caused widespread computer and internet disruptions. Let’s dive into the details.
What is CrowdStrike?
CrowdStrike is an American cybersecurity company founded in 2011 and headquartered in Austin, Texas. Since its inception, the company has rapidly grown by providing a range of cloud-based security services. It employs thousands of workers and serves businesses worldwide.
What is CrowdStrike Falcon?
Falcon is one of the software products deployed by organizations to protect their computers from cyberattacks and malware.
Falcon is classified as an Endpoint Detection and Response (EDR) software. Its primary function is to monitor the activities on the computers where it is installed, searching for signs of malicious software. When it detects something suspicious, it helps lock the threat.
To detect signs of an attack, Falcon must monitor computers in great detail. This includes tracking the communications sent over the internet, the programs running, the files opened, and much more.
Falcon’s ability to block threats also requires deep integration with the core software of the computers it monitors, such as Microsoft Windows. For example, if Falcon identifies that a monitored computer is communicating with a potential hacker, it must be able to terminate that communication.
What Do We Know About the CrowdStrike Outage?
On July 19, 2024, CrowdStrike released a faulty update to its Falcon security software that caused widespread issues on computers running Microsoft Windows. As a result, approximately 8.5 million systems crashed and failed to reboot properly, marking what is now known as the largest IT outage in history.
According to CrowdStrike, the problematic update for the Falcon EDR platform was distributed at 04:09 UTC to Windows devices. CrowdStrike typically sends multiple updates to Falcon files daily.
The flaw that triggered the outage resided in Channel File 291, a file located at C:\Windows\System32\drivers\CrowdStrike\ with a name starting with “C-00000291-” and ending with “.sys.” This file instructs the Falcon sensor on how to process “named pipe” execution used by Windows systems for interprocess communication. While the commands themselves were not inherently malicious, they were susceptible to misuse.
Following the Channel File 291 update, the Windows sensor client caused out-of-bounds memory errors, leading to blue screen stop code crashes on affected machines.
What Did the Company Say?
George Kurtz, CEO and co-founder of CrowdStrike, issued a public apology on the company’s blog:
“I want to sincerely apologize directly to all of you for today’s outage.”
The statement clarified that the issue was specific to Windows computers and did not affect Mac or Linux systems, as it stemmed from a bug in the Falcon update.
Cybercriminals Exploiting the Outage
According to CrowdStrike, malicious actors took advantage of the outage with activities such as:
- Sending phishing emails pretending to offer CrowdStrike support.
- Making fake phone calls impersonating CrowdStrike employees.
- Selling scripts that falsely claimed to automate recovery from the faulty update.
- Spreading misinformation, claiming the outage resulted from a cyberattack and offering supposed solutions.
Was Microsoft Responsible?
The issue was not directly caused by Microsoft. However, the faulty CrowdStrike update had a significant impact on Microsoft Windows operating systems. Microsoft advised Azure customers to reboot their virtual machines to resolve the issue.
Were Individual Users Affected?
CrowdStrike’s customers primarily consist of large enterprise users, so individual users were not directly impacted. However, some individuals may have been indirectly affected through systems at their workplaces.
Elon Musk’s Response
Elon Musk, the owner of Tesla, SpaceX, and X, announced that he had removed CrowdStrike from all his systems following the global software issue.
Public Commentary
- CNN:
“A global tech outage shows how close we are to chaos with just one mistake,” stated CNN, highlighting the significant impact of the CrowdStrike incident.
“It’s worth remembering that a major error by a cybersecurity company you’ve probably never heard of showed how the internet can suddenly grind to a halt without warning.” - Forbes:
“CrowdStrike IT Outage Highlights Need for Tighter Operational Updates.” - Reuters:
“The widely used cybersecurity software’s routine update, which caused customers’ computer systems worldwide to crash on Friday, apparently skipped sufficient quality checks before deployment.”
Conclusion
The CrowdStrike outage underscores the critical role of operational vigilance in cybersecurity. While the incident primarily impacted enterprises, its global reach serves as a stark reminder of how interconnected and fragile digital infrastructure can be.
Sources
- https://www.cio.com/article/3476789/crowdstrike-failure-what-you-need-to-know.html
- https://en.wikipedia.org/wiki/2024_CrowdStrike_incident#Analysis_of_causes
- https://www.forbes.com/sites/moorinsights/2024/07/23/crowdstrike-it-outage-highlights-need-for-tighter-operational-updates/
- https://www.reuters.com/technology/cybersecurity/crowdstrike-update-that-caused-global-outage-likely-skipped-checks-experts-say-2024-07-20/
- https://www.techtarget.com/whatis/feature/Explaining-the-largest-IT-outage-in-history-and-whats-next
- https://edition.cnn.com/2024/07/23/business/crowdstrike-tech-nightcap/index.html
- https://theconversation.com/what-is-crowdstrike-falcon-and-what-does-it-do-is-my-computer-safe-235123
- https://www.crowdstrike.com/blog/to-our-customers-and-partners/
- https://www.theguardian.com/technology/article/2024/jul/19/what-is-crowdstrike-microsoft-windows-outage
- https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/
- https://gazeteoksijen.com/bilim-ve-teknoloji/tarihin-en-buyuk-bilisim-krizi-3-soru-3-yanit-217342
- https://www.bbc.com/turkce/articles/c0350l65446o
- https://www.bloomberght.com/elon-musk-crowdstrikei-sistemlerimizden-sildik-2356893
