EXPEL BLOG

Security Alert: CrowdStrike Windows Outage

· 2 MIN READ · GREG NOTCH · JUL 19, 2024 · TAGS: Cloud security / MDR

What happened?

Early this morning, an issue in a CrowdStrike Falcon Sensor update (caused by a malformed channel file) rendered Microsoft’s Windows OS inoperable, leaving impacted devices with the Blue Screen of Death (BSoD). Any host with the affected channel file has the potential to crash. There is a workaround, but the recovery process is largely manual and recovery times may be long. Mac and Linux hosts are not impacted.

CrowdStrike confirmed that a fix was deployed and that it does not believe this to be a security incident or cyber attack. 

Expel is unaffected by this outage directly, as it does not impact our ability to ingest our customers’ alerts, nor does it impact the API connection between CrowdStrike Falcon and our security operations platform, Expel Workbench™. We communicated the issue with any impacted customers and shared detailed guidance for fixing it.

Why does it matter?

This faulty channel file is having a global impact, interrupting operations at major airlines, banks, broadcast networks, and more. And while there is a fix, it’s not very scalable—requiring manual intervention from IT team admins for each system.

What should you do right now?

A manual fix is required for hosts whose channel file “C-00000291*.sys” carries a timestamp of 4:09 AM UTC (the problematic version). If you’re on Windows and you’re an Expel customer, we sent out detailed workarounds via Ruxie this morning.

You can also refer to the Microsoft status page and this CrowdStrike blog post for steps to take and updates, including recommendations for public cloud and virtual environments. 

Unimpacted Windows hosts don’t require any action, as the problematic channel file was reverted. This includes: 

  • Hosts brought online after 5:27 AM UTC today, July 19
  • Mac- or Linux-based hosts
  • Hosts with the reverted, or “good,” version of the channel file (“C-00000291*.sys”) with a timestamp of 5:27 AM UTC or later
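To turn the two timestamps above into a quick per-host triage, here is an added PowerShell check (example code, not from the Expel post or from CrowdStrike). It assumes the channel files sit in the directory you pass as $ChannelDir (a placeholder here; point it at the CrowdStrike driver directory on your hosts) and that the file’s LastWriteTimeUtc reflects when the channel file was last updated.

```powershell
# Added example: classify this host's CrowdStrike channel file by timestamp.
# Assumptions: channel files are in $ChannelDir (placeholder path), and the
# file's LastWriteTimeUtc is the update time referenced in the advisory.
param(
    [string]$ChannelDir = 'C:\PATH\TO\CROWDSTRIKE\CHANNEL\FILES'  # placeholder, set for your fleet
)

# Timestamps from the advisory: 04:09 UTC = problematic build, 05:27 UTC = reverted build.
$badStamp  = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
$goodStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Get-ChannelFileStatus {
    param([string]$Dir)

    $files = Get-ChildItem -Path $Dir -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue
    if (-not $files) {
        # No matching channel file: either not a Falcon host or the path assumption is wrong.
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; File = $null; TimestampUtc = $null; Status = 'NoChannelFileFound'
        }
    }

    foreach ($f in $files) {
        $ts = $f.LastWriteTimeUtc
        # Classification used here: at/after the revert time = good; between the
        # problematic build time and the revert = problematic; earlier = predates
        # the window and should be verified against your sensor inventory.
        $status = if ($ts -ge $goodStamp)    { 'Reverted - no action needed' }
                  elseif ($ts -ge $badStamp) { 'Problematic - manual fix required' }
                  else                       { 'Predates problem window - verify' }

        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            File         = $f.Name
            TimestampUtc = $ts.ToString('u')
            Status       = $status
        }
    }
}

Get-ChannelFileStatus -Dir $ChannelDir | Format-Table -AutoSize
```

Run it locally on a host that can still boot, or push it through your remote-management tooling and collect the Status column to scope which machines need the manual workaround.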

What next?

Be wary of attackers taking advantage of the situation to churn out malicious phishing sites and look-alike domains (“domain typosquatting”). These can take many forms (for example, replacing “o” with “0”) and often prey on users frantically searching for a solution to an issue. This is common whenever large-scale events of any kind occur, and as a general rule organizations should consider blocking users from visiting newly created domains.

We’re keeping a close eye on this situation as it unfolds. We’ll update this post with big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge.