Global cybersecurity giant CrowdStrike unintentionally became the cause of a massive Denial-of-Service (DoS) last Friday when a routine update to its Falcon endpoint security platform went horribly wrong.
A faulty component pushed with the update triggered a logic error on Windows PCs worldwide, leaving them stuck on Blue Screens of Death (BSOD) and in never-ending boot loops.
The update added detection content for newly observed malicious pipes used by common C2 frameworks to Falcon's Sensor. One of the Channel Files carrying that data, however, turned out to be the core of the issue. This file, named C-00000291*.sys, has since been recalled, fixed, and redeployed by CrowdStrike, and is no longer a threat.
The Fixes
For the systems that have already been affected, CrowdStrike recommends the following workaround:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
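The same workaround as a script, added here as an illustration and not CrowdStrike's or Microsoft's own tooling. It assumes PowerShell is available in the recovery environment, takes the offline system drive letter as a parameter (in WinRE the boot ramdisk is X: and the damaged installation usually sits under another letter; in Safe Mode it is C:), and keeps a hashed copy of the removed file in an assumed quarantine folder before deleting it:

```powershell
# Added example, not CrowdStrike's or Microsoft's tooling: remove the faulty
# channel file from the affected Windows volume from Safe Mode or WinRE.
# Assumption: the damaged installation's drive letter is passed in (default C:).
param(
    [string]$SystemDrive = 'C:'
)

$driverDir  = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$quarantine = Join-Path $SystemDrive 'CrowdStrike-Quarantine'   # assumed backup location

if (-not (Test-Path $driverDir)) {
    Write-Error "Falcon driver directory not found at $driverDir; check the drive letter."
    exit 1
}

# Only the channel file named in the advisory is touched; all other channel files stay.
$bad = Get-ChildItem -Path $driverDir -Filter 'C-00000291*.sys' -File

if (-not $bad) {
    Write-Output "No C-00000291*.sys file present in $driverDir; nothing to do."
    exit 0
}

New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

foreach ($f in $bad) {
    # Record the hash and keep a copy so the removed file can be examined afterwards.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Copy-Item -Path $f.FullName -Destination $quarantine -Force
    Remove-Item -Path $f.FullName -Force
    Write-Output "Removed $($f.Name) (SHA256 $hash); copy kept in $quarantine"
}

Write-Output "Done. Reboot the host normally."
```

Run it once per affected volume and reboot; if the host BitLocker-protects the system drive, the volume must be unlocked with its recovery key before the directory is reachable.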
Microsoft additionally released its own recovery tool, WinPE, to find and remove the faulty update manually.
The Impact
Even though fixes have been made available, the effects of the outages will continue to affect services for weeks. Entire companies were taken offline with fleets of hundreds of thousands of computers being rendered useless after installing the faulty update. The massive outages led to thousands of flights being cancelled, disruptions in banking services, and even in emergency services.
In the wake of these outages, threat actors were swift to take advantage of the desperate companies to dupe them into installing data wipers and remote access tools. A stark increase in phishing emails trying to take advantage of the situation has been observed.
Most notably, BBVA bank customers have been targeted with a fake CrowdStrike Hotfix update that delivers the Remcos RAT. The fake fix was promoted on a website masquerading as a BBVA portal.
Furthermore, a pro-Iranian hacktivist group named Handala has claimed a campaign distributing data wipers, saying that they impersonated CrowdStrike in emails to Israeli companies to distribute the malware.
CrowdStrike has also warned of a fake repair manual, delivered via phishing emails, which is being used to deliver an information-stealer malware called Daolpu.
Conclusion
According to Microsoft, 8.5 million Windows devices were affected by the faulty update. Despite this being only a fraction of a percent of all Windows machines, the impact, as you can see, was massive.
A lot of controversy has also emerged around this, with a well-known Google whistleblower claiming on X that the issue was a two-part time bomb that had been allowed to exist for a long time. We will explore this exciting theory in our next post, so stay tuned, and consider following.
Stay secure.
Until next time.