A suspected technical issue at cybersecurity vendor CrowdStrike is causing mass IT outages across the world, disrupting critical sectors such as airlines, banks, media and retailing.
The issue appears to concern an update to CrowdStrike’s security platform Falcon Sensor, which is impacting Microsoft Windows operating systems. Reports suggest the affected systems are struggling to boot correctly, causing a bluescreen error to appear.
In a statement on X (formerly Twitter) at 10.45am BST, CrowdStrike President and CEO George Kurtz said the firm was actively working with customers impacted by a defect found in a single content update for Windows hosts.
He emphasized the issue is not related to a cyber-incident, and has been identified, isolated and fixed.
"We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers," said Kurtz.
The Flacon Sensor is a single, lightweight sensor that is cloud-managed and delivered.
It is offered as a purpose-built solution that is used to prevent all types of cyber-attacks, including malware.
CrowdStrike literature explains that it blocks attacks on your systems while capturing and recording activity as it happens to detect threats fast.
Speaking to Infosecurity, Brian Honan, CEO of BH Consulting, said there appears to be two major issues impacting IT operations globally – the CrowdStrike fault and a separate Microsoft Azure outage in the US.
Both of these problems are impacting companies either directly through their own systems and applications being affected, or by organizations within their supply chain suffering outages as a result of one or both of these issues.
Big Brands Impacted by IT Outages
Microsoft users in Australia were the first to report outages on July 19, with well-known companies such as Woolworths, ANZ, Visa, Netflix and Vodafone, among many others, reportedly affected.
Courts around Australia were forced to close early due to their systems being completely shut down.
Australian National Cyber Security Coordinator Michelle McGuiness sent a post on X, stating the government were aware of the large-scale technical outage.
“Our current information is this outage relates to a technical issue with a third-party software platform employed by the affected companies,” she wrote.
McGuinness added: “There is no information to suggest it is a cyber security incident. We continue to engage across key stakeholders.”
Organizations in the US, UK, Germany, South America New Zealand and the UK have since reported outages. Planes from major airlines have been grounded because of the issue including American Airlines, Delta Airlines and United Airlines.
UK rail operator Thameslink also said it is experiencing widespread IT issues across its entire network, leading to potential short-notice cancellations.
Media broadcaster Sky News was reportedly unable to broadcast and is now showing pre-recorded content.
Workarounds to the CrowdStrike Issue
CrowdStrike’ Director of Threat Hunting Brody Nisbet described the problem as a “faulty channel file” in a post on X, and offered a workaround users could put in place.
There is a faulty channel file, so not quite an update.
— Brody (@brody_n77) July 19, 2024
There is a workaround...
1. Boot Windows into Safe Mode or WRE.
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Locate and delete file matching "C-00000291*.sys"
4. Boot normally.
1/2
Brody acknowledged that this workaround won’t help everyone.
Tom Kidwell, Co-founder, Ecliptic Dynamics and former British Army and UK Government intelligence specialist, commented: “Due to the nature of the update, an individual from every organisation will need to boot into safemode, remove the issue file/driver, and then either roll back or update to a new version, something CrowdStrike will need to release very quickly.”
CrowdStrike’s current official advice to customers appears to be to take no further action, but to monitor updates until a resolution is found.
Ajay Unni, CEO of Stickman Cyber, said initial analysis suggests that customers running versions 7.15 and 7.16 are affected by the outage, but those running v7.17 are not impacted.
“We are waiting on official advisory from CrowdStrike on these findings but doing our best to help affected customers. It’s a lesson to always update your software, but obviously this is an extreme example,” Unni commented.
Outages Highlight Need for IT Resilience
Honan noted that the incident highlights the huge reliance on third-party IT providers in today’s modern business world, underscoring the need for organizations to have in-built resiliency when such systems fail.
“Companies need to ensure they have appropriate business continuity management/cyber resilience plans in place so that they can continue to provide their services to their clients. It also highlights that those business continuity management/cyber resilience plans need to extend to outages and impacts in your supply chain,” he explained.
Honan added that the incident demonstrates the importance of upcoming EU regulations such as NIS2 and the Digital Operational Resilience Act (DORA), which will impose requirements on organizations to manage their resilience in the event of outages.
Updated at 11:00 with comments from Crowdstrike president and CEO