Microsoft says the faulty update CrowdStrike released late last week for its Falcon security software has impacted 8.5 million Windows computers worldwide. The malfunction, which led to widespread Blue Screens of Death (BSOD), has disrupted various sectors, from airlines to healthcare.
The incident began on July 18, 2024, when CrowdStrike released a defective content update for its Falcon endpoint detection and response (EDR) software. This update, specifically affecting Windows hosts, caused devices to crash globally, sparking operational halts in businesses and critical services.
CrowdStrike's CEO, George Kurtz, quickly acknowledged the issue, confirming that it was not a security breach but a technical fault. The company worked rapidly to isolate and fix the update, advising customers to follow specific remediation steps through their support portal.
8.5 million systems BSODed
Microsoft, heavily impacted by the outage due to its integration with CrowdStrike, reported that the faulty update affected 8.5 million Windows devices. The company deployed hundreds of engineers to restore services and provided detailed recovery steps. Two primary recovery options were made available: recovering from Windows Preinstallation Environment (WinPE) and recovering from Safe Mode, both accessible through the Microsoft Download Center.
Additionally, a new recovery tool was released, offering automated solutions to expedite the repair process. The tool offers two primary repair options:
- Recover from WinPE: This option creates boot media that facilitates direct system repair. It is recommended for its efficiency and because it does not require local admin privileges. However, users may need to input the BitLocker recovery key if BitLocker is enabled on their devices.
- Recover from Safe Mode: This option also produces boot media, allowing devices to boot into Safe Mode. Users can then log in with local admin privileges to run the remediation steps. This method is useful for devices with TPM-only protectors or situations where the BitLocker recovery key is unknown.
The recovery tool supports a variety of environments, including Windows clients, servers, and Hyper-V virtual machines.
Cybercriminals see opportunity
Amidst the ongoing recovery efforts, CrowdStrike's intelligence team has observed cybercriminals exploiting the situation. Threat actors are distributing a malicious ZIP archive named “crowdstrike-hotfix.zip,” which contains a payload designed to compromise systems further.
The malicious campaign, primarily targeting Latin American (LATAM) customers, uses Spanish filenames and instructions within the ZIP archive to deceive users into believing it is a legitimate fix for the CrowdStrike issue. When executed, the payload initiates a multi-stage attack, ultimately deploying the RemCos remote access trojan (RAT).
Key indicators of compromise (IOCs) include the ZIP file ‘crowdstrike-hotfix.zip,’ the malicious executable ‘Setup.exe,’ and traffic from the C2 server at 213.5.130.58:443.
CrowdStrike has emphasized the importance of ensuring communications are through official channels and adhering strictly to the technical guidance provided
Leave a Reply