Global IT Outages Causing Significant Disruption to Multiple Industries
Key Findings: Global IT Outages Causing Significant Disruption
- On July 18, 2024, a global Information Technology (IT) outage caused significant disruption to industries around the world, with thousands of Windows workstations and servers displaying a fatal system error message commonly referred to as the “blue screen of death.”
- The incident reportedly impacts Windows hosts that have installed CrowdStrike’s Falcon Sensor service; it does not affect all Windows devices.
- At the time of writing, the cause of the outage is not being treated as a cyberattack and is instead most likely to be a faulty or incorrectly deployed security update or a faulty channel file.
- The outage is known to have affected Windows devices across the world, with a significant impact across multiple industries, including, but not limited to, Energy, Finance, Healthcare, Media, Retail, and Travel.
- The current workaround provided by the vendor requires a physical presence at each device and almost certainly cannot be deployed remotely.
Details: Thousands of Windows Workstations and Servers Displaying a Fatal System Error
On July 18, 2024, a global IT outage caused significant disruption to industries around the world, with thousands of Windows workstations and servers displaying a fatal system error message commonly referred to as the “blue screen of death.” The incident is reportedly impacting Windows hosts that have installed CrowdStrike’s Endpoint Detection and Response (EDR) Falcon Sensor service; the incident does not affect all Windows devices. At the time of writing, the cause of the outage is not being treated as a cyberattack and is instead most likely to be a faulty or incorrectly deployed security update or a faulty channel file.
- Falcon is a widely deployed, high-privilege security tool used to monitor and detect system intrusions and take action to mitigate these threats.
- It is designed to have extensive access control capabilities on the devices it is installed upon.
- Reporting indicates that the error message is displayed upon booting the device.
This is an ongoing incident, and the scale of the impact is still being assessed. The outage is known to have affected Windows devices across the world, including—but not limited to—North America, Europe, and the Asia-Pacific region. Just some of the affected industries include:
- Finance – Widespread disruption to financial and banking services, as well as global stock markets.
- Healthcare – Significant impact on healthcare services and hospitals.
- Travel – Significant delays and suspension of services for trains and flights, including the closure of airports, citing communication issues.
- Media – Television networks temporarily stopped broadcasting. While service has been resumed, some are operating without broadcasting graphics.
- Retail – Disruption to payment systems.
- Energy – Disruption to energy and gas trading markets, significantly restricting the ability to buy and sell power.
At the time of writing, the workaround provided by the vendor requires a physical presence at each device and almost certainly cannot be deployed remotely. On July 19, 2024, CrowdStrike issued an advisory acknowledging the incident, stating that it is working on resolving the issue and providing a workaround for some affected devices. While the advisory was published behind a customer login page, it has since been posted widely in open sources. Users are advised to:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
- Locate the file matching "C-00000291*.sys" and delete it.
- Boot the host normally.
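The four manual steps above, written up here as an added PowerShell script (not from the advisory and not CrowdStrike's own tooling) for an administrator working through many hosts by hand. It assumes PowerShell is available in Safe Mode or the Windows Recovery Environment, enumerates every mounted volume because in the recovery environment the OS volume is often not mounted as C:, and supports -WhatIf so the matching files can be listed before anything is deleted.

```powershell
# Added example, not vendor code: remove the channel file named in the vendor
# workaround ("C-00000291*.sys" under Windows\System32\drivers\CrowdStrike)
# from every Windows volume visible to this session. Run from an elevated
# prompt in Safe Mode or WinRE. Assumption: PowerShell is present there.
# Run first with -WhatIf to see what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Pattern and directory exactly as stated in the vendor workaround.
$Pattern     = 'C-00000291*.sys'
$RelativeDir = 'Windows\System32\drivers\CrowdStrike'

$removed = @()
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $dir = Join-Path $drive.Root $RelativeDir
    # Skip volumes that are not a Windows installation with Falcon on it.
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    $files = Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Host "No file matching $Pattern in $dir"
        continue
    }
    foreach ($f in $files) {
        # Record the hash so the removal is documented for the incident log.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if ($PSCmdlet.ShouldProcess($f.FullName, "Remove channel file (SHA256 $hash)")) {
            Remove-Item -LiteralPath $f.FullName -Force
            $removed += $f.FullName
        }
    }
}

Write-Host "Removed $($removed.Count) file(s):"
$removed | ForEach-Object { Write-Host "  $_" }
```

Because script execution is usually restricted in these environments, invoke it as `powershell.exe -ExecutionPolicy Bypass -File .\remove-channel-file.ps1 -WhatIf` (the script name is an assumption), then rerun without -WhatIf and reboot the host normally.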
Currently, there is no workaround that can be deployed centrally, as the issue occurs upon booting the device and before the operating system has loaded. This will likely leave many organizations that remotely manage the hundreds—and even thousands—of Windows devices within their infrastructure without a remote, operational solution. Additionally, the aforementioned workaround likely needs to be deployed on all devices before security teams are able to implement any forthcoming security updates issued by the vendor.
While threat actor communities continue to discuss the ongoing incident, ZeroFox has identified no evidence of cyber threat actors claiming credit for the outage. However, ZeroFox notes that threat actors may seek to exploit the ongoing outages, including by:
- Taking advantage of stretched security teams and infrastructure to carry out attacks that, under normal conditions, would quickly draw attention and be identified.
- Leveraging the outage as a lure in social engineering attacks.
- Targeting high-profile victims that choose to remove their EDR suite in response to the outage, thereby leaving them vulnerable.
ZeroFox Intelligence Recommendations
- Where possible, deploy the vendor’s recommended workarounds outlined in this report.
- Monitor for further workarounds and updates published by the vendor.
- Affected users should contact CrowdStrike through official channels.