CrowdStrike Denial of Service Alert

On 19 Jul 2024, CrowdStrike Falcon Sensor caused crashes on Windows hosts. Windows hosts running on cloud such as Azure, AWS, etc. are also affected. The symptoms include hosts experiencing a bugcheck\blue screen error.

 

Threat actors has been observed taking advantage of this incident for phishing and other malicious activities, including the following:

  • Sending phishing emails posing as CrowdStrike support to customers
  • Impersonating CrowdStrike staff in phone calls
  • Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
  • Selling scripts purporting to automate recovery from the content update issue

HKCERT recommands that users ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support theams have provided.
 

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

 

If hosts are still crashing and unable to stay online to receive the Channel File Changes, please take the workaround in the “Solution” section

 

Note:

No patch is currently available for affected products.

 

[Updated on 2024-07-20] 

Updated Description, System / Technologies affected, Solutions and Related Links.

RISK: High Risk

TYPE: Operating Systems – Networks OS

TYPE: Networks OS

Impact

  • Denial of Service

System / Technologies affected

  • CrowdStrike Falcon Sensor for Windows version 7.11 and above, that were online or downloaded the updated configuration between Friday, July 19, 2024 04:09 UTC to 05:27 UTC


Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.

 

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file. 
  • If the host crashes again, then:
    Note: Bitlocker-encrypted hosts may require a recovery key.
    • Boot Windows into Safe Mode or the Windows Recovery Environment
      • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
      • Windows Recovery defaults to X:\windows\system32
        • Navigate to the appropriate partition first (default is C:\), and navigate to the crowdstrike directory:
          • C:
          • cd windows\system32\drivers\crowdstrike
      • Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume
    • Locate the file matching “C-00000291*.sys”, and delete it.
      • Do not delete or change any other files or folders
    • Cold Boot the host
      • Shutdown the host
      • Start host from the off state

For VM running on cloud platform, please apply workarounds issued by the vendor:

 

 

Notes: CrowdStrike will update the solution from time to time, for latest information, please refer to https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/


Vulnerability Identifier

  • No CVE information is available

Source


Related Link

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.