CrowdStrike Denial of Service Alert

On 19 Jul 2024, CrowdStrike Falcon Sensor caused crashes on Windows hosts. Windows hosts running on cloud such as Azure, AWS, etc. are also affected. The symptoms include hosts experiencing a bugcheck\blue screen error.

Threat actors has been observed taking advantage of this incident for phishing and other malicious activities, including the following:

• Sending phishing emails posing as CrowdStrike support to customers
• Impersonating CrowdStrike staff in phone calls
• Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
• Selling scripts purporting to automate recovery from the content update issue

HKCERT recommands that users ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support theams have provided.
 

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

If hosts are still crashing and unable to stay online to receive the Channel File Changes, please take the workaround in the “Solution” section

Note:

No patch is currently available for affected products.

[Updated on 2024-07-20] 

Updated Description, System / Technologies affected, Solutions and Related Links.

[Updated on 2024-07-21] 

Updated Solutions and Related Links.

Impact

• Denial of Service

System / Technologies affected

• CrowdStrike Falcon Sensor for Windows version 7.11 and above, that were online or downloaded the updated configuration between Friday, July 19, 2024 04:09 UTC to 05:27 UTC

Solutions

Before installation of the software, please visit the vendor web-site for more details.

Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.

Workaround Steps for individual hosts:

• Reboot the host to give it an opportunity to download the reverted channel file. 
• If the host crashes again, then:
  Note: Bitlocker-encrypted hosts may require a recovery key.
  • Boot Windows into Safe Mode or the Windows Recovery Environment
    • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
    • Windows Recovery defaults to X:\windows\system32
      • Navigate to the appropriate partition first (default is C:\), and navigate to the crowdstrike directory:
        • C:
        • cd windows\system32\drivers\crowdstrike
    • Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume
  • Locate the file matching “C-00000291*.sys”, and delete it.
    • Do not delete or change any other files or folders
  • Cold Boot the host
    • Shutdown the host
    • Start host from the off state

• Microsoft has released a USB tool to help IT Admins expedite the repair process. The signed Microsoft Recovery Tool can be found in the Microsoft Download Center. For further details, please visit:
  • https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959

For VM running on cloud platform, please apply workarounds issued by the vendor:

• Google Cloud Platform (GCP)
  • https://www.crowdstrike.com/wp-content/uploads/2024/07/Automated-Recovery-from-Blue-Screen-on-Windows-Instances-in-GCP.pdf
• Microsoft Azure
  • https://azure.status.microsoft/en-gb/status
• Amazon Web Services (AWS)
  • https://repost.aws/en/knowledge-center/ec2-instance-crowdstrike-agent

Notes: CrowdStrike will update the solution from time to time, for latest information, please refer to https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

Vulnerability Identifier

• No CVE information is available

Source

• https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/

Related Link

• https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
• https://www.crowdstrike.com/blog/technical-details-on-todays-outage/
• https://www.crowdstrike.com/blog/our-statement-on-todays-outage/
• https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
• https://azure.status.microsoft/en-gb/status
• https://health.aws.amazon.com/health/status
• https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959
• https://www.cisa.gov/news-events/alerts/2024/07/19/widespread-it-outage-due-crowdstrike-update