
Jul 2024

Cyber report spotlight: CrowdStrike update causes worldwide outages

A CrowdStrike update on 19th July caused major disruption to Windows devices across the world, with airplanes grounded and critical services unavailable.


What happened

The update involved was a sensor configuration update for Windows systems running CrowdStrike Falcon. These sensor updates are regularly released and applied by CrowdStrike to ensure that it can detect the latest threats.

However, instead of being a routine update, it triggered an error on all Windows endpoints and servers running the software, which led to a system crash and blue screen of death (BSOD) that prevented access to the system.

Microsoft have stated that approximately 8.5 million Windows devices were impacted, a fraction of the total number in use globally. However, since CrowdStrike is a popular choice of security tooling for large organisations running critical services, the impact was significant. The aviation sector was hit hard, with airlines across the world forced to ground flights; the NHS in the UK was also affected, with many appointments delayed and some doctors' surgeries forced to close.

While a fix was identified relatively quickly, the impacted devices could not boot, so manual intervention was required on each one. The recovery process, although simple, is therefore incredibly time consuming, and for some organisations it stretched into the week following the incident.

In addition, following the incident, threat actors have started to take advantage of the situation, launching phishing campaigns targeting impacted organisations that are trying to recover. Since Friday, dozens of malicious domains related to CrowdStrike have been registered, and campaigns are already being observed in the wild.

Waterstons will monitor this incident as it continues to unfold and provide any relevant updates in future editions of the threat report.

What should organisations do to avoid this in the future?

  • Review CrowdStrike's remediation hub on their website for any further updates - Falcon Content Update Remediation and Guidance Hub | CrowdStrike.

  • Organisations impacted by the incident should ensure employees are aware of the increased risk of phishing associated with the incident.

  • Review their business continuity plans to ensure critical services can be recovered in the event of their loss. This should include multiple, regularly tested backups, following the NCSC's 3-2-1 backup guidance - Offline backups in an online world - NCSC.GOV.UK.

  • Consider their disaster recovery plans and whether they have suitable on-site IT support to carry out manual recovery of devices in the event of a similar incident.

To make sure you stay informed on all the latest cyber security news, sign up to our cyber report where we discuss all the latest news and give you insights into the best practises for protecting your data. 

Sign up here!