CrowdStrike – A Reinforcement of Third Party/Supply Chain Risk

Overview and Recap

An update to CrowdStrike Falcon (cyber security software designed to monitor and protect computers), which in many cases was deployed automatically, caused Microsoft Windows computers to crash with a so-called "Blue Screen of Death". The issue was not a malicious cyberattack; it stemmed from a defect in a content update that CrowdStrike pushed out to its customers running Microsoft Windows.

The problem was particularly acute because, given the way the computers were impacted, they were rendered completely inoperable. Manual intervention (and in some cases physical attendance) has been required in many instances to fix each affected device, whether an employee laptop, server, cash point, ePOS (electronic point of sale) device, or similar. CrowdStrike continues to maintain a list of remediation guidance and resources for impacted teams and environments. Disruption for some has been significant.

According to Microsoft telemetry, CrowdStrike's update boot-looped roughly 8,500,000 computers across the globe, including systems regarded as critical infrastructure. From an Australian perspective, Australian Chamber of Commerce and Industry CEO Andrew McKellar said on 22 July 2024 that it was clear a wide range of businesses had suffered significant productivity losses and missed sales. He further said the wide-ranging impact of a single error from a global software company showed the "unfortunate reality of working in a very connected economy".

Federal Home Affairs Minister Clare O'Neil provided a number of updates on Saturday 20 July 2024, resulting from meetings via the national coordination mechanism, with involvement from CrowdStrike, whose software caused the issue. O'Neil said that there had "been a huge amount of work over this weekend to get the [Australian] economy back up and running" after cascading impacts observed in sectors from government and finance to transportation and retail. "However, it will take time until all affected sectors are completely back online," O'Neil said in a series of threaded posts on X on Saturday 20 July 2024. "In some cases, we may see teething issues for one or two weeks."

Cyber Vigilance

Organisations have reported phishing emails, text messages, and phone calls pretending to be CrowdStrike support staff and selling software tools that claim to automate the process of recovering from the failed update. Some threat actors have also posed as researchers, claiming to have "special information" vital to recovery.

No one from CrowdStrike or Microsoft will directly contact your client regarding support. If your client receives a call, email, or text claiming to be from one of these companies, it is likely a scam.

Within hours of Friday's event, a trove of new domains started popping up online. The one common factor? The name CrowdStrike. Many of these websites appear to promise help. Names include:
• crowdstriketoken.com
• crowdstrikedown.site
• crowdstrikefix.com
• fix-crowdstrike-bsod.com

The new domains are poised to encourage people desperate to get their systems back up and running to click on malicious links. While attempts to set up phishing sites in the wake of a big event are nothing new, the scale of Friday's outages means that there is a very wide field of potential victims. On 19 July 2024, the US Cybersecurity and Infrastructure Security Agency said it had already observed threat actors taking advantage of this incident for phishing and other malicious activity, and urged people to avoid clicking suspicious links.
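The domains above share one trait a defender can key on: they carry the vendor's name but are not under the vendor's own domain. As an added example (not part of the original article, and not CrowdStrike's or anyone's official tooling), the script below scans constructed DNS-resolver log lines for such lookalike queries. It assumes `crowdstrike.com` is the only legitimate domain and uses a simplified "last two labels" registrable-domain rule; it also covers a case the article does not list, the brand name used as a subdomain of an attacker-controlled domain.

```python
import re

# Assumption: the vendor's legitimate domain; anything else carrying the
# brand name is treated as a lookalike worth reviewing.
OFFICIAL_DOMAINS = {"crowdstrike.com"}

# Constructed sample resolver log lines (not real telemetry). The lookalike
# names are taken from the article; the .test domain is a placeholder.
SAMPLE_DNS_LOG = """\
2024-07-19T14:02:11Z client=10.1.4.22 query=falcon.crowdstrike.com type=A
2024-07-19T14:05:43Z client=10.1.4.37 query=crowdstrikefix.com type=A
2024-07-19T14:06:02Z client=10.1.4.37 query=www.fix-crowdstrike-bsod.com type=A
2024-07-19T14:07:19Z client=10.1.4.51 query=update.microsoft.com type=A
2024-07-19T14:09:55Z client=10.1.4.60 query=crowdstrike.com.evil-example.test type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")


def registrable_domain(qname: str) -> str:
    """Simplified registrable domain: last two labels. Production code
    should consult the Public Suffix List (e.g. for co.uk-style suffixes)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_official(qname: str) -> bool:
    """True only if the name is an official domain or a subdomain of one.
    A suffix check ensures 'crowdstrike.com.<attacker>' does not pass."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in OFFICIAL_DOMAINS)


def mentions_brand(qname: str) -> bool:
    # Drop hyphens so 'fix-crowdstrike-bsod' and 'crowd-strike' both match.
    return "crowdstrike" in qname.lower().replace("-", "")


def find_lookalike_queries(log_text: str) -> list:
    """Return the queries that name the brand but resolve outside it."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if mentions_brand(qname) and not is_official(qname):
            hits.append({"client": m.group("client"), "qname": qname,
                         "registrable": registrable_domain(qname)})
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_queries(SAMPLE_DNS_LOG):
        print(f"REVIEW {hit['client']} -> {hit['qname']} (reg: {hit['registrable']})")
```

The same rule can be fed from a proxy or firewall log instead of a resolver log; only the line regex changes.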

George Kurtz, CEO of CrowdStrike, warned affected customers in a post on X on 20 July 2024 to "ensure they're communicating with CrowdStrike representatives through official channels," adding that his team was fully mobilised to ensure the security and stability of their customers. It is wise to be cautious of social engineering attempts in which individuals impersonate the IT Helpdesk to target employees, or impersonate employees to the IT Helpdesk in order to gain access. It is prudent to remind employees to stay vigilant against such attempts. Organisations should monitor and mitigate as needed, and should follow a strict identity-validation process for calls into their IT Helpdesk, especially those relating to password resets and access requests.

Conclusion

This event speaks to the risk of reliance on critical vendors and third parties.

Outsourcing services or products is beneficial, and an undeniably essential part of doing business in the modern economy, but it carries risk. Unlike the services rendered, the risk and liability cannot be outsourced.

If a third party fails to deliver or suffers a breach, the organisation that uses the vendor will face the consequences. The impact can be fiscally, operationally, reputationally, and contractually significant. Data shared with external parties (suppliers, vendors, contractors, or service providers) can be exposed.

Fundamentally, third-party/vendor risk management is a program, not a project. It is an ongoing and constantly evolving area of risk, and it must be addressed that way.

Author: Mark L