CrowdStrike's Blue Screens of Death
Eric O'Neill
Keynote Speaker, Cybersecurity Expert, Spy Hunter, Bestselling Author, Attorney
This morning, a friend sent me a frantic text message:
"My whole team is offline due to a major outage. It seems to be affecting all Crowdstrike systems."
He runs a financial services firm, and the sight of the "Blue Screen of Death" on every employee's computer has plunged his company into chaos.
Another friend called me in a panic, wondering if the Russians, Chinese, or Iranians were behind it.
It's none of the above, but the world woke up to chaos today. Windows computers (Linux and Mac are unaffected) running CrowdStrike's Falcon sensor, typically known for its top-notch endpoint detection and response (EDR), were caught in a boot loop, rendering them unable to start Windows. In our technology-dependent society, no computers means no work.
According to CrowdStrike, they monitor over 30 billion endpoint events daily from millions of sensors in 176 countries. Many organizations using CrowdStrike's Falcon sensor on Windows machines were potentially affected by a bug in an update. This incident isn't a supply chain attack like the one on Kaseya or a nation-state operation like the SolarWinds breach; rather, it exposes vulnerabilities in our digital critical infrastructure.
The outage has had widespread impact on airports, businesses of all kinds, broadcast media, and firms like my friend's financial services company. Flights are grounded, trains delayed, and people are resorting to paper boarding passes. United, Delta, and American Airlines have issued a global ground stop.
CrowdStrike promptly assessed the issue, identifying a flaw in an update that was causing Windows systems to crash, and has since deployed a fix.
CEO George Kurtz reassured the public: "CrowdStrike is actively assisting impacted customers due to a defect found in a single content update for Windows hosts. Mac and Linux hosts are unaffected. This is not a security incident or cyberattack," he clarified, noting that the problem has been isolated and addressed.
But can everyone affected simply download and apply the patch? Unfortunately, no. The reboot loop prevents Windows users from accessing their systems at all, complicating the fix process. IT professionals now face the arduous task of manually repairing each affected computer, akin to recovering from a ransomware attack. This will take time. A lot of it. In fact, so much so that many organizations are deciding whether to restore from backup, the way an organization might seek to escape a ransomware attack.
For those somewhat tech-savvy, the solution is relatively straightforward:
Despite this incident, CrowdStrike remains an outstanding company known for its research, defense against, and response to cyber threats. While they will undoubtedly face scrutiny for the faulty update, it's crucial to remember that endpoint detection and response sensors like CrowdStrike's Falcon are vital safeguards against cyberattacks. As this situation unfolds, lessons will be learned that will enhance cybersecurity deployment worldwide.
In the meantime, best of luck rebooting your Windows machine! As for me, I'm sticking with my Mac.
#Cybersecurity #CrowdStrike #EndpointSecurity #ITSecurity #CyberIncident #TechOutage #WindowsBug #CyberDefense #DigitalInfrastructure #ITManagement #CyberAware #DataProtection #TechIssues #CyberResilience #SecurityPatch
Tech Lawyer Experienced in People Management, Leadership, Antitrust, Marketing, Commercial Contracting, Compliance, and Litigation
8 months
Great post, thanks Eric! Heart goes out to all the stranded travelers and everyone else seriously impacted. Also to the good folks at CrowdStrike and MSFT handling damage control. I know what it is like having lived through Spectre/Meltdown at Intel. Relieved that it wasn't an attack!