On July 19th, 2024, as a routine part of its operations, CrowdStrike pushed an update to the content configuration of its Windows sensor to collect telemetry on potential new attack methods. The sensor receives such updates regularly, sometimes several times per day, so the push was not considered out of the ordinary. However, this update was flawed and triggered a “Blue Screen of Death” (BSOD) on millions of machines, producing what may be one of the largest IT outages in history.
Its global consequences were immense, going well beyond blocked access to Microsoft services: numerous flights were delayed or cancelled, payment systems were blocked, and governmental, emergency, and health services crashed. Many organizations suffered significant financial losses, estimated globally at over US$10 billion, and CrowdStrike now faces multiple lawsuits. As if that were not enough, the Handala Hacking Team exploited the incident roughly two weeks after it occurred.
Let’s look deeper into what happened.
Examining the root cause of the outage
Although the outage affected Microsoft Windows, it was not directly an issue with Microsoft’s system. The outage was caused by an update to CrowdStrike Falcon that triggered the “Blue Screen of Death” (BSOD) in Microsoft Windows. CrowdStrike Falcon provides endpoint protection, threat detection, and response capabilities backed by machine learning and AI, and it is deployed at scale by organizations of many sizes, across industries and continents. The sensor’s configuration updates are processed at the kernel level, the core of the operating system, which is why the flawed update crashed the whole machine rather than affecting only CrowdStrike’s own software.
Many call it the “Channel File 291” incident, because the update consisted of a channel file intended to update a section of behavioral protections; in this specific case, it was meant to improve the evaluation of named pipe execution on Microsoft Windows. However, the Channel File 291 update introduced a logic error, leading to possibly the largest outage in recent technology history. Interestingly, the flaw was not present in all versions of Channel File 291, only in those with a specific timestamp (2024-07-19 04:09 UTC). Versions timestamped 2024-07-19 05:27 UTC or later did not contain the flaw, as by then CrowdStrike had caught the bug and reverted the change.
Despite the swift response, the initial estimate of affected systems reached 8.5 million, less than 1% of the overall Windows installed base. More recently, however, Microsoft shared that the 8.5 million figure counted only devices that sent crash reports to the company. Microsoft did not publish how many other devices were affected, but since 8.5 million was only a subset, the total impacted population is believed to be massive.
The aftermath for CrowdStrike
Although CrowdStrike quickly deployed a fix for the flaw, the consequences for many organizations were disastrous because recovery was time-consuming: the Blue Screen of Death (BSOD), a critical error screen, interrupted all operations. Each affected system had to be rebooted manually into the Windows Recovery Environment or Safe Mode so that the flawed Channel File 291 could be deleted. Only then could normal operations be restored. Given the number of machines any company operates, the process took hours, and longer still where physical access to the affected machine was required.
Organizations across numerous industries struggled to bounce back. One of the most extreme cases is Delta Air Lines: more than 37 thousand Delta computers were affected, disrupting the journeys of over 1.3 million people. A week after the outage, Delta was still dealing with the aftermath, having cancelled thousands of flights and estimated its losses at over US$500 million, with more than 175 thousand refund or reimbursement requests. Unsurprisingly, CrowdStrike is facing a potential lawsuit from Delta.
Healthcare also took a big hit. Many hospitals in North America paused non-urgent visits, while the British NHS (National Health Service) admitted it could not access medical records or prescriptions, temporarily paralyzing GP practices. Similar problems were experienced worldwide, forcing many institutions to activate their emergency IT plans, often putting people’s health at risk. Very few industries were left untouched: media, retail, banking, and ground, air, and water transport were all hit, with disruption ranging from moderate to a complete standstill.
CrowdStrike prides itself on protecting over 75% of the Fortune 500 companies. Well, the losses of those companies are now estimated at US$5.4 billion. The outage caused CrowdStrike’s share price to drop by almost 25%, wiping more than US$20 billion off the company’s valuation. The outage starkly highlighted how heavily we rely on technology, the risks that come with it, and how little it takes to paralyze the whole world.
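As an added example (not from the original article and not CrowdStrike’s own tooling), the PowerShell function below triages the Channel File 291 copies on a machine using the timestamp windows the article describes. It assumes the channel-file directory `C:\Windows\System32\drivers\CrowdStrike` and filename pattern `C-00000291*.sys` from CrowdStrike’s published remediation guidance, and that the file’s last-write time (UTC) is the timestamp being compared.

```powershell
function Get-ChannelFile291Status {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Directory named in CrowdStrike's remediation guidance. Assumption: the affected
        # Windows volume is C:; from WinRE pass the offline volume's path instead.
        [string]$Directory = 'C:\Windows\System32\drivers\CrowdStrike',
        # Timestamp windows from the article: 04:09 UTC builds were flawed,
        # 05:27 UTC or later builds were the reverted (good) versions.
        [datetime]$FlawedBuild   = [datetime]::new(2024, 7, 19, 4,  9, 0, [DateTimeKind]::Utc),
        [datetime]$RevertedBuild = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc),
        # Nothing is deleted unless -Remove is given; -WhatIf previews the deletion.
        [switch]$Remove
    )

    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "Channel file directory not found: $Directory"
        return
    }

    foreach ($file in Get-ChildItem -LiteralPath $Directory -Filter 'C-00000291*.sys' -File) {
        $ts = $file.LastWriteTimeUtc
        # Classify by the article's windows: flawed only inside [04:09, 05:27).
        $status = if ($ts -ge $RevertedBuild)    { 'reverted' }
                  elseif ($ts -ge $FlawedBuild)  { 'flawed' }
                  else                           { 'pre-incident' }

        $action = 'left in place'
        # Only the flawed version is ever removed, and only with explicit consent.
        if ($Remove -and $status -eq 'flawed' -and
            $PSCmdlet.ShouldProcess($file.FullName, 'Remove flawed Channel File 291')) {
            Remove-Item -LiteralPath $file.FullName -Force
            $action = 'removed'
        }

        [pscustomobject]@{
            File         = $file.Name
            TimestampUtc = $ts
            Status       = $status
            Action       = $action
        }
    }
}

# Report only (safe default); add -Remove -WhatIf to preview the remediation step.
Get-ChannelFile291Status | Format-Table -AutoSize
```

Run it from Safe Mode or WinRE with the affected volume’s driver directory in `-Directory`; review the report before adding `-Remove`.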
Looking forward
Although no cyberattack caused the outage, threat actors exploited the situation regardless. Soon after the outage, cybercriminals such as the Handala Hacking Team began posing as CrowdStrike employees, making phone calls and sending phishing emails that claimed to come from CrowdStrike support. CISA advises organizations to remain diligent and follow instructions from legitimate sources only. Enhanced employee cybersecurity training and multi-factor authentication also help significantly.
Finally, after all these disruptions, a vulnerability was discovered in the Windows operating system with similar effects. This vulnerability, assigned CVE-2024-6768, can trigger the infamous “Blue Screen of Death.” The flaw resides in the Common Log File System (CLFS) driver and affects all Windows 10 and 11 versions. Successful exploitation allows a low-privileged authenticated attacker to perform a denial-of-service attack on the affected system. No active exploitation has been observed so far, but a proof of concept (PoC) exists. The vulnerability is not rated critical, but successful exploitation would have a substantial impact, with consequences similar to those observed on July 19th, 2024. Microsoft has not yet released a patch for the vulnerability.