
CrowdStrike customers experienced a large-scale outage on Friday, July 19 due to an issue in a routine content update deployed overnight. The content update glitch has affected millions of Microsoft Windows systems, rendering them inoperable until a fix is executed manually on each system.

CrowdStrike continues to develop and refine technical remediation guidance, which is posted on their website. Our teams have studied this guidance, are currently working with several clients that utilize CrowdStrike software to remedy their specific situations and are prepared to assist others in their recovery efforts onsite or remotely as needed. 

Day Zero - Rapid Response Mobilization


Our experts continue to monitor the situation and have highlighted the following areas:

  • Cyber Threats

Despite the non-malicious nature of the outage, threat actors are attempting to exploit the situation. Kroll’s Threat Intelligence analysts have observed phishing and social engineering campaigns leveraging the disruption. Organizations should remain vigilant and consult their cybersecurity teams if they encounter suspicious activity.

  • Complexity and Mitigation

Software update failures are nothing new – they will happen. At the same time, our digitally interconnected world has increased the impact of such outages. Remote and distributed workforces exacerbate the challenge, especially when offline, hands-on intervention is needed to recover each affected system. Technical challenges to business operations may arise, requiring additional technical and cybersecurity expertise.

  • Business Continuity

Mass IT outages underscore the importance of having continuity plans. To navigate disruptions efficiently in the future, businesses can learn from this experience to enhance resilience in their operations. External review of existing business continuity plans is an important step and ensures alignment with evolving industry best practices and business needs, while limiting impact from future events.

  • Business Interruption

While it is too early to estimate the size of the disruption caused by this outage, it is already being compared to NotPetya, a global ransomware attack that took place in 2017 which caused billions in losses. Insurers are bracing for an influx of claims, but not all cyber or business interruption policies may cover an event like this. There could also be legal action as victims seek financial or other remuneration. Kroll experts can advise on options and potential courses of action for those impacted. It’s important to reach out to an expert as soon as possible to ensure the best outcome.

Potential For Weaponization

Kroll is aware of multiple domains being created shortly after the incident started, which purport to be related to CrowdStrike. Kroll knows that attackers frequently leverage large-scale events like this for phishing and scam activity. Organizations should instruct their staff to:

  • Watch for emails appearing to come from CrowdStrike that reference Security or Support or claim to be pushing a patch for download.
  • Double-check domains supposedly related to this outage, collecting donations or offering recovery patches for download. For example, on the morning of July 19 the domain “crowdstrike-bsod[.]com” displayed a message with news about the outage and included links to donate to a BTC wallet and PayPal address. At the time of reporting, that domain, hosted by Namecheap, had been taken down.
  • Be alert to callback phishing campaigns, in which threat actors craft a believable message purporting to be from CrowdStrike and socially engineer the victim into calling them back. Once the victim calls the number, they may be talked into installing remote management tools on their systems as a "fix" for this event.
  • Reinforce Help Desk authentication procedures, as fake calls impersonating legitimate employees may lead to password resets in relation to this incident.
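The four indicators above translate directly into detection logic. The script below is an added example, not part of Kroll's advisory and not CrowdStrike tooling: it scans constructed proxy and mail-gateway log lines for brand-invoking lookalike domains (including digit-for-letter substitutions), senders whose display name claims the vendor while the address does not belong to it, outage/patch lure wording, and phone numbers that suggest a callback lure. The log format, every domain except crowdstrike.com, the addresses and the phone number are all constructed for illustration; the `LEGITIMATE_DOMAINS` set is an assumption to be replaced with the vendor domains an organization actually trusts. Findings are reported defanged, as the advisory writes them.

```python
"""Added example (not Kroll's or CrowdStrike's code): flag outage-themed
lookalike domains and lure e-mails in proxy and mail-gateway logs.
Log format, phone number and every domain except crowdstrike.com are constructed."""
import re
from dataclasses import dataclass

BRAND = "crowdstrike"
LEGITIMATE_DOMAINS = {"crowdstrike.com"}   # assumption: the only vendor domain treated as genuine
LURE_TERMS = ("patch", "fix", "bsod", "outage", "donat", "recover", "support", "security")
# Digit-for-letter substitutions commonly used to dress up a brand name in a domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "|": "l"})
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
PROXY_RE = re.compile(r"\bproxy\b.*\bdst=(?P<dst>[A-Za-z0-9.-]+)")
MAIL_RE = re.compile(
    r'\bmail\b.*from="(?P<name>[^"<]*)<(?P<addr>[^>]+)>"\s+subject="(?P<subject>[^"]*)"'
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str      # defanged domain or address
    reasons: tuple


def defang(value: str) -> str:
    """Write domains the way the advisory does (crowdstrike-bsod[.]com) so they are not clickable."""
    return value.replace(".", "[.]")


def is_legitimate(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == g or d.endswith("." + g) for g in LEGITIMATE_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """True when the domain invokes the brand name but is not a legitimate vendor domain."""
    d = domain.lower().rstrip(".")
    if is_legitimate(d):
        return False
    squashed = d.translate(HOMOGLYPHS).replace("-", "").replace("_", "")
    return BRAND in squashed


def scan_line(line_no: int, line: str):
    """Return a Finding for one log line, or None if nothing looks suspicious."""
    m = PROXY_RE.search(line)
    if m:
        dst = m.group("dst")
        if is_lookalike(dst):
            return Finding(line_no, defang(dst), ("lookalike domain in web traffic",))
        return None
    m = MAIL_RE.search(line)
    if not m:
        return None
    name, addr, subject = m.group("name"), m.group("addr"), m.group("subject").lower()
    sender_domain = addr.rsplit("@", 1)[-1]
    reasons = []
    if BRAND in name.lower() and not is_legitimate(sender_domain):
        reasons.append("display name claims the vendor but sender domain is not the vendor's")
    if is_lookalike(sender_domain):
        reasons.append("lookalike sender domain")
    # Lure wording and phone numbers only count once the sender itself is suspect,
    # so genuine vendor or internal IT mail about the outage is not flagged.
    if reasons and any(term in subject for term in LURE_TERMS):
        reasons.append("outage/patch lure wording in subject")
    if reasons and PHONE_RE.search(subject):
        reasons.append("phone number in subject (possible callback phishing)")
    return Finding(line_no, defang(addr), tuple(reasons)) if reasons else None


def scan_log(text: str):
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        f = scan_line(n, line)
        if f:
            findings.append(f)
    return findings


# Constructed sample log: one line per event, mixing web-proxy and mail-gateway records.
SAMPLE_LOG = """\
2024-07-19T06:41:12Z proxy src=10.0.4.17 dst=falcon.crowdstrike.com url=/api/status
2024-07-19T07:02:55Z proxy src=10.0.4.31 dst=crowdstrike-bsod.com url=/donate
2024-07-19T07:15:09Z mail from="CrowdStrike Support <help@cr0wdstrike-fix.net>" subject="Hotfix patch for today's outage - download now"
2024-07-19T07:20:44Z mail from="IT Helpdesk <it@example.org>" subject="Outage update: no action required"
2024-07-19T07:33:18Z mail from="CrowdStrike Security <support@crowdstrike.com>" subject="Remediation steps for the content update"
2024-07-19T07:48:02Z mail from="CrowdStrike Recovery Team <desk@falcon-recovery-line.com>" subject="Call (555) 010-0199 so an engineer can apply the fix remotely"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.indicator}: {'; '.join(f.reasons)}")
```

Run against the sample, the script flags the donation domain, the homoglyph sender and the callback lure while leaving the genuine vendor subdomain, the real vendor address and the internal helpdesk notice alone. The lure-term and phone checks deliberately fire only after the sender is already suspect; on their own they would drown a SOC in legitimate outage chatter on a day like this.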

The UK National Cyber Security Centre also confirmed a rise in phishing based on the incident, reporting: “Note that an increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organisations and individuals.”

In any situation like this, the focus needs to be on quickly remedying the immediate impact and ensuring business operations continue. However, it’s also critical to be aware of emerging security threats and bad actors that will use this opportunity to introduce new scams and phishing schemes. Additionally, if there has been organizational impact, it’s critical to reach out to experts as early as possible to identify potential solutions that could help reduce downtime and mitigate the financial impact of an outage. Finally, conduct an external review of business continuity plans to ensure that they address evolving cybersecurity and technology challenges while aligning with individual business needs and risk tolerances.

Going Forward - Expert Support

Addressing the CrowdStrike Outage



Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber Threat Intelligence

Threat intelligence fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.


Enterprise Security Risk Management

Kroll’s Enterprise Security Risk Management practice provides expert guidance and advisory services to our global clientele as they navigate the most challenging and emerging security and threat-related issues.

Business Continuity, Resilience and Disaster Preparedness

In today’s fast-paced world, disruptions can happen anytime. Kroll’s full suite of business continuity, resiliency and disaster preparedness capabilities is designed to prepare your enterprise for unexpected risks and maintain competitiveness throughout the full lifecycle of any disruption.
