On Friday, July 19, 2024, the world experienced a significant IT disruption linked to a botched software update from CrowdStrike, a leading cybersecurity firm. The incident affected numerous organizations globally, with the travel industry being one of the most impacted sectors.
What Happened?
The disruption began early Friday morning in Australia and rapidly spread across Asia, Europe, and the Americas. It was initially taken for a Microsoft problem because the symptom was the familiar blue screen of death on Windows PCs, but it was soon traced to a faulty channel file (a content update) consumed by CrowdStrike’s Falcon sensor. The sensor’s kernel-mode driver crashed while loading the file, and because that driver loads early in the boot sequence, the crash recurred on every restart, leaving affected Windows devices in a boot loop rather than reaching a stable desktop.
What Does CrowdStrike Do?
CrowdStrike is renowned in the cybersecurity industry, providing advanced cloud-native platforms to protect critical areas of risk, including endpoints, cloud workloads, identity, and data. Established in 2011 and headquartered in Texas, CrowdStrike employs over 8,000 people and generates around $3 billion in annual revenue. The firm is also known for its contributions to major cybersecurity incident investigations, including the Sony Pictures hack and the WannaCry crisis.
The Impact of the Outage
Organizations across various sectors were affected, including airlines, airports, financial institutions, healthcare facilities, media companies, retailers, and sporting bodies. Notable entities impacted include American Airlines, Delta, the London Stock Exchange, and several Formula 1 teams.
CrowdStrike’s Response
CrowdStrike CEO George Kurtz confirmed that the issue was due to a defect in a single content update for Windows hosts, with Mac and Linux hosts remaining unaffected. The defect was identified and isolated, and a fix was deployed. CrowdStrike has advised customers to communicate through official channels for continuous updates.
Is There a Cybersecurity Threat?
The outage itself was not a cyberattack, but threat actors routinely exploit high-profile disruptions. Security and IT leaders are urged to warn users about phishing and social engineering attempts that reference the incident, for example messages impersonating CrowdStrike or Microsoft support, or offers of a “fix” tool or script from an unofficial source.
Mitigation Steps
CrowdStrike has rolled back the problematic update, so hosts that were still online, or that managed to stay up long enough to reach the cloud, received the corrected content automatically. Hosts stuck in the boot loop cannot do that and require manual intervention. System administrators are advised to:
- Boot Windows into safe mode or the Windows Recovery Environment (WinRE). If the system drive is protected by BitLocker, the volume must be unlocked with its recovery key first, so have the keys to hand before starting.
- Navigate to C:\Windows\System32\drivers\CrowdStrike (the Windows volume may carry a different drive letter inside WinRE) and delete the file matching “C-00000291*.sys”.
- Reboot normally.
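The following PowerShell script is an added example of the three steps above, written for this page and not CrowdStrike’s own tooling. It takes the Windows volume letter as a parameter (in WinRE the volume is often not C:), reports every matching file before touching it, and deletes only when -Delete is supplied. The directory path and file pattern are the ones quoted above; the parameter names are this example’s own.

```powershell
<#
Added example (not CrowdStrike's official remediation script).
Locate the faulty Channel File 291 on a Windows volume from Safe Mode
or a WinRE image that includes PowerShell, show what would be removed,
and remove it only when -Delete is given.
Assumptions: the volume letter is supplied by the operator, and the
path and file pattern are those from the published workaround.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$SystemDrive,   # 'C:' in Safe Mode; often 'D:' or 'E:' inside WinRE
    [switch]$Delete         # without -Delete the script only reports
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291*.sys'

if (-not (Test-Path -LiteralPath $driverDir)) {
    # Either the wrong volume was passed, the sensor is not installed,
    # or the drive is still BitLocker-locked (unlock it with manage-bde first).
    Write-Error "Directory not found: $driverDir. Check the drive letter and that the volume is unlocked."
    exit 1
}

# Only files directly in the CrowdStrike driver folder; no recursion, no wildcards in the path.
$found = Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File -ErrorAction Stop

if (-not $found) {
    Write-Host "No file matching $pattern in $driverDir; nothing to do."
    exit 0
}

foreach ($file in $found) {
    # Record name, size and timestamp before acting so the change is auditable.
    Write-Host ("Found {0}  size={1} bytes  lastWriteUtc={2:u}" -f $file.Name, $file.Length, $file.LastWriteTimeUtc)
    if ($Delete) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "Deleted $($file.FullName)"
    }
}

if (-not $Delete) {
    Write-Host "Dry run only. Re-run with -Delete to remove the file(s) above, then reboot normally."
}
```

Run it once without -Delete to confirm the drive letter and the exact file(s), then again with -Delete and reboot. From a plain WinRE command prompt that lacks PowerShell, the equivalent is a `dir` followed by a `del` on the same path and pattern.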
Preventing Future Incidents
To reduce the blast radius of similar failures, organizations should insist on phased (ring-based) rollouts and test updates in a representative sandbox before broad deployment. Note the limitation in this case: the faulty file was a content update that the Falcon sensor receives independently of the sensor-version update policy, so customer-side staging of sensor versions alone would not have blocked it; the staging has to cover content updates too, which is something to require of the vendor. Redundancy across independent fault domains (for example, not running every node of a critical service on the same endpoint agent and OS combination) also limits how much a single bad update can take down, especially in critical infrastructure.
CrowdStrike continues to provide updates and support through their official channels to resolve the ongoing issues and ensure customer security and stability.