Criminals exploited CrowdStrike chaos to distribute malware

Last week, an unprecedented IT glitch caused chaos. The cause was a failed update from the security company CrowdStrike. Criminals wanted to exploit this and released a “fix” that was little more than malware.

Small cause, huge impact

Last Friday, one line of code was enough to plunge much of the world into absolute chaos. Airlines, banks, hospitals and media were no longer able to use their computers because the security provider CrowdStrike triggered a chain reaction with a single domino. Specifically, a problematic update triggered a reboot loop on almost nine million Windows computers, which was accompanied by Blue Screen of Death (BSOD) errors. CrowdStrike and Microsoft reacted quickly and were able to solve the problem relatively quickly – the emphasis here is on relatively, because by the time the first countermeasure was published, the damage was already enormous. According to CrowdStrike (via Neowin), unknown cyber criminals wanted to take advantage of the confusion and distributed ZIP archives with names like “crowdstrike-hotfix.zip”. However, these did not contain the promised bug fix, but rather the HijackLoader payload, which loads the RemCos malware when executed. This hidden malware attack was primarily aimed at users and CrowdStrike customers in Latin America and is believed to have originated in Mexico.
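The fake “crowdstrike-hotfix.zip” worked because people expected a fix and opened whatever arrived under that name. The article’s own description of the legitimate workaround (boot into safe mode and delete a file) gives a useful defender’s heuristic: a real fix for this outage did not require running any new binary. The following triage script is an added example, not code from the article or from CrowdStrike; it builds a constructed archive in memory that mimics the fake hotfix and flags any member that is executable content, without ever running it. Function names, the constructed file names and the extension list are assumptions for illustration.

```python
"""Triage check for a 'vendor hotfix' archive before anyone opens it.

Added example (not from the article or from CrowdStrike). Reads only a few
header bytes of each archive member and reports executable content, so an
operator can reject a "fix" that is really an installer.
"""
import io
import zipfile

# Headers and extensions that mark executable content. A fix consisting of
# instructions or a configuration change needs none of these.
PE_MAGIC = b"MZ"          # Windows PE (.exe/.dll) header
ELF_MAGIC = b"\x7fELF"    # Linux executable header
ZIP_MAGIC = b"PK\x03\x04"  # nested archive, often used to hide the real payload
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".msi", ".hta", ".ps1",
    ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf",
}


def inspect_hotfix_archive(data: bytes, max_members: int = 1000) -> dict:
    """Return a triage report for a ZIP given as bytes.

    verdict is "suspicious" if any member is executable or a nested archive,
    otherwise "clean". Nothing in the archive is executed or written to disk.
    """
    report = {"members": [], "executables": [], "nested_archives": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            name = info.filename
            report["members"].append(name)
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            with zf.open(info) as fh:
                head = fh.read(4)  # header only; enough for the magic checks
            # Use the LAST extension so "hotfix.pdf.exe" is still caught.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC) or ext in EXECUTABLE_EXTS:
                report["executables"].append(name)
            if head.startswith(ZIP_MAGIC):
                report["nested_archives"].append(name)
    if report["executables"] or report["nested_archives"]:
        report["verdict"] = "suspicious"
    return report


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the fake hotfix: a README plus PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Run the installer to fix the BSOD.")  # constructed lure text
        zf.writestr("crowdstrike-hotfix.exe", b"MZ" + b"\x90" * 64)        # constructed PE stub
        zf.writestr("updater.dll", b"MZ" + b"\x00" * 32)                   # constructed PE stub
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive that only carries written instructions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instructions.txt", "Boot into safe mode and remove the faulty file.")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("fake hotfix", build_sample_archive()),
                           ("instructions only", build_benign_archive())):
        result = inspect_hotfix_archive(archive)
        print(f"{label}: {result['verdict']} executables={result['executables']}")
```

The check is deliberately conservative: it does not try to identify a specific loader family, it only answers whether the archive asks you to run something. Anything marked suspicious should go to the vendor’s official advisory page for comparison rather than to a user’s desktop.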

Phishing parallel to chaos

What’s more, in the wake of the confusion, there were also several phishing campaigns in which bad actors posed as CrowdStrike support staff and attempted to steal login credentials or otherwise gain access to systems. Most of these used typical emails, but there were also reports of phone calls in which supposed security experts and fake CrowdStrike employees offered their help.

What does CrowdStrike do?

CrowdStrike is a leading cybersecurity company specializing in endpoint protection. It offers security solutions for Windows and Linux systems that are used in many large companies and organizations around the world. According to the company, CrowdStrike serves over 298 of the Fortune 500 companies, 43 US states, 6 of the 10 largest healthcare providers and 8 of the 10 leading financial services providers in the US. This underlines the company’s central role in the global IT security landscape.

What was the reason for the outage?

The massive outage was caused by a faulty update of the CrowdStrike Falcon sensor. This update resulted in a so-called “Blue Screen of Death” (BSOD) on affected Windows systems, resulting in continuous reboots. According to initial analysis, the cause appears to be a null pointer error: the code attempted to access an invalid memory address without first checking its validity. This basic programming error should have been discovered with careful testing.

How many devices were affected?

According to Microsoft, around 8.5 million Windows devices were affected by the faulty update. This number corresponds to less than one percent of all Windows machines worldwide. Despite the relatively small share of the total number of Windows systems, the impact was significant, as many critical infrastructures and large companies were affected. Full recovery of all affected systems could take several weeks.

Which industries were affected?

The outage had far-reaching effects on various industries worldwide. Airports and airlines were particularly affected, struggling with delays and flight cancellations. Banking systems also reported disruptions to their online services, causing problems with account access and transactions. In the healthcare sector, some hospitals had to postpone planned operations. Even media companies such as the British news channel Sky News were affected and were temporarily unable to broadcast live news.

How was the problem resolved?

CrowdStrike has since withdrawn the faulty update and is working on a global solution. For systems already affected, a workaround has been recommended that involves booting in safe mode and manually deleting a specific file. Microsoft is working closely with CrowdStrike and other leading cloud providers such as Amazon AWS and Google Cloud to speed up the recovery process. Nevertheless, it is expected that the full resolution of the problem could take several weeks.

Have there been similar incidents before?

It is reported that there have been similar problems with CrowdStrike updates in the past. In April of this year, an update is said to have caused crashes on servers running Debian and Rocky Linux. In these cases, too, deficiencies in CrowdStrike’s testing processes were evident. There was criticism that certain operating system versions were not part of the test matrix, which led to compatibility problems. These incidents raise questions about quality assurance at CrowdStrike.

What does CrowdStrike say about this?

George Kurtz, CEO of CrowdStrike, commented on the incident in a television interview. He expressed his deep regret about the incident and assured that the company is working with each individual customer to get the systems back online. Kurtz indicated that CrowdStrike will launch an internal investigation into the incident. However, his statements were received critically by some IT managers because they did not adequately address the severity of the incident and the underlying errors.