CrowdStrike Update Causes Global IT Outage and Security Concerns

Source: Center for Internet Security

On July 19, 2024, at approximately 1:00 a.m. ET, a widespread IT outage began due to a defect in a single CrowdStrike content update. This outage affected numerous Windows hosts globally, including critical U.S. State, Local, Tribal, and Territorial (SLTT) government systems. CrowdStrike has since isolated the issue and deployed a fix.

While SLTT entities strive to maintain critical operations and restore access to affected systems running CrowdStrike Falcon sensors, cyber threat actors (CTAs) are exploiting the situation. They are using phishing lures, typosquatted domains, and malicious ZIP files disguised as CrowdStrike support materials. The Center for Internet Security's Cyber Threat Intelligence (CIS CTI) team continues to monitor these threats, sharing indicators of compromise (IOCs) through the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Malicious Domain Blocking and Reporting (MDBR) service.

Initial Observations and Impact

The MS-ISAC noted substantial disruptions to SLTT member systems, with some organizations continuing to experience issues as they implement CrowdStrike’s fix. Critical sectors such as airlines, railways, healthcare, and financial institutions reported significant disruptions. Some 911 centers had to rely on backup systems, indicating the wide-reaching impact on SLTT subsectors.

This incident underscores the potential scale of disruption when critical systems depend on a single vendor, providing CTAs with opportunities to exploit these dependencies in future attacks.

CTAs' Exploitation of the Incident

The CIS CTI team identified CTAs registering domains that mimic CrowdStrike's infrastructure, likely intended for social engineering. These domains often pose as legitimate CrowdStrike support pages to exploit the urgency and confusion caused by the outage. On July 20, 2024, CrowdStrike Intelligence reported that CTAs were distributing a malicious ZIP archive containing HijackLoader, disguised as a legitimate hotfix file. The IOCs associated with that report are likely in active malicious use.

Historically, CTAs have exploited chaotic situations and urgency to socially engineer users into visiting malicious websites and responding to phishing emails that appear legitimate.
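As an added example (not CIS or CrowdStrike code), the following Python script scans constructed DNS query log lines for domains that embed or closely resemble the CrowdStrike brand outside an assumed allow-list, the kind of check a defender can run over resolver or proxy logs while lookalike domains are circulating. The log format, allow-list and sample domains are constructed for illustration; reserved `.test` names stand in for attacker-registered domains.

```python
"""Flag lookalike-brand domains in DNS query logs (defensive check).

Added example, not CIS or CrowdStrike code. The log format, allow-list
and sample domains are constructed; no real IOCs are used.
"""
import re

BRAND = "crowdstrike"
ALLOWED = {"crowdstrike.com"}  # assumed allow-list of legitimate registrable domains


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    # Naive: last two labels (no public-suffix list; an assumption for the example).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def suspicious_reason(fqdn: str):
    """Return why a domain looks like a CrowdStrike lookalike, or None if it does not."""
    if registrable(fqdn) in ALLOWED:
        return None
    for label in fqdn.lower().rstrip(".").split(".")[:-1]:  # ignore the TLD
        compact = re.sub(r"[^a-z0-9]", "", label)  # "crowd-strike" -> "crowdstrike"
        if BRAND in compact:
            return "brand-in-domain"
        for tok in [compact] + re.split(r"[-_0-9]+", label):
            if tok and levenshtein(tok, BRAND) <= 2:  # "crowdstrlke" is distance 1
                return f"near-match:{tok}"
    return None


# Constructed log lines: timestamp, client IP, record type, queried name.
SAMPLE_LOG = """\
2024-07-19T06:01:11Z 10.0.0.21 A falcon.crowdstrike.com
2024-07-19T06:02:40Z 10.0.0.21 A crowdstrike-hotfix.test
2024-07-19T06:03:05Z 10.0.0.33 A crowdstrlke-support.test
2024-07-19T06:03:09Z 10.0.0.33 A crowd-strike-recovery.test
2024-07-19T06:04:18Z 10.0.0.40 A update.microsoft.test
2024-07-19T06:05:00Z 10.0.0.40 A www.crowdstrike.com.test
"""


def scan_log(text: str):
    """Return (timestamp, client, domain, reason) for each flagged query."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        reason = suspicious_reason(fields[-1])
        if reason:
            hits.append((fields[0], fields[1], fields[-1], reason))
    return hits
```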

Impacted Sectors

The CrowdStrike content update caused disruptions across several SLTT subsectors and other critical areas, impacting:

  • Government Administration:

    • Department of Motor Vehicles in multiple locations

    • Social Security Administration

    • Department of Justice (DOJ) reported some computer impacts

  • Mass Transit Systems:

    • Major metro rail systems experienced disruptions but have since recovered

  • Hospitals/Healthcare:

    • At least 11 health systems reported impacts, including canceled surgeries and diverted ambulances

  • Air Travel:

    • As of July 19, 2024, 12:56 p.m. ET (FlightAware data):

      • Total delays: 31,307

      • Delays within, into, or out of the U.S.: 6,169

      • Total cancellations: 3,566

      • Cancellations within, into, or out of the U.S.: 2,219

  • Financial Services:

    • Payment systems were disrupted, and pharmacies were unable to dispense medication

Conclusion

The CIS CTI team will continue to monitor and disseminate threat intelligence related to this incident. Businesses and organizations must remain vigilant, ensuring robust data privacy and security practices to mitigate risks and safeguard operations.