The CrowdStrike Blue Screen Outage: Is Windows Always Down? An Investigation of a Global Large-Scale Software Outage
On Friday morning, some of the biggest airlines, TV broadcasters, banks, and other essential services came to a standstill as a massive outage rippled across the globe. The outage, which has brought the Blue Screen of Death upon legions of Windows machines across the globe, is linked to just one software company: CrowdStrike.
CrowdStrike, which bills itself as having the fastest mean time to detect threats, helps companies find and prevent security breaches. Since its launch in 2011, the Texas-based company has helped investigate major cyberattacks, such as the Sony Pictures hack in 2014, as well as the Russian cyberattacks on the Democratic National Committee in 2015 and 2016. CrowdStrike’s valuation was over $83 billion as of Thursday evening.
The update appears to cause systems to get stuck in a boot loop by installing faulty software into the core of the Windows operating system. Affected machines show an error message that says, “It looks like Windows didn’t load correctly”, and offer users the option to restart the PC. Many companies, including an airline in India, have resorted to the good old-fashioned way of doing things by hand.
How long will it take to recover? According to Olejnik, administrators and IT personnel are generally well prepared for an event of this kind.
“The software that we operate is interdependent and very connected,” says Lukasz Olejnik, author of the book Philosophy of Cybersecurity. “But in general, there are plenty of single points of failure, especially when software monoculture exists at an organization.”
Although CrowdStrike has deployed a fix, getting things up and running won’t be a simple task. IT administrators may need physical access to each device to get it working again, and Olejnik says it could take days to weeks to resolve the issue. How quickly that happens depends on the size of the company’s IT team. “Some systems in certain specific circumstances may be unrecoverable, but I assume that the majority will be recovered,” Olejnik adds.
Researchers, including those from CrowdStrike intelligence, have thus far seen attackers sending phishing emails or making phone calls where they pretend to be CrowdStrike support staff and selling software tools that claim to automate the process of recovering from the faulty software update. Some attackers are also pretending to be researchers and claiming to have special information vital to recovery—that the situation is actually the result of a cyberattack, which it’s not.
Attackers routinely take advantage of global events and crises to trick people into handing over money, giving up their account credentials, or falling victim to malware and other computer attacks.
“Threat actors invariably attempt to capitalize on any major event,” says Brett Callow, managing director of cybersecurity and data privacy communications at FTI Consulting. “Whenever an organization experiences an incident, it’s something customers and business partners should be prepared for.”
The CrowdStrike incident is ripe for exploitation because the individuals responsible for addressing the problem may be desperate for solutions. In most cases, the fix for impacted computers involves individually booting and correcting each one—a potentially time-consuming and logistically difficult process. For small-business owners with no IT expertise, the challenge may be particularly difficult.
CrowdStrike emphasizes that customers should confirm that they are communicating with legitimate company staff members and only trust the company’s official corporate communications.
“Speedy alerts to employees outlining potential risks will help,” Callow says of how CrowdStrike customers should work to defend themselves. “Forewarned is forearmed.”