Crowdstrike Windows Outage

Last Update: July 22, 2024 at 12:05pm EDT

Summary: Critical Systems Outage: 911, Hospitals, Banks, Airports, the Internet, Health Care, and Water treatment facilities are experiencing global outages caused by CrowdStrike’s software update to a range of MS Windows systems. CrowdStrike has pulled this update, but organizations worldwide that have been sent it are already affected. This has resulted in a considerable number of mission-critical devices becoming inoperable. The fix requires manual intervention for impacted assets, as related Windows machines are experiencing a looping Blue Screen of Death (BSOD).

This disruption has also highlighted the interconnected nature of modern OT systems and their dependence on reliable cybersecurity solutions. We published a separate blog with Armis’ take on a strategy for better preparedness in the future and lessons for OT Industries.

Armis can help affected customers detect impacted devices, find the devices, prioritize which devices to address first, and validate and help manage the process. Outlined below are real-time informational updates, the latest projections, and remediation guidance for Armis customers and others. An Armis Labs flash alert has been issued to our global database.

What Has Happened:

Single CrowdStrike Update Causes Massive World-Wide IT Outage

An update to CrowdStrike software on Windows hosts caused a massive IT outage worldwide. While this isn’t a cyber attack, the impact is almost the same.

The outage has widespread impacts on industries, from transport to infrastructure and even healthcare. Airport check-in systems have been disrupted, while banks, supermarkets, and media companies are among the other businesses reporting the Windows “blue screen of death.” Some hospitals can only treat the most urgent cases because they can’t access medical records.

What We Know:

CrowdStrike has confirmed that it is actively working with customers affected by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. At Armis, we have indeed seen a significant drop in active Windows hosts communications across our customers.

There is no suggestion that it was malicious or that anybody’s data has been compromised, accessed, or stolen. Organizations will most likely require a manual reboot in safe mode for every device. Because some devices are hardly physically accessible, it will likely take hours, if not days, before operations return to normal.

Armis Is Ready To Help

This is a hard day for companies, their customers, and everyone. Armis can help streamline your journey back to normal operations faster as we can provide the physical location of the actual server or workstation—the switch and port—which will greatly assist this process in tracking down assets that need to be manually found and fixed.

• Mapping: Armis can help you map the impacted devices in your environment and identify the specific devices that require remediation. The following query can obtain a list of all Crowdstrike versions active in the environment.

 

Please use the following query to identify devices with Crowdstrike that haven’t been seen since 2024-07-19T01:00:00

 

• Prioritization: what business services, solutions, or critical infrastructure could be impacted? Which assets are the most important ones to fix? Armis allows you to query by site, boundary, and tags. Adding these to the search will enable you to focus on your most critical assets. We also provide insights into the breadth of the business impact by illustrating in a visual map which assets are communicating with other assets that may be compromised.
• Remediation: Armis predicts and assigns the correct owner of each impacted asset by using embedded workflows to remediate, track progress with workflow tools, and measure the effectiveness of the remediation process.

Additionally, Armis can detect unusual behavior and potential security threats in real-time, providing alerts and actionable insights to security teams. This proactive approach helps maintain continuous security operations and mitigates the risk of vulnerabilities being exploited
during periods when traditional security tools like CrowdStrike might be unavailable.

Armis Labs detected unusual activities with a drop of active Windows hosts at around 2:30 AM ET. With CrowdStrike quickly issuing a fix, Armis Centrix™ for VIPR – Prioritization and Remediation is remediating affected devices based on asset criticality to their organizations. It can help impacted entities to resolve related challenges.

Because of the widespread outages being felt due to this incident, Armis is waiving subscription fees for a limited period to help impacted customers address the issue. Armis Centrix™ customers can contact their Customer Success Manager for more information today.

What’s Next

Even with the vendor fix available, it won’t reverse the damage already done. The fix requires manual intervention, as the Windows machines are experiencing a looping Blue Screen of Death (BSOD). By providing a full view of impacted assets, and their business criticality and closing the loop on remediation management, Armis allows organizations to get back to operational readiness quickly.