CrowdStrike fiasco: New details on the fatal update, BSI warns of attacks

The root of all evil has a name: Channel File 291 has caused massive IT outages worldwide. Meanwhile, the BSI warns against CrowdStrike phishing.

By Ronald Eikenberg
This article was originally published in German and has been automatically translated.

Last Friday, a sudden outage of countless Windows computers led to a worldwide IT disaster. The culprit was the widely used Falcon security software from CrowdStrike, which is designed to protect against modern cyberattacks – and therefore also against outages. The manufacturer has since revealed a few more details about the incident.

According to CrowdStrike, the faulty update was deployed last Friday between 06:09 and 07:27 German time. It affected systems that were online during this window and were therefore supplied with the update automatically. The fatal update is a so-called channel file for the Falcon Sensor component, which must be installed on every client that is to be protected.

Channel files control the software's behavioral protection mechanisms, comparable to signature updates in antivirus software. CrowdStrike explains that such files are distributed several times a day so that it can react to current threats. The fatal channel file 291 is said to contain new information about named pipes, which command-and-control frameworks are currently abusing in cyberattacks.

Although such channel files carry the .sys extension, CrowdStrike says they are not kernel drivers. File 291 nevertheless triggered a logic error that apparently crashed the software's kernel driver. The file was intended to address attacks on Windows and was not distributed to macOS and Linux systems.
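The two facts above that matter for triage are the deployment window (06:09 to 07:27 German time, only hosts online then received the file) and the platform scope (Windows only). The following is an added example, not code from the article or from CrowdStrike, showing how a defender might turn those facts into a check over an inventory of host online sessions. It assumes a constructed session export with UTC timestamps, and it assumes the Friday in question is 2024-07-19 (the article says only "last Friday"); the main pitfall it handles is converting the German-time window to UTC rather than comparing wall-clock times across zones.

```python
"""Flag Windows hosts whose online sessions overlapped the faulty-update window.

Added example, not from the article or from CrowdStrike. The inventory format
(host, platform, online_from, online_until in UTC) is an assumption.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo

BERLIN = ZoneInfo("Europe/Berlin")

# The article only says "last Friday"; the incident date is supplied here.
INCIDENT_DAY = date(2024, 7, 19)


@dataclass(frozen=True)
class Session:
    host: str
    platform: str           # "windows", "macos" or "linux"
    online_from: datetime   # timezone-aware, UTC
    online_until: datetime  # timezone-aware, UTC


def update_window_utc(day: date) -> tuple[datetime, datetime]:
    """Return the 06:09-07:27 German-time window on `day` as UTC datetimes.

    Using the Europe/Berlin zone (not a fixed +2 offset) keeps the conversion
    right whether the day falls under CET or CEST.
    """
    start = datetime.combine(day, time(6, 9), tzinfo=BERLIN)
    end = datetime.combine(day, time(7, 27), tzinfo=BERLIN)
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


def hosts_possibly_affected(sessions: list[Session], day: date) -> list[str]:
    """Windows hosts whose online interval overlaps the update window."""
    win_start, win_end = update_window_utc(day)
    hits = []
    for s in sessions:
        # The article states the file was not distributed to macOS or Linux.
        if s.platform != "windows":
            continue
        # Half-open interval overlap: session must start before the window
        # ends and end after the window starts.
        if s.online_from < win_end and s.online_until > win_start:
            hits.append(s.host)
    return sorted(hits)


def _utc(iso: str) -> datetime:
    """Parse an ISO-8601 string carrying an explicit +00:00 offset."""
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


# Constructed sample inventory (not real data). On 2024-07-19 the window is
# 04:09-05:27 UTC, so ws-01 and srv-03 overlap it; the others do not.
SAMPLE_SESSIONS = [
    Session("ws-01", "windows", _utc("2024-07-19T03:00:00+00:00"), _utc("2024-07-19T04:30:00+00:00")),
    Session("ws-02", "windows", _utc("2024-07-19T05:30:00+00:00"), _utc("2024-07-19T09:00:00+00:00")),
    Session("srv-03", "windows", _utc("2024-07-18T22:00:00+00:00"), _utc("2024-07-19T06:00:00+00:00")),
    Session("ws-04", "windows", _utc("2024-07-19T04:00:00+00:00"), _utc("2024-07-19T04:05:00+00:00")),
    Session("mac-05", "macos", _utc("2024-07-19T04:00:00+00:00"), _utc("2024-07-19T06:00:00+00:00")),
]

if __name__ == "__main__":
    start, end = update_window_utc(INCIDENT_DAY)
    print(f"window in UTC: {start:%H:%M} to {end:%H:%M}")
    print("possibly affected:", hosts_possibly_affected(SAMPLE_SESSIONS, INCIDENT_DAY))
```

The result is a shortlist, not a verdict: a host that was online during the window may still have escaped the update for other reasons, so the list is a starting point for confirmation against the vendor's own guidance rather than proof of impact.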

The company is currently still investigating the cause and promises to improve its workflow to prevent such a serious case from happening again: "We know how this problem occurred and are conducting a thorough root cause analysis to find out how this logic error occurred. These efforts will continue. We are committed to identifying any fundamental or workflow improvements we can make to strengthen our process."

The BSI (Bundesamt für Sicherheit in der Informationstechnik) also commented on the devastating IT disaster on Saturday. According to the BSI, the situation is returning to normal in many places, but many companies "are still struggling with the knock-on effects of the disruption." The BSI adds that it has not yet been conclusively clarified how the faulty code was able to get into the update. The authority is "also in close contact with the company".

Meanwhile, cyber criminals are apparently already exploiting the situation "for various forms of phishing, scams or fake websites", warns the BSI. Unofficial code is also said to be in circulation. The Federal Office expressly warns that technical information on the incident should be obtained only from CrowdStrike.

Another IT outage, this one affecting Microsoft Azure, is also said to be returning to normal. The disruption, which affected Teams, OneDrive, Microsoft Defender and SharePoint, is currently still being analyzed, and "a corresponding report has been announced for next week", explains the BSI. Apart from the timing of the incident, the information published so far does not suggest a direct connection with the CrowdStrike outage. (rei)