CrowdStrike outage turns into playground for threat actors


As more systems come back online in the wake of Friday’s worldwide CrowdStrike IT outage, experts say the process will be lengthy for many industries, such as the airlines, healthcare, and banking sectors, and create a slew of unforeseen security challenges.

CrowdStrike CEO George Kurtz told news outlets on Friday there was a “software bug” in a single content update that caused an issue with the “Microsoft operating system.”

Multiple reports of Microsoft system outages and a ‘blue screen of death’ (BSOD) early Friday morning began trickling in on social media, first in Australia and then later across the globe.


“When you look at the complexity of cybersecurity, we are always trying to stay one step ahead of the adversaries, this update went out, if there is a negative reaction between the way these systems work, that’s something that happens,” Kurtz said.

In a post on Friday afternoon, Kurtz pledged his “commitment to provide full transparency on how this occurred and the steps we’re taking to prevent anything like this from happening again.”

Kurtz said the cybersecurity vendor identified and remediated the issue “very quickly,” noting that as systems come back online and are rebooted, CrowdStrike has been working directly with “each and every customer” to make sure the recovery process runs as smoothly as possible.

And, although Kurtz noted that for some companies it could be some time, he said that CrowdStrike will “not relent until we get every customer back where they were and we continue to protect them and get the bad guys out of our systems.”

Aleksandr Yampolskiy, CEO of cybersecurity firm SecurityScorecard, says the disruption “creates a fertile ground for exploitation, as attackers prey on the vulnerability of users seeking solutions.”

“The timing of this event and how public it is happens to be exactly what attackers look for to craft targeted attacks,” he pointed out.


“Vigilance is paramount, as organizations must not only address the outage but also fortify defenses against opportunistic attacks that exploit the chaos,” Yampolskiy said.

Recovery will be a lengthy process

Security expert Shawn Waldman, CEO and founder of Secure Cyber, believes that recovery will not be as swift as expected and, in reality, is far more complex than it may appear for impacted organizations.

"While CrowdStrike has issued a fix, the challenge lies in the application of this fix across vast networks,” Waldman explained.

“Many global agencies and large organizations have tens to hundreds of thousands of devices spread out across the globe – often lacking the capability to quickly and remotely deploy such fixes,” he said.

As companies work to reach and update all their affected devices, “both remotely and physically,” Waldman said these companies should “brace for potential extended downtime, possibly lasting days or even weeks.”

Encrypted devices present an additional layer of difficulty and will only compound the issues, Waldman added, especially if decryption keys are not readily available.

“The reality for many IT departments and organizations is a prolonged period of disruption,” he said.

Regulators, security experts warn to be vigilant


According to the US Cybersecurity and Infrastructure Security Agency (CISA), threat actors have already been observed taking advantage of the CrowdStrike incident for phishing and other malicious activity, the agency said in a warning advisory released Friday.

“CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources,” the agency said, reminding organizations and their employees to avoid clicking on phishing emails or suspicious links.

Meanwhile, as recovery efforts take center stage, financial regulators in New York warned banks and trust companies to be on “high alert” because of the outage, reminding all regulated entities “to be vigilant at this time.”

“Threat actors have been known to launch attacks during periods when IT and security staff are distracted, especially through social engineering,” the New York State Department of Financial Services said in a statement.

The agency, which oversees more than 3,000 financial institutions across New York state, said it would be working with other state and federal regulators to monitor institutions and market events.

While everyone is distracted by other issues, organizations face increased vulnerability as threat actors invariably try to exploit the situation, said Itzik Alvas, CEO and co-founder of Entro Security.

“Companies dependent on CrowdStrike for security monitoring, incident response, and threat detection might face operational disruptions, delaying their ability to detect and respond to security incidents promptly,” Alvas explained.

During emergencies, as seen on Friday due to the CrowdStrike incident, people may neglect security best practices, becoming vulnerable to social engineering, he said.


Alvas warned that companies should be on the lookout for various scams, such as bad actors impersonating IT staff, or phishing emails referencing the outage that would offer “urgent updates,” or disguise malicious software as legitimate security tools.

Some CrowdStrike customers might even “uninstall endpoint protection entirely, leaving systems unprotected,” Alvas said, adding that “security systems could be compromised if endpoints hosting those platforms are also affected by a specific Falcon version.” Falcon is the name of CrowdStrike's endpoint detection and response (EDR) software.

Finally, Alvas pointed out that because of the incident, overall “trust in CrowdStrike may decrease, leading customers to question the resilience of security products.”

“In the long run, new startups may emerge, focusing on emergency handling and resilience,” he added.