Guidance for CrowdStrike Windows Outage

Last Updated: July 19, 2024

Change Log

Date        Updates
7/19/2024   Updates to the What Happened section to clarify the details based on input provided by CrowdStrike. Update to the What CIS is Doing section with further actions taken by CIS.
7/19/2024   Initial Publication

What Happened

Just after midnight Eastern time on July 19, Windows environments using CrowdStrike Falcon software were affected when the logic used in the detection capabilities of the Falcon sensor was updated for Microsoft Windows operating systems, causing devices to experience outages. Symptoms of these outages included system crashes, Falcon sensor bugcheck screens, and Microsoft Windows blue screen error pages. Microsoft Windows systems that checked in with the CrowdStrike Cloud for updates between 0409 UTC and 0527 UTC were impacted.

NOTE: Microsoft Windows systems that checked in with the CrowdStrike Cloud for updates after 0527 UTC were not impacted as the logic update that caused the issue had been reverted at that time. CrowdStrike has since issued a workaround that requires manual remediation for each affected device.

What CIS is Doing

The CIS SOC immediately began working the issue overnight, investigating the outage and communicating with affected MS-ISAC and EI-ISAC member organizations. An email was sent from the SOC to all CIS Endpoint Security Services / Endpoint Detection and Response customers at approximately 3 a.m. Eastern time with information about how to remediate the issue, with another update distributed at 10 a.m. The recommended actions to mitigate the impact of this issue, which were included in this correspondence, were based on official recommendations made by CrowdStrike.

On the afternoon of July 19, CIS issued a Short Form Analytic Report (SFAR) to all members of the MS- and EI-ISAC that included additional threat details related to this issue. CIS also hosted a webinar including presentations by the CIS SOC and Cyber Threat Intelligence (CTI) teams as well as representatives from CrowdStrike.

We will continue to work with affected MS- and EI-ISAC members as this situation develops and as further information is made available by CrowdStrike.

What You Can Do

While remediating affected systems, organizations should be aware that CIS has detected numerous phishing campaigns and spoofed domains set up by threat actors in an attempt to socially engineer and compromise organizations affected by the outage. 

Please be advised that numerous workarounds are circulating that have not been verified. Use extreme caution when implementing anything other than the official guidance.

Official CrowdStrike guidance: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

We will update this page with relevant information as it becomes available.
