CrowdStrike Incident Overview
On July 19, 2024, the world experienced a significant global computer outage known as the “CrowdStrike Incident.” Here’s a detailed breakdown of what transpired:
What Happened?
CrowdStrike, a well-known cybersecurity company, issued a faulty update for its security software running on Microsoft Windows. This update inadvertently caused widespread disruptions across several critical industries, including airlines, airports, banks, stock markets, broadcasting services, and 911 emergency dispatch centers.
The update specifically targeted CrowdStrike’s Falcon Sensor product, designed to install a network sensor at the operating system level to detect and prevent threats. Unfortunately, a defective kernel driver (csagent.sys) included in the update caused affected machines to encounter a blue screen of death (BSOD) with the stop code PAGE_FAULT_IN_NONPAGED_AREA. As a result, machines were stuck in a boot loop or entered recovery mode.
Immediate Actions Taken
CrowdStrike acted swiftly by reverting the faulty update at 05:27 UTC, which prevented further impacts on devices that booted afterward. By 09:45 UTC, CrowdStrike CEO George Kurtz confirmed that a fix had been deployed.
Impact
The incident had far-reaching consequences, including the cancellation of over 1,000 flights globally, significantly disrupting the travel sector. It is estimated that approximately 24,000 customers experienced problems due to CrowdStrike’s error.
Who is Affected?
If your computer runs Microsoft Windows and has CrowdStrike’s Falcon Sensor product installed, you might be affected by this incident. Here are some signs to look out for:
- Blue Screen of Death (BSOD): Your computer displays a BSOD with the stop code PAGE_FAULT_IN_NONPAGED_AREA.
- Boot Loop or Recovery Mode: Your computer is stuck in a boot loop or has entered recovery mode.
Steps to Restore Functionality
If you suspect your computer is affected, follow these steps to restore its functionality:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
These steps must be performed on every affected machine. If you’re uncomfortable doing this yourself, it is advisable to contact your IT support team for assistance. They can guide you through the process and ensure your computer is functioning properly.
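The deletion step above can be scripted for an elevated PowerShell prompt in Safe Mode. This is an added example, not CrowdStrike's or the author's own tooling. The function name Remove-FaultyChannelFile and its SystemDrive parameter are hypothetical, and the default assumes Windows is installed on C:.

```powershell
# Added example: locate and delete the file matching C-00000291*.sys.
# Function and parameter names are hypothetical (not from the original article).
function Remove-FaultyChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Assumption: the Windows volume is C:. Pass another letter if the
        # system volume is mounted elsewhere.
        [string]$SystemDrive = 'C:'
    )

    $dir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'

    # No directory means the sensor is not installed or the drive letter is wrong.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Directory not found: $dir"
        return
    }

    # Match only the file pattern named in the remediation steps.
    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
    if ($files.Count -eq 0) {
        Write-Host "No file matching C-00000291*.sys in $dir; nothing to delete."
        return
    }

    foreach ($f in $files) {
        # Emit a record of each matching file so the action can be audited.
        [pscustomobject]@{
            Path         = $f.FullName
            LastWriteUtc = $f.LastWriteTimeUtc
            SizeBytes    = $f.Length
        }
        # ShouldProcess honours -WhatIf and -Confirm before anything is deleted.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Dry run: lists what would be deleted without touching the disk.
Remove-FaultyChannelFile -WhatIf

# Actual deletion, once the dry run shows the expected file:
# Remove-FaultyChannelFile -Confirm:$false
```

After the deletion, reboot the host normally as described in the last step.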
Key Points to Remember
This issue is a result of a software defect, not a security incident or cyberattack. CrowdStrike has identified the problem, isolated it, and deployed a fix. However, some systems may require manual intervention to recover fully. If you continue experiencing issues after following these steps, consider reaching out to CrowdStrike’s support team for further assistance.
MJ Sampsel
Cybersecurity Specialist and Team Lead
Additional Resources
- https://techcrunch.com/2024/07/19/what-we-know-about-crowdstrikes-update-fail-thats-causing-global-outages-and-travel-chaos/
- https://www.bbc.com/news/articles/cp4wnrxqlewo
- https://news.sky.com/story/it-outage-what-we-know-about-the-global-tech-meltdown-cloudstrike-and-microsoft-so-far-13180890
- https://www.abc.net.au/news/2024-07-19/what-is-crowdstrike-outage-explained/104120260
- https://www.technologyreview.com/2024/07/19/1095161/fix-windows-pc-microsoft-crowdstrike-outage/
- https://www.windowscentral.com/microsoft/mitigation-actions-microsoft-cloudstrike-outages
- https://mashable.com/article/windows-bsod-crash-crowdstrike-update-worldwide-outage
- https://www.tomshardware.com/software/windows/how-to-fix-cloudstrike-bsods-in-three-minutes-fix-requires-manual-changes-but-they-are-simple