The computer outage that is shutting down airports, banks, hospitals and transport companies all over the world has nothing to do with a security incident or cyber attack. The problem has been identified, isolated and a solution has been found. This is according to CEO George Kurtz of Crowdstrike, the cybersecurity company that distributed a wrong software update that caused Windows environments to fail.
Kurtz and the company he heads are under fire after computers running Microsoft operating systems received a corrupt automatic update on Thursday, crashed and, in many cases, could no longer boot. In the Netherlands, several airports, the UWV, Slingeland Hospital, Zorggroep Treant and the transport companies AllGo, Keolis R-net and Syntus Utrecht appear to have been affected.
‘Crowdstrike is actively working with customers affected by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not affected’, Kurtz writes on X. He refers affected organizations to the support pages of Crowdstrike’s site and to their contacts at the company. The CEO does not offer an apology in his tweet on X, but in an interview on NBC’s Today Show in the US, he did apologize on behalf of his company for “the impact we’re having on customers.”
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We…
— George Kurtz (@George_Kurtz) July 19, 2024
Crowdstrike CEO George Kurtz responds to the outage
Crowdstrike is one of the world’s largest cybersecurity companies, with mainly large enterprises as customers. The American company announced its new product CrowdStrike Falcon Complete Next-Gen MDR on Thursday, with which it says it ‘sets a new standard for mdr (managed detection and response, ed.).’
Two security notifications
According to security expert Erik Westhovens, the problem lies in Crowdstrike system driver C-00000291-00000000-000000XX.Sys. Windows Defender, the standard security system for Windows environments, is said to give two notifications as a result of this system driver, writes Westhovens on LinkedIn. ‘The first that malicious content was found (an infostealer) and the second that there were malicious connections to IP addresses with a bad reputation.’ The expert suspects a supply chain attack, possibly set up by Russian hackers. ‘Crowdstrike will definitely have to investigate this.’
Earlier in the day, ESET cyber expert Dave Maasland called the global computer outage a digital cardiac arrest. ‘As annoying as this is, this is the wake-up call we need to use to once more realize that our digital society contains vulnerabilities that we will have to tackle together.’
Workaround
At this time, no patch has been made available. However, a workaround has been offered by Crowdstrike. According to the NCSC, this workaround ‘seems to work in most cases, which means that the problems are starting to decrease for many organizations’.
1. Boot Windows into Safe Mode
2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory in Explorer
3. Locate the file “C-00000291-00000000-00000032.sys”, right-click it and rename it to “C-00000291-00000000-00000032.renamed” (the version number may differ on your host)
4. Boot the host
Source: National Cyber Security Centre (NCSC)
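As an added example, not part of the NCSC advisory or CrowdStrike's own tooling, the following PowerShell script performs steps 2 and 3 of the workaround from an elevated prompt in Safe Mode: it matches the whole C-00000291-*.sys family (because the trailing number differs per host), records each file's size and SHA-256 before renaming it, and honours -WhatIf for a dry run. The directory and file name pattern are the ones given above; the hash logging is an assumption about what an incident responder would want to keep for CrowdStrike's investigation.

```powershell
# Added example: automates steps 2-3 of the NCSC/CrowdStrike workaround.
# Run from an elevated PowerShell in Safe Mode, then reboot normally (step 4).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Path from the workaround; override only if the sensor lives elsewhere.
    [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike'
)

# The advisory names C-00000291-00000000-00000032.sys and notes the version may
# differ, so match every C-00000291-* channel file instead of one fixed name.
$pattern = 'C-00000291-*.sys'

if (-not (Test-Path -LiteralPath $DriverDir)) {
    Write-Error "Directory not found: $DriverDir (is the CrowdStrike sensor installed?)"
    exit 1
}

$files = @(Get-ChildItem -LiteralPath $DriverDir -Filter $pattern -File)
if ($files.Count -eq 0) {
    Write-Output "No $pattern files in $DriverDir; nothing to do."
    exit 0
}

foreach ($f in $files) {
    # Preserve evidence before touching the file: name, size and SHA-256.
    # (Assumed responder practice, not a step in the advisory.)
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Output ("{0}`t{1} bytes`tSHA256={2}" -f $f.Name, $f.Length, $hash)

    # Rename .sys -> .renamed exactly as the workaround describes; the original
    # name is kept in the log line above so the change can be reversed.
    $newName = [IO.Path]::ChangeExtension($f.Name, '.renamed')
    if ($PSCmdlet.ShouldProcess($f.FullName, "Rename to $newName")) {
        Rename-Item -LiteralPath $f.FullName -NewName $newName
        Write-Output "Renamed $($f.Name) -> $newName"
    }
}

Write-Output 'Done. Reboot the host normally (step 4 of the workaround).'
```

Run it first with `-WhatIf` to see which files would be renamed without changing anything.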