CrowdStrike Software Glitch Affected 8.5 Million Computers, Hampering Travel, Healthcare, and More
The Y2K scare of the late 1990s fizzled out. But now, 25 years later, an IT software outage sparked widespread disruptions, reminding many of their turn-of-the-millennium fears and reinvigorating discussions about resilience and vendor dependency.
Approximately 8.5 million computers worldwide were briefly disabled late last week by a global IT outage caused by a corrupted software update from security company CrowdStrike. This makes the glitch the largest ever cyber-event, eclipsing previous hacks and outages, the BBC reported.
A faulty driver in CrowdStrike’s Falcon security software caused many Microsoft Windows systems to malfunction, including those at banks, airlines, television broadcasters, and retailers. The 19 July update pushed affected devices into a recovery boot loop, which prevented them from starting properly. Mac and Linux hosts were not affected.
The glitch hit some industries particularly hard. Air travel ground to a halt for many airlines, resulting in delays and flight cancellations as passengers had to be manually checked in. Top U.S. airlines—including American Airlines, Delta, and United—issued a “global ground stop” on all flights. Ramifications from the outage continue today—Delta canceled more than 4,600 flights from Friday through Sunday, and it canceled another 700 so far today. Delta’s crew-tracking tools were particularly affected by the outage, leaving the company unable to “effectively process the unprecedented number of changes triggered by the system shutdown,” said Delta CEO Ed Bastian in a statement online.
Meanwhile, healthcare facilities’ digital access to online records and other medical needs was disrupted in multiple key U.S. cities, CyberScoop reported. Some hospitals in Europe and the United States canceled elective procedures, and others had to activate backup systems to keep caring for patients, according to the New York Times.
As CrowdStrike continues to work with customers and partners to resolve this incident, our team has written a technical overview of today’s events. We will continue to update our findings as the investigation progresses. https://t.co/xIDlV7yKVh
— George Kurtz (@George_Kurtz) July 20, 2024
While most systems came back online relatively quickly, fixes were far from consistent and required some troubleshooting and trial and error by users, including rebooting up to 15 times. Amid the scramble to recover, programmers opined that CrowdStrike likely failed to sufficiently test its patch on a variety of Windows machines before deploying the update. Meanwhile, cybersecurity experts questioned why Microsoft’s system was not resilient enough to handle a software glitch from a third party.
“Among Washington’s cyberwarriors, the first reaction on Friday morning was relief that this wasn’t a nation-state attack,” wrote national security journalist David Sanger in analysis for the New York Times. “For two years now, the White House, the Pentagon, and the nation’s cyberdefenders have been trying to come to terms with Volt Typhoon, a particularly elusive form of malware that China has put into American critical infrastructure. It is hard to find, even harder to evict from vital computer networks and designed to sow far greater fear and chaos than the country saw on Friday.
“Yet as the ‘blue screen of death’ popped up from the operating rooms of Massachusetts General Hospital to the airline management systems that keep planes flying, America got another reminder of the halting progress of cyberresilience,” Sanger continued. “It was a particularly bitter discovery then that a flawed update to a trusted tool in that effort—CrowdStrike’s software to find and neutralize cyberattacks—was the cause of the problem, not the savior.”
Cyberattackers aren’t wasting a good crisis, though. Cyber intelligence agencies from Australia to the United States and beyond have warned that “malicious websites and unofficial code” were being released online posing as official solutions to the glitch, Reuters reported. The Australian Signals Directorate said its cybersecurity center “strongly encourages all consumers to source their technical information and updates from official CrowdStrike sources only.”
CrowdStrike’s intelligence team has observed threat actors distributing a malicious ZIP archive that likely targets Latin America-based customers. It offers Spanish-language instructions and poses as a utility for automating recovery from the glitch, prompting the user to run an extension that purportedly starts the patch installation but actually launches a search-order hijacking attack.
Impersonation-based attacks and frauds are not uncommon, and attackers often pose as technical support to try to trick users into following instructions. Researchers began warning last week that attackers are reserving domain names or spinning up websites to run tech support scams targeting CrowdStrike’s customers, WIRED reported. Attackers have also sent phishing emails or made phone calls pretending to be CrowdStrike support staff or selling software tools that claim to automate the recovery process.
“While most individuals are not personally responsible for addressing CrowdStrike-related computer outages, the incident is ripe for exploitation because some of the IT professionals working on remediation could be desperate for solutions,” WIRED explained. “In most cases, the fix for impacted computers involves individually booting and correcting each one—a potentially time-consuming and logistically difficult process. And for small-business owners who don't have access to extensive IT expertise, the challenge may be particularly daunting.”