The biggest cyber attack caused by top cybersecurity company

Nicola Andrei-George
3 min read · Jul 24, 2024


The top-notch company CrowdStrike has, in effect, affected more people than any criminal hacker ever has

Photo by Dan Nelson on Unsplash

Services of every kind, from customer-support lines (including the 911 emergency hot-line) to large, robust travel institutions, were drastically affected by the Microsoft-CrowdStrike outage.

What’s CrowdStrike exactly?

To begin with, I must dive into a short depiction of CrowdStrike and what they do. It is a very respectable company (or it used to be), which also has an office in Bucharest, my hometown, and I must confess their people are very lucrative and professional, as I am acquainted with some of them. They offer cloud-based cybersecurity services such as SECaaS (security as a service); in other words, you don’t have to install anything on your machine because their tools are only remote. Moreover, they have plenty of tools built on extensive AI and ML techniques for file analysis, threat hunting and human recognition from video camera surveillance (I once went to a small conference at their office), and their infrastructure is one of the best.

But…

https://www.nbcnews.com/nightly-news/video/nationwide-customs-outage-creates-airport-chaos-and-frustrates-travelers-66317381778

This is what happened in one airport, and the crisis was worldwide, affecting hundreds of airports.

What exactly happened

Their platform, called Falcon, uses two types of content configuration updates: Sensor Content and Rapid Response Content. The one that caused this outage was of the Rapid Response Content type, which is meant to deliver threat-hunting and protection logic at operational speed. It is the type of content configuration update that is supposed to ship faster, at the cost of fewer tests being done beforehand.

https://x.com/troyhunt/status/1814174010202345761/photo/1

In production they delivered a bug ‘fast’ rather than securely and deliberately; probably the fault of a beginner, an intern, or maybe just a slip, it caused confusion and chaos across the globe.
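To make the trade-off above concrete, here is an added Python simulation (not code from this post or from CrowdStrike) comparing a fast channel that pushes an update to every host at once with a ring-gated rollout that promotes to the next ring only while crash telemetry stays below a threshold. The fleet sizes, the 1% threshold and the crash model are constructed assumptions.

```python
"""Staged ("ring") rollout gate for a fast content-update channel.

Constructed simulation. A bad update is modelled as one that crashes every
host that receives it (the boot-time crash described above); a good update
produces only a negligible background failure rate.
"""
from dataclasses import dataclass

MAX_CRASH_RATE = 0.01  # assumption: halt promotion if >1% of a ring fails


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: int


# Constructed fleet: a small canary ring, then progressively larger rings.
FLEET = [Ring("canary", 50), Ring("early", 5_000),
         Ring("broad", 500_000), Ring("all", 8_000_000)]


def observe_crashes(ring: Ring, update_is_bad: bool) -> int:
    """Stand-in for post-push telemetry (constructed): a bad update crashes
    every host it reaches; a good one shows a 0.1% background rate."""
    return ring.hosts if update_is_bad else ring.hosts // 1000


def push_everywhere(fleet, update_is_bad):
    """Fast-channel behaviour: every ring receives the update before any
    telemetry can be evaluated, so the blast radius is the whole fleet."""
    affected = sum(observe_crashes(r, update_is_bad) for r in fleet)
    return {"affected": affected, "halted_at": None}


def push_staged(fleet, update_is_bad):
    """Ring-gated behaviour: promote to the next ring only if the current
    ring's crash rate is within MAX_CRASH_RATE; otherwise halt and roll back."""
    affected = 0
    for ring in fleet:
        crashes = observe_crashes(ring, update_is_bad)
        affected += crashes
        if crashes / ring.hosts > MAX_CRASH_RATE:
            return {"affected": affected, "halted_at": ring.name}
    return {"affected": affected, "halted_at": None}


if __name__ == "__main__":
    for bad in (False, True):
        label = "bad update " if bad else "good update"
        print(label, push_everywhere(FLEET, bad), push_staged(FLEET, bad))
```

With the bad update, the ungated push reaches all 8,505,050 hosts while the gated rollout stops at the 50-host canary ring.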

The Channel File 291

As related in their official report on the event (https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/), they have configuration files that they call ‘Channel Files’. On July 19, 2024 at 04:09 UTC, two IPC Template Instances containing a logic error were deployed, which caused Windows hosts to crash at boot time.

At the moment of writing this article it is almost 21:00 EEST (or 00:00 UTC) on July 24, 2024; that is, 5 days later. Ironically, the train stations, hospitals, airports, naval ports and big institutions had already recovered from this malfunction 2–3 days ago; to reach as many people as they could, there is also a post on their website (https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/) about the Falcon Channel File 291 logic error and how some machines with a strong internet connection might be fixed during boot thanks to some cleanup routines.

Photo by Piotr Chrobot on Unsplash

Until next time

Yes, a second time will definitely come, and it may be much worse; maybe not because of CrowdStrike, nor because of the IT field or the computer-science social bubble. We have previously seen the Covid pandemic, the Russia-Ukraine war, the Israel-Gaza war and plenty of toxic social behaviour and misleading propaganda about human and gender identity. Each of them affects us if it catches us unprepared. The best time to learn about moments like this is to prepare in the good days so as to be ready to face the bad ones. Until next time, stay safe :)


Written by Nicola Andrei-George

Just your regular computer science student, passionate about AI and satellite communication. You can contact me at nicola.andrei.g@gmail.com
