Conversation

Notices

1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:07 JST Kevin Beaumont

   Crowdstrike published a faulty update. Causes Windows to bluescreen. Driver is C-00000291*.sys. Will cause worldwide outages. Thread follows, I suspect. 🧵

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:43 JST Kevin Beaumont

     in reply to

     Billboards in Times Square blue screen of deathing. Nice way to find out which orgs use Crowdstrike, this 🤣

     Source is BBC News, if anybody wondering.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:44 JST Kevin Beaumont

     in reply to

     When I get successfully DDoS’d it’s both a security incident and I’m not protected…

     luithe repeated this.
   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:45 JST Kevin Beaumont

     in reply to

     BBC News at 6 is leading the entire show with this. (They asked me to appear but I was slightly busy).

     For the record I spent much of the day trying to tell people it isn’t a Microsoft issue.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:47 JST Kevin Beaumont

     in reply to

     🤪

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:48 JST Kevin Beaumont

     in reply to

     Probably the funniest BBC news update so far (they’ve cleared the airways for this incident).

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:49 JST Kevin Beaumont

     in reply to

     The chuckle brothers at NoName attempting to claim they caused the incident. To be super clear, NoName can barely DDoS a bike shed website, and once asked me to make their logo in Minecraft.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:50 JST Kevin Beaumont

     in reply to

     lol Microsoft have put ‘reboot each box 15 times’ on its website

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:51 JST Kevin Beaumont

     in reply to

     By far my fave thing with the Crowdstrike thing is Microsoft saying to try turning impacted PCs off and on again in a loop until you get the magic reboot where CrowdStrike updates before it blue screens.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:52 JST Kevin Beaumont

     in reply to

     Crowdstrike publishes updated CIA triad

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:53 JST Kevin Beaumont

     in reply to

     For anybody wondering why Microsoft keep ending up in the frame, they had an Azure outage and- this may be news to some people- a lot of Microsoft support staff are actually external vendors, eg TCS, Mindtree, Accenture etc.

     Some of those vendors use Crowdstrike, and so those support staff have no systems.

     But MS isn’t the outage cause today.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:54 JST Kevin Beaumont

     in reply to

     Crowdstrike statement: https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3A0c379e1f-48df-493c-a11a-f6b1e3d1eb63#post

     Basically 'it's not a security incident... we just bricked a million systems'

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:55 JST Kevin Beaumont

     in reply to

     I'm seeing people posting scripts for automated recovery.. Scripts don't work if the machine won't boot (it causes instant BSOD) -- you still need to manually boot the system in safe mode, get through BitLocker recovery (needs per system key), then execute anything.

     Crowdstrike are huge, at a global scale that's going to take.. some time.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:56 JST Kevin Beaumont

     in reply to

     CrowdStrike's shares are down 20% in pre-market.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:57 JST Kevin Beaumont

     in reply to

     The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted. It's unclear how/why Crowdstrike delivered the files and I'd pause all Crowdstrikes updates temporarily until they can explain.

     This is going to turn out to be the biggest 'cyber' incident ever in terms of impact, just a spoiler, as recovery is so difficult.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:13:58 JST Kevin Beaumont

     in reply to

     BBC tracker (they mix up an earlier Microsoft outage, what they're actually tracking is the Crowdstrike issue) https://www.bbc.co.uk/news/live/cnk4jdwp49et

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:00 JST Kevin Beaumont

     in reply to

     If anybody is wondering, the update was delivered via channel file updates in Crowdstrike.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:01 JST Kevin Beaumont

     in reply to

     I've obtained copies of the .sys driver files Crowdstrike customers have. They're garbage. Each customer appears to have a different one.

     They trigger an issue that causes Windows to blue screen.

     I am unsure how these got pushed to customers. I think Crowdstrike might have a problem.

     For any orgs in recovery mode, I'd suspend auto updates of CS for now.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:02 JST Kevin Beaumont

     in reply to

     Favour to IT folks fixing - could you please copy the C-00000291*.sys file to somewhere and upload it to Virustotal, and reply with the Virustotal link or file hash? It's still unclear if the update was malicious or just a bug.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:03 JST Kevin Beaumont

     in reply to

     Sky News has gone off air in the UK.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:04 JST Kevin Beaumont

     in reply to

     You know it was coming...

     Crowdstrike's BSOP theme tune

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:05 JST Kevin Beaumont

     in reply to

     If anybody is wondering the impact of the Crowdstrike thing - it’s really bad. Machines don’t boot.

     The recovery is boot in safe mode, log in as local admin and delete things - which isn’t automateable. Basically Crowdstrike will be in very hot water.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 06:14:06 JST Kevin Beaumont

     in reply to

     I am obtaining a copy of the driver to see if malicious or bad coding, if anybody else checking let me know.