
CrowdStrike Outage Left Corporate Devices Open to Email-Based Attacks

If your work environment runs mainly on Microsoft Windows, you probably experienced one of the most significant IT outages to date. The outage was caused by a cybersecurity firm named CrowdStrike. CrowdStrike offers detection and mitigation for cyber-attacks and threats, and its software is integrated into thousands of corporate environments.

As with most cybersecurity businesses, frequent updates allow their software to detect the latest threats in the wild. On July 19, 2024, CrowdStrike deployed a patch to its system to detect recent threats. Developers mistakenly introduced a logic bug, which affected Windows machines. Any desktop, workstation, or business server running Windows with CrowdStrike installed suffered the infamous “blue screen of death” (BSOD). A Windows BSOD renders the machine unusable and unresponsive. A reported 8.5 million machines were affected.

Remediation efforts were quickly deployed, but this outage was unique because a server or desktop stuck in a BSOD cannot respond to remote commands either. Administrators must be physically next to the machine to fix it, so remediation can take days for larger organizations without local administrators.

Leaving an Open Vulnerability to Attackers

The logic error in CrowdStrike’s protection software left large businesses unable to function. Commuters were stuck at airports, unable to get flights. Banks were forced to work with paper and pen. Times Square in New York City displayed a blue screen while its administrators rushed to fix the bug. CrowdStrike deployed a patch, and Microsoft helped its customers wherever it could. Focusing on remediation left an opening for attackers.

While administrators rushed to fix Windows systems, Mac and Linux machines were unaffected. Some Windows machines without CrowdStrike installed were also free from crashes. Some businesses could continue working on the machines still available to users, but attackers quickly found ways to inject malware into corporate environments.

Reports from cybersecurity researchers indicated that files named “crowdstrike-hotfix.exe” or “crowdstrike-patch-hotfix.zip” were being distributed across the internet. The file names varied, but the goal was the same: the files contained malware. The file names were chosen to trick users and administrators into thinking they were official CrowdStrike hotfixes for the bug.

Delivery of Malware Started with a Phishing Email

To deliver malware, attackers need a way to put the malicious files in front of users. Corporations suffered critical downtime, so administrators were panicked and stressed. This stress leaves an opening for attackers when administrators are too busy and pressured to take precautions and remember their training. It’s hard to imagine a trained professional falling for a phishing email, but a sense of urgency is a reliable way to bypass security awareness training.

The phishing email might carry the malicious file as an attachment, or it might contain an embedded link pointing to a server hosting the malware; both options were available to attackers. In the second case, the web page must convince readers to download and run the malicious file. It’s possible that some administrators disabled detection tools to stop the CrowdStrike crashes, so some environments were more vulnerable than others. As with most threats, the chosen attack vector was email.

If your organization did not have email and web content filters, you may have seen one of these email messages. Relying entirely on security training is a mistake; businesses with good email security would have blocked these threats. The CrowdStrike lure was a zero-day, built specifically for the July 19th incident, but good email filters use artificial intelligence (AI) to catch zero-day phishing and malware threats.

A cloud-based approach is one way to avoid issues with on-premises systems. Cloud-based email security filters email at the DNS level so threats never reach your email servers. Even if you shut off on-premises infrastructure, a cloud-based DNS email filter keeps stopping malicious emails and phishing messages while your servers are down. DNS-based filters also prevent users from reaching servers hosting malware, so a message that slips through the email filter as a false negative must still get past this second security layer.
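To show how the two layers described here work together against the fake “hotfix” lures mentioned earlier, here is an added example (not PhishTitan’s or CrowdStrike’s code) of a small two-stage triage: an email-content check for vendor-impersonation attachments, followed by a DNS-style block of link hosts. The keyword list, `.example` domains and sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed heuristics: extensions that run code or unpack to it, and
# words seen in the fake "hotfix" file names reported after the outage.
RISKY_EXTS = (".exe", ".zip", ".msi", ".bat", ".ps1", ".scr")
LURE_WORDS = ("crowdstrike", "hotfix", "patch", "bsod", "fix")
# Assumed configuration: the org's vendor allow-list and the DNS layer's blocklist.
TRUSTED_SENDER_DOMAINS = {"vendor-support.example"}
DNS_BLOCKLIST = {"hotfix-download.example"}

@dataclass
class Email:
    sender: str
    subject: str
    attachments: list
    links: list

def _host(url):
    """Return the lowercased host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def layer1_email_filter(msg):
    """Layer 1: vendor-themed lure plus a risky attachment from an untrusted sender."""
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    text = (msg.subject + " " + " ".join(msg.attachments)).lower()
    themed = sum(word in text for word in LURE_WORDS) >= 2
    risky = any(a.lower().endswith(RISKY_EXTS) for a in msg.attachments)
    if themed and risky and sender_domain not in TRUSTED_SENDER_DOMAINS:
        return "layer1: impersonated hotfix with executable/archive attachment"
    return None  # a link-only lure with a bland subject passes this layer

def layer2_dns_filter(msg):
    """Layer 2: refuse any embedded link whose host the DNS filter already blocks."""
    for url in msg.links:
        if _host(url) in DNS_BLOCKLIST:
            return "layer2: link host %s is DNS-blocked" % _host(url)
    return None

def triage(msg):
    """Run the layers in order; the second catches what the first misses."""
    return layer1_email_filter(msg) or layer2_dns_filter(msg) or "allowed"

# Constructed sample messages; the first attachment name mirrors the reported lure.
SAMPLES = [
    Email("it-alerts@hotfix-download.example", "URGENT: CrowdStrike BSOD hotfix",
          ["crowdstrike-hotfix.exe"], []),
    Email("helpdesk@outage-news.example", "Steps to restore your PCs today",
          [], ["https://hotfix-download.example/restore"]),
    Email("support@vendor-support.example", "Remediation guidance (PDF)",
          ["remediation-steps.pdf"], []),
]
```

Running `triage` over `SAMPLES` blocks the first message at layer 1, lets the link-only second message past layer 1 but stops it at layer 2, and allows the trusted PDF.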

Security awareness training is helpful but should be the last security layer. During critical cyber events such as the CrowdStrike outage, having as many layers as possible to protect users reduces the risks of additional attacks. Once attackers know you are vulnerable to one exploit, they will target your organization with others. Email security is one critical layer in stopping cyber-criminals from taking advantage of busy administrators struggling to remediate downtime during outages.

Ready to strengthen your organization's security? Explore PhishTitan's capabilities and fortify your M365 defenses. Book a PhishTitan Demo.
