The global IT outage caused by a faulty Crowdstrike Falcon update may be a wakeup call for cybersecurity.
While CrowdStrike CEO George Kurtz assured the public Friday morning that the outage was not “a security incident or cyberattack,” its impact is comparable to that of a major supply chain attack.
“This issue exposes the same hazard as in the SolarWinds incident: an update (in this case, non-malicious) to a widespread administrative tool had far-reaching impact,” noted Andy Ellis, former Akamai CISO and current operating partner at cybersecurity venture capital firm YL Ventures, in an email to SC Media.
Related: CrowdStrike confirms faulty update is tied to massive global IT outage: ‘Fix has been deployed’
Related: Security pros brace for manual system-by-system fix to CrowdStrike outage
While there are plenty of lessons to be learned in the long-term aftermath of this incident, the immediate impact may also leave affected organizations open to attacks from threat actors eager to take advantage of the ongoing IT disaster.
“Teams are in crisis containment mode, and not eyes on the glass for other attacks,” Armis CTO and Co-founder Nadir Izrael told SC Media. “While teams scramble to restore operations by any means necessary, they are prioritizing uptime of operations vs. security – so they might be inadvertently creating more loopholes, more misconfigurations, and basically more vulnerabilities that can be taken advantage of.”
Amidst the turmoil, Kurtz stated that CrowdStrike customers “remain fully protected,” which may be little comfort to stressed out IT teams.
“The one (heavily tarnished) silver lining is that the failure of the CrowdStrike software isn’t what’s known as ‘fail-open,’ when a security system that breaks just shuts itself down, but rather ‘fail-closed,’ when the failed security system prevents normal functionality,” Ellis explained. “So most customers weren’t immediately exposed to a new security risk … but they might be when they come up, if they decide to just turn off CrowdStrike.”
Attackers quickly take advantage ‘blue screen of death’ incident
Within hours of the incident, security researchers began to report on threat actors leveraging the outage for phishing campaigns.
Phishing domains such as “crowdstrikebluescreen[.]com” and “crowdstrikefix[.]com” were discovered by user JCyberSec_ on X, formerly known as Twitter, who posted screenshots of sites impersonating CrowdStrike or attempting to sell phony solutions to the “blue screens of death.”
Phishing emails from “Crowdstrike Support” or “Crowdstrike Security” were also reported by some users to the SANS Technology Institute’s Internet Storm Center.
“I do not have any samples at this point, but attackers are likely leveraging the heavy media attention. Please be careful with any ‘patches’ that may be delivered this way,” wrote Internet Storm Center Founder Johannes Ullrich.
“During emergencies, people may neglect security best practices, becoming vulnerable to social engineering. Attackers might post as IT staff, sending malicious software under the guise of urgent updates,” Entro Security CEO and co-founder Itzik Alvas told SC Media.
Another problem that puts organizations at great cyber risk in the aftermath of the outage is a loss of trust in CrowdStrike, which could lead to hasty removal of vital endpoint protections.
“As customers start to recovery [sic], they’ll most likely disable or modify their Crowdstrike protections. This is going to leave a whole lore [sic] of people exposed!” Cisco Talos Senior Intelligence Analyst Azim Khodjibaev wrote on X. “I urge the entire community to help anyone and everyone they can in this situation. With a collective mindset we can all mitigate the impact of this.”
Global IT outage exposes weaknesses in update safety, cyber resilience
With the root case of the “blue screens of death” (BSODs) being an automatic CrowdStrike Falcon update on Windows hosts, cybersecurity professionals noted the risk of installing updates without prior safety checks.
“My hope is that this becomes a wakeup call to organizations when it comes to implementing updates. Proper testing and a healthy dose of skepticism is often necessary. Just because the vendor is ‘best in breed,’ does not mean they are immune,” said Dustin Sachs, senior director of programs and chief technologist at SC Media’s parent company CyberRisk Alliance.
Andy Ellis, of YL Ventures, also noted how the incident highlights the risks posed by tools with remote administrative capabilities, including those such as CrowdStrike Falcon and SolarWinds Orion.
“There will hopefully be a lot of discussion around the role of administrative software in the enterprise. Some of that happened post-SolarWinds, but only on the server-side. There is too much security software that runs with administrative privileges all across the ecosystem, and it’s time for companies to consider whether that is safer than any other alternative,” Ellis said.
Attacks and disruptions in the software supply chain, including the cybersecurity supply chain, continue to be a pain point following incidents involving Snowflake, open-source components like xz utils and Polyfill.io, and now CrowdStrike Falcon. Such events emphasize the need for a zero-trust approach to software systems.
“With this historical outage along with other recent software supply chain catastrophic events, such as SolarWinds and Log4j, we cannot accept with blind trust software updates nor blindly trust cybersecurity or cryptography practices,” SandboxAQ Chief Scientist Carlos Aguilar Melchor told SC Media. “Every company should implement observability in their software systems right away to monitor these high-impact platforms and prevent these catastrophes.”
Experts also noted the resiliency challenges exposed by the global outages, partly driven by increasing consolidation in the cybersecurity market.
“Today’s outage is a reminder of the fragility and systemic ‘nth-party’ concentration risk of the technology that runs everyday life: airlines, banks, telecoms, stock exchanges, and more. SecurityScorecard, in collaboration with McKinsey, produced research showing that 62% of the global external attack surface is concentrated in the products and services of just 15 companies,” SecurityScorecard CEO Aleksandr Yampolskiy told SC Media. “An outage is just another form of security incident. Antifragility in these situations comes from not putting all your eggs in one basket.”
Evolve CEO Alan Stephenson-Brown added that the incident demonstrates that “even large corporations aren’t immune to IT troubles” and “this outage highlights the importance of having distributed data centres and rerouting connectivity that ensures business can continue functioning when cloud infrastructure is disrupted.”