
The Cyber Security Fallout of CrowdStrike Global IT Outage

Before I get into some of the cyber security fallout from the CrowdStrike global IT outage, you can read some of my thoughts on the incident here:

The Wednesday Bit on Monday – CrowdStrike Global IT Outage

In this article I look at just a couple of the cyber security implications of an IT issue on this scale and one that is widely reported in the non-technical media.

Threat Actors Strike

As with any high-profile incident, in which real people are suffering and there is uncertainty about what is happening, the threat actors took very little time to exploit it heartlessly. The BBC was already reporting on scams and phishing campaigns on the day after the news broke and computers started crashing (Tidy, 2024). The National Cyber Security Centre (NCSC) had already got its advice out there on Friday (NCSC, 2024).

This was followed up on Sunday by a report that data wiper and remote access malware had been detected in phishing emails pretending to be official sources of information and fixes for the CrowdStrike failed update (Ilascu, 2024).

There is only one source of information to fix this issue – CrowdStrike. If you need it, go there directly, not via a link in an email. If you do not use CrowdStrike (which is probably the majority of my readers), this is still your takeaway from this incident: get your critical information, updates and fixes directly from the vendor, and don’t follow “helpful” email links.
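A link that displays the vendor’s name proves nothing about where it goes. As an added illustration (this is example code, not anything from the original article or from CrowdStrike), here is a small Python check that pulls every link out of an email body and sorts it into “trusted” (the registrable domain really is the vendor’s), “lookalike” (the vendor’s name appears in the host, but the domain belongs to someone else) and “untrusted”. The vendor domain crowdstrike.com is the only real name used; every other host, and the email text itself, is constructed for the example and uses the reserved .example top-level domain.

```python
import re
from urllib.parse import urlparse

# Added example, not code from the original article. The sample email and
# all *.example hosts below are constructed for illustration.

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Digits commonly swapped for letters in lookalike host names (cr0wdstrike).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for .com-style names; a production tool should use the
    Public Suffix List so that names such as vendor.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise_host(host: str) -> str:
    """Undo cheap tricks used to make a host look like the vendor's."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_link(url: str, vendor_domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for one URL.

    trusted   : the registrable domain of the real host is the vendor's
    lookalike : the vendor's name appears anywhere in the authority part
                (host, or user-info such as vendor.com@attacker.example)
                but the real registrable domain is someone else's
    untrusted : anything else
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()     # user-info (name@) stripped
    if not host:
        return "untrusted"
    if registered_domain(host) == vendor_domain.lower():
        return "trusted"
    vendor_name = vendor_domain.split(".")[0].lower()
    # Check the whole netloc so the vendor.com@attacker trick is caught too.
    if vendor_name in normalise_host(parsed.netloc):
        return "lookalike"
    return "untrusted"


def scan_email(body: str, vendor_domain: str = "crowdstrike.com") -> list[tuple[str, str]]:
    """Extract every http(s) link from an email body and classify it."""
    return [(url, classify_link(url, vendor_domain)) for url in URL_RE.findall(body)]


# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """\
Subject: URGENT: CrowdStrike hotfix for the blue-screen issue

Install the official fix now: https://crowdstrike-hotfix.example/csagent_fix.zip
Vendor advisory: https://www.crowdstrike.com/blog/
Mirror 1: https://crowdstrike.com.example/update
Mirror 2: http://cr0wdstrike.example/patch
Mirror 3: https://www.crowdstrike.com@cdn.example/fix
Press coverage: https://news.example/outage
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:<10} {url}")
```

Of the six links in the constructed message only the www.crowdstrike.com advisory comes out as trusted; the hotfix download, the vendor name used as a subdomain, the zero-for-o swap and the name-before-@ trick are all flagged as lookalikes. The check trusts any subdomain of the vendor’s domain, so it is a triage aid for an inbox, not a substitute for typing the vendor’s address yourself.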

No Updates!

An extensively reported IT incident like this, hitting many ordinary people – chaos at airports and disruption in the NHS – may tempt organisations to avoid updates and patches, for fear of being caught up in some hypothetical future “global IT outage”. I am just going to quote the NCSC advice at this point:

“Installing security updates is still an essential security practice and organisations should continue to install them when they are available.” (NCSC, 2024)

You cannot stop applying updates and patches – this would just play into the threat actors’ hands.


Have an incident response plan.

An incident response plan does not need to be complicated, but it does need to cover your mission-critical processes and include a pre-written selection of responses for stakeholders, so everyone knows what is going on.

Next…

On one of the blogs I write there will be an article about “your inbox”!

Clive Catton MSc (Cyber Security) by-line and other articles

References

Tidy, J. (2024, July 20). Crowdstrike: Global cyber agencies warn about scammers. BBC News. https://www.bbc.co.uk/news/articles/cq5xy12pynyo

Ilascu, I. (2024, July 21). Fake CrowdStrike fixes target companies with malware, data wipers. BleepingComputer. https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/

NCSC. (2024, July 19). Statement on major IT outage. National Cyber Security Centre. https://www.ncsc.gov.uk/news/major-it-outage

Further Reading

For those of you who want more information, here is an excellent article by Johannes Ullrich in the SANS Internet Storm Center diary:

CrowdStrike: The Monday After – SANS Internet Storm Center

…and if you or your team get a phishing email?

Back-to-Basics – A Phishing Email Primer

Photo by Miguel Á. Padriñán