KEY POINTS
- CrowdStrike, a Texas-based cybersecurity firm, is at the heart of a global IT outage that is affecting companies ranging from banks to airlines.
- On Friday 19th July 2024, CrowdStrike experienced a significant disruption following an issue with a software update.
- This caused Windows to crash due to a fault in how CrowdStrike’s software update interacted with Windows.

The recent havoc wreaked by a cybersecurity company’s update reverberated through global IT systems, causing widespread outages across various industries, including banking, healthcare, and airlines. This resulted in disrupted services for banks and healthcare providers, blank screens for TV broadcasters, and pronounced turbulence in the air travel sector, leading to grounded planes and extensive delays.
At the epicentre of this ordeal stands CrowdStrike, a cybersecurity vendor based in Texas, which grappled with a significant disruption stemming from a software update issue.
CrowdStrike told NBC that it is in the process of rolling back the update that caused the issue, and later said a fix for the defect had been deployed.
“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted,” CEO George Kurtz said in a statement on X.
For the latest information that we will continuously update, please refer to the CrowdStrike website (https://crowdstrike.com/blog/statement-on-windows-sensor-update/…), my posts on LinkedIn, and my posts on X. I will continue to provide updates to our community and the industry as they become available.
Now, let’s unravel the precise details of what transpired.

Technical Details: Falcon Content Update for Windows Hosts
CrowdStrike Sensor Configuration Update Incident
On July 19, 2024 at 04:09 UTC, CrowdStrike initiated a sensor configuration update as part of its ongoing operations to bolster the protection mechanisms of the Falcon platform on Windows systems. Regrettably, this update triggered a logic error that resulted in system crashes and the dreaded blue screen (BSOD) on impacted systems.
Taking swift action, CrowdStrike remediated the sensor configuration update by Friday, July 19, 2024, 05:27 UTC, effectively resolving the issue. It’s important to emphasize that this incident was not the result of a cyberattack, but rather an unforeseen impact of the sensor configuration update.
Understanding the significance of such events on users’ systems, CrowdStrike is steadfast in its commitment to prioritizing the reliability and security of its platform, continuously refining its processes to mitigate the risk of similar occurrences in the future.
Understanding the Impact of the Recent Falcon Sensor Issue
In the world of cybersecurity, even the smallest glitch can have far-reaching consequences. Recently, customers using the Falcon sensor for Windows version 7.11 and above found themselves caught in the crosshairs of a potentially disruptive event. During a specific timeframe – between Friday, July 19, 2024, 04:09 UTC and 05:27 UTC – systems that downloaded the updated configuration were susceptible to a system crash. This means that the smooth operation of these systems was suddenly compromised, calling attention to the significant impact that such incidents can have on businesses and individuals alike. Vigilance and swift action are crucial in times like these, and it’s essential for all of us to stay informed and prepared as we navigate the ever-evolving landscape of cybersecurity threats.
Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.
Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 04:09 UTC to 05:27 UTC were susceptible to a system crash.
Configuration File Primer
The configuration files referred to as “Channel Files” play a crucial role in the behavioral protection mechanisms deployed by the Falcon sensor. Updates to these files are seamlessly integrated into the sensor’s operations, occurring multiple times throughout the day in response to newly uncovered tactics, techniques, and procedures. It’s important to note that this process has been a fundamental part of Falcon’s architecture since its inception, underlining its ongoing commitment to staying ahead in the ever-evolving landscape of cybersecurity.
Technical Details
On Windows systems, there’s a crucial directory where Channel Files reside: C:\Windows\System32\drivers\CrowdStrike\. These files bear names that kick off with “C-” and are each assigned a unique identifier number. In the context of this event, the impacted Channel File is 291. You can recognize it by its filename, which starts with “C-00000291-” and ends with a .sys extension. It’s worth noting that, despite the .sys extension, these files are not kernel drivers.
Channel File 291 plays a pivotal role in how Falcon evaluates named pipe execution on Windows systems. Named pipes, as you may know, are instrumental for interprocess communication within the Windows environment.
The update that took place at 04:09 UTC aimed to target newly observed, malicious named pipes utilized by common C2 frameworks in cyberattacks. Unfortunately, a logic error triggered by the configuration update led to an operating system crash. Stay tuned for more insights and updates on this evolving situation.
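The impact criteria and the Channel File 291 naming described above, combined into a fleet triage check. This is an added example, not CrowdStrike's code or tooling; the inventory record layout, host names, sensor version strings and file names are constructed, and it assumes a file's modification time approximates when it was downloaded.

```python
import re
from datetime import datetime, timezone

# Impact window and minimum sensor version as stated in the article.
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)
MIN_SENSOR = (7, 11)
# Channel File 291 naming from the article: "C-00000291-" prefix, ".sys" suffix.
CHANNEL_291 = re.compile(r"^C-00000291-.*\.sys$", re.IGNORECASE)

def utc(hour, minute):  # helper for constructed sample times on 19 July 2024 (UTC)
    return datetime(2024, 7, 19, hour, minute, tzinfo=timezone.utc)

def parse_version(text):
    """Numeric (major, minor), so '7.9' sorts below '7.11'; a string compare would not."""
    return tuple(int(part) for part in text.split(".")[:2])

def triage(host):
    """Return 'outside_criteria', 'may_be_impacted' or 'window_file_present'."""
    if host["platform"].lower() != "windows":
        return "outside_criteria"
    if parse_version(host["sensor_version"]) < MIN_SENSOR:
        return "outside_criteria"
    # At least one online interval [start, end] must intersect the impact window.
    if not any(s <= WINDOW_END and e >= WINDOW_START for s, e in host["online"]):
        return "outside_criteria"
    # Assumption: a file's modification time approximates when it was downloaded.
    for name, mtime in host.get("channel_files", []):
        if CHANNEL_291.match(name) and WINDOW_START <= mtime <= WINDOW_END:
            return "window_file_present"
    return "may_be_impacted"

# Constructed inventory: host names, versions and file names are made up.
FLEET = [
    {"name": "ws-01", "platform": "Windows", "sensor_version": "7.11.1",
     "online": [(utc(3, 0), utc(4, 30))],
     "channel_files": [("C-00000291-00000000-00000001.sys", utc(4, 12))]},
    {"name": "ws-02", "platform": "Windows", "sensor_version": "7.9.4",
     "online": [(utc(4, 0), utc(6, 0))]},
    {"name": "ws-03", "platform": "Windows", "sensor_version": "7.15.0",
     "online": [(utc(1, 0), utc(2, 0)), (utc(5, 20), utc(8, 0))]},
    {"name": "ws-04", "platform": "Windows", "sensor_version": "7.12.0",
     "online": [(utc(5, 28), utc(9, 0))]},
    {"name": "mac-01", "platform": "macOS", "sensor_version": "7.14.0",
     "online": [(utc(4, 0), utc(6, 0))]},
]

if __name__ == "__main__":
    for host in FLEET:
        print(host["name"], triage(host))
```

Hosts that come back as `may_be_impacted` or `window_file_present` are the ones to check against CrowdStrike's remediation guidance first.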
Channel File 291
Evaluating and Protecting Against Named Pipes Abuse
The recent update from CrowdStrike indicates that the logic error in Channel File 291 has been rectified. According to their announcement, no further modifications will be made to Channel File 291 apart from the necessary logic update. Additionally, Falcon is currently assessing and implementing measures to safeguard against the abuse of named pipes.
It’s worth noting that CrowdStrike has clarified that this issue is unrelated to the presence of null bytes in Channel File 291 or any other Channel File. This development underscores the ongoing efforts to fortify systems and address potential vulnerabilities.
Remediation
The latest remediation recommendations and information can be accessed directly from CrowdStrike’s blog or through the Support Portal.
They recognize that some customers may have specific support requirements and encourage them to reach out for assistance.
It’s important to note that systems not currently affected will continue functioning as expected, provide ongoing protection, and carry no risk of encountering this issue.
Furthermore, it’s reassuring to know that systems operating on Linux or macOS, which do not utilize Channel File 291, remain unaffected by this incident.
Root Cause Analysis
CrowdStrike understands how this issue occurred and is conducting a thorough root cause analysis to determine the logic flaw. This effort is ongoing: CrowdStrike will continue to identify any foundational or workflow improvements and will update the findings in the root cause analysis as the investigation progresses.
Conclusion
The July 19, 2024, incident significantly affected Windows systems running the Falcon sensor. Swift identification and remediation minimized further impact. CrowdStrike is dedicated to offering robust security solutions and works actively to prevent future occurrences through comprehensive root cause analysis and process improvements. Please consult CrowdStrike’s official blog and Support Portal for the latest information and technical details.
The video below, intended for remote users with local administrator privileges, outlines the steps required to self-remediate a Windows laptop experiencing a blue screen of death (BSOD) related to the recent defect in a CrowdStrike content update for Windows hosts. Follow these instructions if directed to do so by your organization’s IT department. 🛡️ CrowdStrike’s Remediation and Guidance Hub: https://www.crowdstrike.com/falcon-co…

Details about Pipes by Microsoft
New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints
Disclaimer
This post is based on the information available as of now. CrowdStrike’s investigation is ongoing, and further updates will be provided as new insights are gained.

