Nigeria’s National Cyber Emergency Response Team (ngCERT) says the global IT outage caused by a recent CrowdStrike software update is now affecting over 8.5 million users.
The update to the CrowdStrike Falcon agent led to widespread system crashes, known as the “blue screen of death” (BSOD), primarily on Windows clients and servers, with no issues recorded for Mac and Linux users, according to ngCERT, which is urging caution against cybercriminals exploiting the incident.
Scope and Impact
ngCERT says the outage has disrupted businesses and individuals across sectors including airlines, banking, trading and media. On-premises systems and cloud platforms such as Microsoft 365, Windows, Azure and Amazon Web Services were affected, particularly those running Falcon sensor versions 7.15 and 7.16.
The issue originated from a faulty CrowdStrike Falcon agent update that caused unresponsiveness and startup failures on Windows machines. The problem was not the result of a security breach or cyberattack but of a defect in the Falcon content update, ngCERT says.
Exploitation by Malicious Actors
Despite the non-malicious origin, threat actors have exploited the incident to launch attacks against CrowdStrike customers, using mass-scale phishing domains that target end users in order to inflict damage and intrude on systems.
According to ngCERT, “This incident underscores the need for constant vigilance, prompt action, and robust cybersecurity measures in our increasingly interconnected digital world. Threat actors are leveraging the flaw with mass-scale phishing domains to target unsuspecting end users, inflict damage and intrude on systems.”
According to ngCERT, some identified domains employed to impersonate CrowdStrike by the threat actors are as follows:
crowdstrike.phpartners[.]org
crowdstrike0day[.]com
crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com
crowdstrikeupdate[.]com
crowdstrikebsod[.]com
www.crowdstrike0day[.]com
www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info
www.microsoftcrowdstrike[.]com
crowdstrikeoday[.]com
crowdstrike[.]buzz
www.crowdstriketoken[.]com
www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com
microsoftcrowdstrike[.]com
crowdstrikedoomsday[.]com
crowdstrikedown[.]com
whatiscrowdstrike[.]com
crowdstrike-helpdesk[.]com
crowdstrikefix[.]com
fix-crowdstrike-bsod[.]com
crowdstrikedown[.]site
crowdstuck[.]org
crowdfalcon-immed-update[.]com
crowdstriketoken[.]com
crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com
crowdstrikefix[.]zip
crowdstrikereport[.]com
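The list above is written defanged (“[.]” in place of the last dot), which is how an analyst would paste it into a blocklist or a log search. The following PowerShell script is an added example, not tooling from ngCERT or CrowdStrike: it refangs a subset of those domains, then checks DNS and proxy log entries against them, treating a listed domain as covering its subdomains. The log format and the sample log lines are constructed for illustration.

```powershell
# Added example, not ngCERT's or CrowdStrike's tooling: match DNS/proxy log entries
# against the defanged phishing domains listed in the advisory. The log format and
# the log lines below are constructed for illustration.

# A subset of the advisory's domains, pasted in defanged form.
$DefangedIocs = @(
    'crowdstrike0day[.]com',
    'crowdstrike-bsod[.]com',
    'www.fix-crowdstrike-bsod[.]com',
    'crowdstuck[.]org',
    'crowdstrikefix[.]zip'
)

function ConvertFrom-Defanged {
    # Turn '[.]', '(.)' or '{.}' defanging back into a real lowercase host name
    # and drop any scheme or path that came with it.
    param([Parameter(Mandatory)][string]$Indicator)
    $h = $Indicator.Trim().ToLowerInvariant() -replace '^hxxps?://', ''
    $h = $h -replace '\[\.\]|\(\.\)|\{\.\}', '.'
    return ($h -split '[/\s]')[0]
}

# Case-insensitive lookup of refanged indicators.
$IocSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($i in $DefangedIocs) { [void]$IocSet.Add((ConvertFrom-Defanged -Indicator $i)) }

function Test-HostAgainstIocs {
    # Return the matching indicator for a host name, or $null. A listed domain also
    # covers its subdomains (cdn.crowdstrike0day.com matches crowdstrike0day.com).
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().TrimEnd('.') -split '\.'
    for ($n = 0; $n -lt $labels.Count - 1; $n++) {
        $candidate = $labels[$n..($labels.Count - 1)] -join '.'
        if ($IocSet.Contains($candidate)) { return $candidate }
    }
    return $null
}

# Constructed sample log in a simplified "timestamp client action host" form.
$SampleLog = @'
2024-07-20T08:01:12Z 10.0.0.15 DNS-QUERY login.microsoftonline.com
2024-07-20T08:02:47Z 10.0.0.15 DNS-QUERY cdn.crowdstrike0day.com
2024-07-20T08:03:10Z 10.0.0.22 HTTP-GET  www.fix-crowdstrike-bsod.com
2024-07-20T08:04:55Z 10.0.0.31 DNS-QUERY falcon.crowdstrike.com
2024-07-20T08:05:02Z 10.0.0.31 HTTP-GET  crowdstrikefix.zip
'@

$Hits = foreach ($line in ($SampleLog -split "`r?`n")) {
    if (-not $line.Trim()) { continue }
    $fields = $line -split '\s+'
    $ioc = Test-HostAgainstIocs -HostName $fields[-1]
    if ($ioc) {
        [pscustomobject]@{
            Time       = $fields[0]
            Client     = $fields[1]
            Host       = $fields[-1]
            MatchedIoc = $ioc
        }
    }
}

$Hits | Format-Table -AutoSize
```

Matching on the registered domain and every parent label is what keeps a lookalike hosted under a subdomain from slipping past an exact-string comparison, while the legitimate vendor domain in the sample is left alone because only the listed domains are in the set. To run it against real data, replace the here-string with `Get-Content` on the exported log and adjust the field index to wherever that log puts the host name.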
Consequences
Exploitation of these vulnerabilities could lead to:
Data breaches
Harm to organizational reputation
Financial losses
Ransomware attacks
Denial of Service (DoS) attacks
Mitigation Steps
ngCERT and CrowdStrike urge users to apply the latest security updates from CrowdStrike and Microsoft. To mitigate the issue:
Avoid clicking on any identified malicious links.
If affected by the outage:
Start Windows in Safe Mode or the Windows Recovery Environment.
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
Delete the file matching “C-00000291*.sys”.
Restart the device.
Recovery of systems might require a BitLocker key.
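The four steps above can be scripted once the machine is in Safe Mode. The PowerShell script below is an added example, not CrowdStrike’s or ngCERT’s own remediation tooling: it assumes an elevated PowerShell session in Safe Mode, discovers the Windows volume instead of assuming C: (the drive letter can differ when booted into a recovery environment), records the name, size and hash of each file it is about to remove, and runs as a dry run until the `-DryRun` switch is removed.

```powershell
# Added example, not CrowdStrike's or ngCERT's own tooling: remove the faulty channel
# file from Safe Mode with an elevated PowerShell session. The Windows volume is
# discovered rather than hard-coded because it is not always C: from a recovery
# environment; a BitLocker-protected volume must be unlocked with its key first.

$Pattern = 'C-00000291*.sys'   # file name pattern quoted in the advisory

function Find-CrowdStrikeDriverDir {
    # Every <drive>:\Windows\System32\drivers\CrowdStrike directory on a mounted volume.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $dir = Join-Path $_.Root 'Windows\System32\drivers\CrowdStrike'
        if (Test-Path -LiteralPath $dir -PathType Container) { $dir }
    }
}

function Remove-FaultyChannelFile {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [switch]$DryRun    # report what would be deleted without touching the disk
    )
    $files = @(Get-ChildItem -LiteralPath $Directory -Filter $Pattern -File -ErrorAction Stop)
    if ($files.Count -eq 0) {
        Write-Output "No file matching $Pattern in $Directory; nothing to do."
        return
    }
    foreach ($f in $files) {
        # Record name, size and hash first so the deletion is auditable afterwards.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Output ("Removing {0} ({1} bytes, SHA256 {2})" -f $f.FullName, $f.Length, $hash)
        Remove-Item -LiteralPath $f.FullName -Force -WhatIf:$DryRun
    }
}

$dirs = @(Find-CrowdStrikeDriverDir)
if ($dirs.Count -eq 0) {
    Write-Warning 'No CrowdStrike driver directory found on any mounted volume.'
    Write-Warning 'If the system volume is BitLocker-protected, unlock it with its key and re-run.'
} else {
    # Dry run first; re-run with -DryRun removed to delete, then Restart-Computer.
    foreach ($d in $dirs) { Remove-FaultyChannelFile -Directory $d -DryRun }
}
```

Keeping the hash of the removed file gives the incident record something to reconcile against CrowdStrike’s published details of the faulty channel file, and the dry run means an operator can see exactly one file name under the expected directory before anything is deleted.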
Technical support is available from CrowdStrike support teams and from the ngCERT Incident Handling Team at incident@cert.gov.ng.