Issue Overview and Impact

Integrity360 is aware of an ongoing issue affecting Windows users, causing a Blue Screen of Death (BSOD) and resulting in devices getting stuck at the “Recovery” screen. CrowdStrike has confirmed that a recent update to its sensors is the cause of this problem.

Below, we have provided the steps that can be taken to mitigate the BSOD and Recovery screen loop issue.

Details

  • Symptoms include hosts experiencing a bugcheck/blue screen error related to the Falcon Sensor.
  • Windows hosts which have not been impacted do not require any action, as the problematic channel file has been reverted.
  • Windows hosts which are brought online after 0527 UTC will also not be impacted.
  • Hosts running Windows 7/2008 R2 are not impacted.
  • This issue is not impacting Mac- or Linux-based hosts.
  • Channel file "C-00000291*.sys" with a timestamp of 0527 UTC or later is the reverted (good) version.
  • Channel file "C-00000291*.sys" with a timestamp of 0409 UTC is the problematic version.

Current Action

  • CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
  • If hosts are still crashing and are unable to stay online long enough to receive the channel file changes, the following steps can be used to work around this issue:

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
  • Boot Windows into Safe Mode or the Windows Recovery Environment.
  • Note: putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  • Locate the file matching “C-00000291*.sys” and delete it.
  • Boot the host normally.

Note: BitLocker-encrypted hosts may require a recovery key.

Workaround Steps for public cloud or similar environments, including virtual:

Option 1:

  • Detach the operating system disk volume from the impacted virtual server.
  • Create a snapshot or backup of the disk volume before proceeding further, as a precaution against unintended changes.
  • Attach/mount the volume to a new virtual server.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  • Locate the file matching “C-00000291*.sys” and delete it.
  • Detach the volume from the new virtual server.
  • Reattach the fixed volume to the impacted virtual server.

Option 2:

  • Roll back to a snapshot taken before 0409 UTC.
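An added example, not part of the Integrity360 alert or CrowdStrike's own guidance, that applies the individual-host and mounted-volume steps above as one script: it lists the C-00000291*.sys files under the given Windows directory, classifies each by the 0409/0527 UTC timestamps the alert cites, and deletes only the problematic one when -Remove is given. It assumes the file's last-write time (in UTC) reflects those channel file timestamps, and that it is run from Safe Mode or on a recovery VM with the affected volume attached (for example -SystemRoot 'E:\Windows').

```powershell
# Added example, not from the Integrity360 alert or CrowdStrike. Run from Safe Mode
# (default $SystemRoot) or on a recovery VM with the affected volume attached
# (e.g. -SystemRoot 'E:\Windows'). Without -Remove the script only reports.
param(
    [string]$SystemRoot = $env:WINDIR,
    [switch]$Remove
)

$dir = Join-Path $SystemRoot 'System32\drivers\CrowdStrike'

# Timestamps cited in the alert (2024-07-19): 0409 UTC = problematic, 0527 UTC or later = reverted.
# Assumption: the file's last-write time in UTC reflects that channel file timestamp.
$badUtc  = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
$goodUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $dir)) {
    Write-Warning "Directory not found: $dir (is the volume attached and the path correct?)"
    return
}

$files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) { Write-Host "No C-00000291*.sys file present in $dir"; return }

foreach ($f in $files) {
    $ts = $f.LastWriteTimeUtc
    if ($ts -ge $goodUtc) {
        Write-Host "GOOD    $($f.Name)  $ts UTC  reverted version, leaving in place"
    }
    elseif ($ts -ge $badUtc) {
        # Between 0409 and 0527 UTC on 2024-07-19: the problematic build
        Write-Host "BAD     $($f.Name)  $ts UTC  matches the problematic 0409 UTC version"
        if ($Remove) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "        deleted; boot the host normally"
        } else {
            Write-Host "        re-run with -Remove to delete it"
        }
    }
    else {
        Write-Host "UNKNOWN $($f.Name)  $ts UTC  older than 0409 UTC, verify manually before deleting"
    }
}
```

Take the snapshot or backup described in Option 1 before running it with -Remove on a detached cloud volume.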

AWS-specific documentation:

Azure environments: 

  • Please see this Microsoft article (https://azure.status.microsoft/en-gb/status).


BitLocker recovery-related KBs:

  • BitLocker recovery in Microsoft Azure (/s/article/ka16T000001tlmZQAQ)
  • BitLocker recovery in Microsoft environments using SCCM (/s/article/ka16T000001tlmeQAA)
  • BitLocker recovery in Microsoft environments using Active Directory and GPOs (/s/article/ka16T000001tlmjQAA)
  • BitLocker recovery in Microsoft environments using Ivanti Endpoint Manager (/s/article/ka16T000001tlmtQAA)
  • BitLocker recovery in Microsoft environments using ManageEngine Desktop Central (/s/article/ka16T000001tln8QAA)
  • BitLocker recovery in Microsoft environments using IBM BigFix (/s/article/ka16T000001tlnSQAQ)

Latest Updates

  • 2024-07-19 05:30 AM UTC | Tech Alert published.
  • 2024-07-19 06:30 AM UTC | Updated and added workaround details.
  • 2024-07-19 08:08 AM UTC | Updated.
  • 2024-07-19 09:45 AM UTC | Updated.
  • 2024-07-19 11:49 AM UTC | Updated.
  • 2024-07-19 11:55 AM UTC | Updated.

More information

We are proactively contacting our Managed Services customers but if you require any assistance with the steps mentioned above or have any further questions, please contact our support team.

We are here to help you through this process and ensure your systems are back to normal as quickly as possible.


Additional advice


In response to the recent CrowdStrike Blue Screen of Death incident, Integrity360 has observed that opportunistic threat actors are taking advantage of the outage by setting up fake CrowdStrike domains and websites in order to perform social engineering attacks. Some are being created for scamming purposes; however, Integrity360 has also observed the (far more dangerous) distribution of ransomware in some cases.


In addition to the above, threat actors are also*:

  • Sending phishing emails posing as CrowdStrike support to customers
  • Impersonating CrowdStrike employees in phone calls
  • Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
  • Selling scripts purporting to automate recovery from the content update issue

*https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-091


The following is a list of fake CrowdStrike domains that have been observed so far:

Please note that not all of these domains are malicious or phishing-related. Some are also set up as harmless "meme" pages, such as a countdown of "days since the last accident". However, it is still advised that enterprises and their IT teams be especially vigilant at this time.


Concerns and Recommendations:

  • Verify that all CrowdStrike-related communication received is from official sources.
  • Watch out for any websites redirecting to payment pages requesting cryptocurrencies under the guise of providing a fix or offering support services.
  • As always when avoiding phishing websites:
    • Check the URL carefully
    • Inspect the website content
    • Check for suspicious requests
    • Verify links before clicking
    • Check the contact information
    • Report any suspicious activity
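An added example, not from the Integrity360 alert, of the first two recommendations applied to log data: a PowerShell check that flags DNS query names whose registrable domain contains the CrowdStrike brand but is not the vendor's own domain, so that a real subdomain passes while a lookalike registration is reported. The allowlist (crowdstrike.com) and the sample log lines are assumptions constructed for the example.

```powershell
# Added example, not from the Integrity360 alert. Flags brand lookalike domains in
# DNS or proxy logs. The allowlist and the sample lines below are constructed assumptions.
$Brand     = 'crowdstrike'
$Allowlist = @('crowdstrike.com')   # assumption: the vendor's own registrable domain

function Get-RegistrableDomain {
    param([string]$Fqdn)
    # Naive "last two labels" rule; adequate for .com/.zip/.site style names,
    # extend with a public-suffix list for names such as example.co.uk.
    $labels = $Fqdn.Trim().TrimEnd('.').ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-BrandLookalike {
    param([string]$Fqdn)
    $reg = Get-RegistrableDomain -Fqdn $Fqdn
    # falcon.crowdstrike.com reduces to the allowlisted domain and passes;
    # crowdstrike-helpdesk.com, a domain named in the alert, contains the brand and does not.
    return ($reg.Contains($Brand)) -and ($Allowlist -notcontains $reg)
}

# Constructed sample lines: "<timestamp> <client IP> <query name>" (not real telemetry)
$SampleLog = @(
    '2024-07-19T09:02:11Z 10.0.0.12 falcon.crowdstrike.com',
    '2024-07-19T09:03:40Z 10.0.0.17 crowdstrike-helpdesk.com',
    '2024-07-19T09:04:05Z 10.0.0.21 login.microsoftonline.com',
    '2024-07-19T09:05:59Z 10.0.0.33 www.crowdstrikefix.zip'
)

foreach ($line in $SampleLog) {
    $ts, $ip, $name = $line -split '\s+', 3
    if (Test-BrandLookalike -Fqdn $name) {
        Write-Host "ALERT $ts $ip queried lookalike domain $name; review for phishing or scam activity"
    }
}
```

Point $SampleLog at your own DNS or proxy export and extend $Allowlist with any CrowdStrike domains your environment legitimately uses before acting on the alerts.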


Sincerely,

Integrity360 Support Team