In context: A glitch with CrowdStrike's Falcon Sensor agent caused havoc across the globe last week, and the chaos continues as malicious actors rush to take advantage. Amid the turmoil, it is instructive to consider a little-noticed event earlier this year when a CrowdStrike update caused all Debian Linux servers to crash simultaneously and refuse to boot. It took the cybersecurity provider weeks to provide a root cause analysis, revealing that the update was incompatible with the latest stable version of Debian.
Friday's events were not the first time CrowdStrike, a popular cybersecurity service provider, caused significant disruptions to multiple operating systems. To recap what happened: Windows machines worldwide began displaying the dreaded Blue Screen of Death as they booted up last Friday, impacting banks, airlines, media outlets, food chains, and many other businesses. The problem was traced to the security firm and an issue with its Falcon Sensor agent. There was also a related issue with Microsoft 365 apps and services.
Another disruption, this one hardly noticed, occurred in April when a CrowdStrike update caused all Debian Linux servers to crash simultaneously and refuse to boot. The update was incompatible with the latest stable version of Debian, despite this Linux distro being supposedly supported by CrowdStrike.
These issues occurred over several months, indicating ongoing compatibility problems between the security software and certain Linux distributions. For instance, similar issues were reported by CrowdStrike users after upgrading to Rocky Linux 9.4, with servers crashing due to a kernel issue.
CrowdStrike's response to the Debian issue was slow. It took them weeks to provide a root cause analysis, which revealed that the Debian Linux configuration was not included in their test matrix.
These earlier issues raise serious concerns about the company's software update and testing procedures. Together with the slow response to the Debian incident, they suggest that CrowdStrike's testing coverage for Linux systems is inadequate, which is consistent with the recurring compatibility problems.
Meanwhile, the aftermath of Friday's global outage continues. CrowdStrike has fixed the Windows agent bug, but the process of manually remediating each affected computer is expected to cause ongoing disruptions. Perhaps not surprisingly, threat actors are exploiting the situation.
The US Cybersecurity and Infrastructure Security Agency (CISA) has reported that although the outage was not caused by a cyberattack, hackers are engaging in phishing and other malicious activities, taking advantage of the chaos. Malicious actors are sending phishing emails from domains impersonating CrowdStrike, falsely claiming to offer solutions to the outage in exchange for payments to random crypto wallets.
The cybercriminals are posing as CrowdStrike employees or other tech specialists through emails or even phone calls. Attackers have also quickly set up deceptive websites with domain names that include keywords like "CrowdStrike" and "blue screen." Once they get their hooks into the victims, they trick them into revealing sensitive information such as passwords and other security codes.
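The lure domains described above can be screened for in DNS or proxy logs. The following is an added example, not code from the article or from CrowdStrike: it normalises each observed domain (lower-casing, undoing common digit-for-letter substitutions, stripping hyphens) and flags any non-legitimate domain containing the campaign keywords. The sample domains, the allowlist entry and the homoglyph table are assumptions constructed for the demonstration.

```python
import re

# Constructed sample of domains as they might appear in DNS or proxy logs.
# These are illustrative placeholders, not real indicators from the article.
SAMPLE_DOMAINS = [
    "falcon.crowdstrike.com",              # legitimate vendor host, must not be flagged
    "crowdstrike-bluescreen-fix.example",  # keyword lure
    "cr0wdstr1ke-support.example",         # digit-for-letter substitution
    "bsod-helpdesk-crowd-strike.example",  # hyphen-split brand name
    "crowdstrike.com.login.example",       # legitimate name used as a subdomain label
    "news.example",                        # unrelated, must not be flagged
]

# Assumed allowlist of the vendor's own registrable domains.
LEGIT_DOMAINS = {"crowdstrike.com"}

# Campaign keywords seen in lure domains (article mentions "CrowdStrike" and "blue screen").
KEYWORDS = ("crowdstrike", "bluescreen", "bsod")

# Common look-alike digit substitutions; "1" is mapped to "i" here, so "1"-for-"l"
# tricks are not covered by this simple table.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, undo digit substitutions and drop hyphens/other noise."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return re.sub(r"[^a-z.]", "", d)


def is_legit(domain: str) -> bool:
    """True only for the allowlisted domain itself or a true subdomain of it."""
    d = domain.lower().rstrip(".")
    return any(d == legit or d.endswith("." + legit) for legit in LEGIT_DOMAINS)


def flag_lure_domains(domains):
    """Return [(domain, [matched keywords])] for non-legitimate keyword matches."""
    hits = []
    for dom in domains:
        if is_legit(dom):
            continue
        norm = normalize(dom)
        matched = [k for k in KEYWORDS if k in norm]
        if matched:
            hits.append((dom, matched))
    return hits


if __name__ == "__main__":
    for dom, kws in flag_lure_domains(SAMPLE_DOMAINS):
        print(f"FLAG {dom} <- {', '.join(kws)}")
```

Note that "crowdstrike.com.login.example" is flagged because the allowlist check compares the registrable suffix, not a substring, which is exactly the distinction a lookalike domain relies on.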