A massive IT outage has disrupted computer systems globally, impacting banks, media organizations, hospitals, transport services, retail checkouts, airports, and more in Australia and Aotearoa New Zealand.
This outage, which occurred on Friday, is notable for its unprecedented scale and severity. The affected computers have been rendered almost entirely useless by the outage, a situation described as being “bricked.”
The outage has been associated with CrowdStrike Falcon, a piece of software. But what exactly is CrowdStrike Falcon, and why has it caused such extensive disruption?
CrowdStrike, a leading US cybersecurity firm with a significant global presence, offers Falcon as one of its key software products. Falcon is designed to protect computers from cyber threats and malware by monitoring activity on the machines where it’s installed.
As an “endpoint detection and response” (EDR) tool, Falcon scrutinizes various aspects of computer operations to identify potential threats like malware. Upon detecting suspicious activity, it helps contain and address the issue.
Due to its role, Falcon is considered privileged software. It requires detailed monitoring of computers, including tracking internet communications, active programs, file access, and other internal processes to effectively spot and mitigate attacks.
In some ways, Falcon functions similarly to traditional antivirus software but with enhanced capabilities. Unlike standard antivirus programs, Falcon not only detects threats but also actively neutralizes them. For instance, if Falcon identifies that a computer is interacting with a possible hacker, it must be able to cut off that communication. This requires Falcon to be deeply integrated with the operating system of the computers it protects, such as Microsoft Windows.
The extensive privileges and deep integration of Falcon make it a powerful tool. However, these same factors can lead to significant issues if Falcon experiences a malfunction. The recent outage exemplifies this worst-case scenario.
It appears that an update to Falcon led to a malfunction that caused Windows 10 computers to crash and fail to reboot, resulting in the infamous “blue screen of death” (BSOD). This term describes the screen shown when Windows systems crash and require rebooting—though in this instance, the issue with Falcon means the computers repeatedly encounter the BSOD during reboot attempts.
CrowdStrike, a leading provider of EDR solutions, is renowned for its products like Falcon, which are widely used by organizations prioritizing cybersecurity.
The outage on Friday highlighted that this includes a range of sectors such as hospitals, media organizations, universities, and major supermarkets. While the full extent of the disruption is still being assessed, it is evident that the impact is global.
CrowdStrike’s products, including Falcon, are primarily used by large organizations for network security and intrusion response, rather than by individual home users.
This is because CrowdStrike’s tools are designed for enterprise environments where they monitor and protect extensive networks. For personal computers, more commonly used solutions include built-in antivirus software or security products from companies like Norton and McAfee.
Currently, CrowdStrike has issued manual instructions for addressing the issue on individual affected computers.
However, there doesn’t seem to be an automatic solution available yet. Some IT teams might be able to resolve the issue swiftly by wiping the affected computers and restoring them from backups or other recovery methods.
Some IT teams might also be able to “roll back” to a previous version of the affected Falcon software on their organization’s computers. Alternatively, they may need to address the problem manually on each affected computer.
Resolving the issue could take some time for many organizations.
This incident highlights a paradox: while security experts have long advocated for the deployment of advanced security technologies like EDR, that same technology has now caused a significant outage. For companies like CrowdStrike, which provide highly privileged security software, it serves as a crucial reminder to exercise extreme caution when rolling out automatic updates.