CrowdStrike outage fuels rise in phishing scams, experts argue
As TechDay has extensively reported, the CrowdStrike Falcon platform experienced a significant disruption on 19th July, impacting more than 8 million Windows computers.
To recap, the platform, which normally receives multiple updates daily to counter new threats in real-time, was affected by a logic error in a configuration file. This error resulted in incorrect memory allocation at the kernel level in Windows, causing systems to display the 'Blue Screen of Death' (BSOD) and preventing Windows from booting.
In the wake of the disruption to CrowdStrike's Falcon platform, several experts have warned of an uptick in phishing campaigns. These campaigns offer fake fixes, exploiting the business disruption caused by the outage.
Max Gannon, Cyber Threat Intelligence Manager at Cofense, shed some light on the situation: "When we say 'opportunistic attacks' - this is exactly the type of thing we mean. Anytime there is any big news - geo-political, weather, tragedy, etc., phishing and malicious cyber attacks almost always scale up. The situation provides a great smokescreen and people are much more receptive and reactive to content on a large scale."
Gannon referenced previous instances where major vulnerabilities were exploited, noting that this is a familiar tactic among threat actors. He elaborated, "We have seen threat actors spoofing CrowdStrike and publicly claiming ownership, but we are also likely to see them spoofing Microsoft and every relevant company, including updates from one's own company relating to the incident." He also advised recipients of such emails to pause and evaluate their authenticity rather than reacting to the implied urgency.
Mohit Dewan, Avocado Consulting's Digital and Cloud Solutions Practice Leader, discussed the critical measures necessary to enhance system resilience. He first addressed the issue stemming from the frequency of deployments. "While the frequency of updates is a strength of CrowdStrike, enabling near real-time threat identification and blocking, it also introduces risks, including complacency, as demonstrated by this incident," Dewan stated.
To mitigate such risks, Dewan emphasised the importance of effective testing, operational controls, and observability. He pointed out the necessity of rigorous testing frameworks, remarking, "Vendors must thoroughly test updates before release. Implementing an automated testing suite within the CI/CD pipeline can help catch issues early and ensure stability."
He highlighted that vendors like CrowdStrike bear the responsibility for testing updates, as expecting customers to manage multiple updates daily is impractical. "Since CrowdStrike Falcon updates are pushed automatically, thorough vendor-side testing is crucial. Setting and enforcing a policy where all updates are applied in non-production environments and functionally tested before production deployment can prevent similar issues," Dewan noted.
Dewan further stressed the importance of tailored policies, stating, "It is imperative to have a nuanced understanding of each of your systems and platforms and create appropriate policies that work for each, rather than implementing blanket policies across all systems."
Dewan also advised implementing operational controls to mitigate update risks. "Adopt policies such as versioning or delay mechanisms. For example, maintaining a version behind or delaying updates can provide time to evaluate them and avoid immediate issues," he suggested. Ensuring updates are applied first in non-production environments is another crucial measure that allows organisations to functionally test them before deployment to production systems.
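As an added illustration of the versioning, delay and non-production-first policies Dewan describes, the following Python models update rings that are pinned N versions behind, held back for a minimum age, and promoted to production only after the non-production ring signs off. This is example code written for this article, not a CrowdStrike or Avocado Consulting tool; the ring names, build numbers, dates and sign-off records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of a staged-update policy: rings pinned N versions behind the
# newest release, held back for a minimum age, and promoted to production only
# after the non-production ring has functionally tested the build.

@dataclass(frozen=True)
class Release:
    version: int        # monotonically increasing build number
    published: datetime

@dataclass(frozen=True)
class RingPolicy:
    name: str
    versions_behind: int                 # 0 = newest release, 1 = N-1, ...
    min_age: timedelta                   # delay before a release may be adopted
    signoff_from: Optional[str] = None   # ring whose functional test must pass first

def allowed_version(policy, releases, now, signoffs):
    """Newest version this ring may run right now, or None if nothing qualifies.

    signoffs maps a ring name to the set of versions that passed its functional
    tests; a build that crashed non-production never appears there, so the
    production ring simply stays on the previous good build."""
    published = sorted((r for r in releases if r.published <= now),
                       key=lambda r: r.version, reverse=True)
    for rel in published[policy.versions_behind:]:
        if now - rel.published < policy.min_age:
            continue  # too new for this ring's delay window
        if policy.signoff_from and rel.version not in signoffs.get(policy.signoff_from, set()):
            continue  # upstream ring has not signed this build off
        return rel.version
    return None

def rollout_plan(policies, releases, now, signoffs):
    """Target version per ring; compare against what hosts actually report."""
    return {p.name: allowed_version(p, releases, now, signoffs) for p in policies}

# Constructed timeline: three builds published a day apart, evaluated on day 2.5.
T0 = datetime(2024, 7, 17)
RELEASES = [Release(100 + i, T0 + timedelta(days=i)) for i in range(3)]
POLICIES = [
    RingPolicy("nonprod", versions_behind=0, min_age=timedelta(0)),
    RingPolicy("prod", versions_behind=1, min_age=timedelta(days=1), signoff_from="nonprod"),
]
# Build 101 failed functional testing in non-production, so it never receives sign-off.
SIGNOFFS = {"nonprod": {100, 102}}

if __name__ == "__main__":
    print(rollout_plan(POLICIES, RELEASES, T0 + timedelta(days=2, hours=12), SIGNOFFS))
```

Hosts whose reported sensor version differs from the ring target are the ones to investigate: a production host already on 101 here would indicate the policy was bypassed.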
The final measure involved observability, which Dewan described as essential for a resilient organisation. "Real-time observability tools provide insights into system health and performance, enabling quick detection and response to issues. For example, our observability solutions allowed a client to rapidly assess and address the impact of the CrowdStrike incident, significantly reducing downtime and costs," Dewan explained.
The disruption of CrowdStrike's Falcon platform has thus underscored the need for rigorous testing, balanced update policies, and robust observability to ensure system resilience and mitigate risks effectively.