CrowdStrike reiterated that the issue was not the result of a cyberattack but confirmed that millions of users running its Falcon sensor for Windows saw their systems crash into a BSOD (blue screen of death) reboot loop.
“The update applied at 04:09 UTC was intended to address newly identified malicious named pipes used by common C2 frameworks in cyberattacks. This configuration update triggered a logic error, causing the operating system to crash.”
CrowdStrike has resolved the logic error by updating the content in Channel File 291 and confirmed that no further changes to this file beyond the updated logic will be made. The Falcon system continues to evaluate and protect against the abuse of named pipes.
The anti-malware vendor has provided remediation guidelines, stating that systems not currently affected “will continue to function normally, maintain protection, and are not at risk of this issue reoccurring.”
“We understand how this issue occurred and are conducting a thorough root cause analysis to determine how the logic flaw emerged. This investigation is ongoing, and we are committed to identifying any foundational or workflow improvements to enhance our processes,” the company stated.
Amid the disruptions at airports and hospitals caused by the CrowdStrike update, the US cybersecurity agency CISA announced it is collaborating with federal partners, state, local, tribal, and territorial (SLTT) partners, and critical infrastructure and international partners to assess impacts and support remediation efforts. CISA confirmed CrowdStrike’s statements that the issue does not affect Mac and Linux hosts and was “not due to malicious cyber activity.”
“CISA has noted that threat actors are exploiting this incident for phishing and other malicious activities. We urge organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA advises organizations to remind employees to avoid clicking on phishing emails or suspicious links,” the agency cautioned.