Výpadek postihl zařízení s Windows a nainstalovaným agentem CrowdStrike Falcon. Mj. se dotkl několika letišť, vč. např. RyanAir a British Airways, kteří museli zrušit část letů. Dále bankovních institucí a další kritické infrastruktury. Nemluvě o soukromém sektoru, a to napříč celým světem.
Za výpadkem stojí chybná aktualizace ze strany CrowdStrike, konkrétně agenta CrowdStrike Falcon. Chybná aktualizace sice byla stažena, ale zasažené koncové body nenabootují a končí na BSOD. Vyžadují proto ruční zásah a obnovu v nouzovém režimu. Netýká se zařízení s agenty Microsoft Defender EDR a XDR.
Týká se výpadek i Vás? Oprávněné osoby mohou zjistit na tomto odkazu
Service Health – Microsoft Azure,
Případně se doptejte naší IT podpory prostřednictvím preferovaného kontaktu.
Během dnešního rána jsme řadě našich klientů, kteří mají zabezpečení koncových bodů CrowdStrike pomáhali se zotavením a znovuzprovozněním zasažených zařízení. Ačkoliv sami CrowdStrike firmám v rámci našich bezpečnostních produktů nabízíme a implementujeme, pomohli jsme i těm, kteří mají licenci zakoupenou odjinud. Cílem bylo obnovit v rámci tohoto kritického incidentu co nejdříve normální fungování zasažených zařízení, a v danou chvíli ani tak nezáleželo, zda mají licenci od nás, nebo alespoň využívají naše IT služby či podporu. V rámci kritických incidentů jsme mnohdy připraveni pomoci kdekoliv, i mimo naši klientelu, seč nám kapacity dovolí.
Za výpadkem nestojí naše společnost, ani Microsoft a jeho infrastruktura. Problém je v chybné aktualizaci ze strany CrowdStrike, vyjádření společnosti naleznete níže..
🔻Vyjádření Microsoft (v angličtině)
We are aware of an issue that started on July 18, which resulted in customers experiencing unresponsiveness and startup failures on Windows machines using the CrowdStrike Falcon agent, affecting both on-premises and various cloud platforms (Azure, AWS, and Google Cloud).
It’s important to clarify that this incident is separate from the resolved Central US Azure outage (Tracking Id: 1K80-N_8). Microsoft is actively providing support to assist customers in their recovery on our platforms, offering additional guidance and technical assistance.
CrowdStrike has released a public statement on Windows Sensor Update – crowdstrike.com addressing the matter, and it includes recommended steps for a workaround. For environments specific to Azure, further instructions are provided below:
Updated: We approximate impact started as early as 04:09 UTC on the 18th of July, when this update started rolling out.
Update as of 10:30 UTC on 19 July 2024:
We have received reports of successful recovery from some customers attempting multiple Virtual Machine restart operations on affected Virtual Machines. Customers can attempt to do so as follows:
- Using the Azure Portal – attempting ‘Restart’ on affected VMs
- Using the Azure CLI or Azure Shell (https://shell.azure.com)
https://learn.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az-vm-restart
We have received feedback from customers that several reboots (as many as 15 have been reported) may be required, but overall feedback is that reboots are an effective troubleshooting step at this stage.
Additional options for recovery:
We recommend customers that are able to, to restore from a backup, preferably from before 04:09 UTC on the 18th of July, when this faulty update started rolling out.
- Customers leveraging Azure Backup can follow the following instructions:
How to restore Azure VM data in Azure portal
- Alternatively, customers can attempt repairs on the OS disk by following these instructions:
Troubleshoot a Windows VM by attaching the OS disk to a repair VM through the Azure portal
Once the disk is attached, customers can attempt to delete the following file:
Windows/System32/Drivers/CrowdStrike/C-00000291*.sys
The disk can then be attached and re-attached to the original VM.
We can confirm the affected update has been pulled by CrowdStrike. Customers that are continuing to experience issues should reach out to CrowdStrike for additional assistance.
Additionally, we’re continuing to investigate additional mitigation options for customers and will share more information as it becomes known.
This message was last updated at 17:43 UTC on 19 July 2024
🔻Vyjádření CrowdStrike (v angličtině)
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.
The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website.
We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels.
Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
Updated 1:25pm ET, July 19, 2024:
We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption. We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.
We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed.
ZDROJ: Statement on Falcon Content Update for Windows Hosts – crowdstrike.com