U.S. government agencies and cybersecurity experts are warning of opportunistic phishing attacks, SMS scams and other malicious activity that attempt to take advantage of the chaos of Friday’s global outages.
The outages themselves are not a cyberattack, but instead have been linked to an update for versions of CrowdStrike’s Falcon EDR product running on Windows machines. Many large organizations worldwide have been forced to take their services offline overnight, including banks, airlines and media companies, leading to everything from flights being grounded to non-urgent surgeries being canceled.
In a Friday statement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that it has observed threat actors taking advantage of this incident for phishing “and other malicious activity.” CISA said it is working closely with CrowdStrike as well as federal, state and local partners, and critical infrastructure partners, to assess the impact of the outage and support remediation efforts.
“CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources,” according to CISA’s Friday advisory. “CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”
The UK National Cyber Security Centre (NCSC) said that the increase in phishing activity may be aimed at both organizations and individuals. There are various potential scenarios for attacks, including cybercriminals pretending to be IT support and saying they could assist impacted people, and then asking for their credentials or other sensitive information.
NCSC said organizations can take multiple steps to prevent phishing, including implementing anti-spoofing controls, filtering or blocking incoming phishing emails, training employees so that they can better spot phishing attacks, protecting accounts by setting up multi-factor authentication to make them more resistant to phishing, and using proxy services and up-to-date browsers to protect against malicious websites.
John Hammond of Huntress said that “a run of the mill outage from just technical maintenance is common, but something with this size and scale and sheer impact is extremely rare.” Hammond said the issue here is “not a matter of business owners or system administrators having automatic updates enabled, but genuinely the vendor and provider who had pushed out this problematic update.”
“The gist is the CrowdStrike kernel driver had an automatic update and [an] unfortunate mistake that would cause all of the computers to crash,” said Hammond. “That is what has made for such a widespread outage across practically every Windows server or workstation running the CrowdStrike Falcon Sensor.”
CrowdStrike on Friday said that the issue has been identified and isolated, and that a fix has been deployed. The company is recommending on its website that organizations take several specific workaround steps to remediate any Windows machines affected by the update. The company said that the crashes on Windows hosts are related to the Falcon sensor, but that the issue does not affect the Falcon platform system.
“We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption,” said CrowdStrike CEO George Kurtz in a Friday tweet. “We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.”