International. After what some experts have described as "the largest computer blackout in history", we analyse the security incidents that could arise from the failure of the CrowdStrike platform and the resulting Microsoft outage.
Although the full extent of the worldwide disruptions has yet to be determined, the global failure of Microsoft services is already expected to carry significant risks in areas such as cybersecurity, physical security and video surveillance, among others.
In fact, the United States Department of Homeland Security has already reported that threat actors were taking advantage of this incident to conduct phishing and other malicious activities, such as launching fake websites to capture data: "Remain vigilant and only follow instructions from legitimate sources," reads a bulletin issued by the Department's Cybersecurity and Infrastructure Security Agency (CISA).
According to Víctor Ruiz, founder of the company SILIKN, certified cybersecurity instructor (CSCT) and leader of the Querétaro Chapter of the OWASP Foundation, "cybercriminals have moved quickly to establish phishing campaigns and launch social engineering attacks, impersonating CrowdStrike. They inform companies that they can download an update or security patch that actually contains malware."
The expert said that the appearance of malicious domains designed to take advantage of the recent interruption for scam purposes has also been reported; a number of these lookalike domains, built around the CrowdStrike name, have already been identified.
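As an added example (not from the article, CISA or SILIKN), the following triage filter flags hostnames in proxy logs that use the CrowdStrike brand outside the vendor's own domain, which is the pattern the lookalike domains above follow. The log lines and the `.example` lookalike names are constructed, and `crowdstrike.com` is assumed here to be the only legitimate registrable domain.

```python
from urllib.parse import urlsplit

# Registrable domains the brand legitimately uses (assumption for this example;
# confirm against the vendor's published list before relying on it).
LEGITIMATE_DOMAINS = {"crowdstrike.com"}
BRAND = "crowdstrike"

# Constructed sample proxy log lines (timestamp, client, method, URL). Not real traffic.
SAMPLE_LOG = """\
2024-07-19T10:01:02Z 10.0.0.12 GET https://falcon.crowdstrike.com/login
2024-07-19T10:02:45Z 10.0.0.31 GET https://crowdstrike-fix.example/patch.exe
2024-07-19T10:03:10Z 10.0.0.31 GET https://crowdstrike.com.support-team.example/update
2024-07-19T10:04:00Z 10.0.0.44 GET https://intranet.example/crowdstrike-status
2024-07-19T10:05:30Z 10.0.0.50 GET https://cr0wdstrike-help.example/
"""

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for .com/.example; a real
    deployment should use the Public Suffix List to handle suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like_brand(host: str) -> bool:
    """True if the brand name appears in the hostname, after undoing the common
    digit-for-letter swaps 0->o and 1->i used in typosquats."""
    normalised = host.lower().translate(str.maketrans("01", "oi"))
    return BRAND in normalised

def flag_impersonation_hosts(log_text: str) -> list[str]:
    """Return hostnames that carry the brand name but whose registrable domain
    is not one of the vendor's. Brand strings in the URL path are ignored, and
    a legitimate domain used as a subdomain prefix (brand.com.evil.example) is
    still flagged because only the registrable domain is trusted."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        host = urlsplit(parts[3]).hostname or ""
        if not host or registrable_domain(host) in LEGITIMATE_DOMAINS:
            continue  # unparseable, or a genuine vendor host
        if looks_like_brand(host):
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    for host in flag_impersonation_hosts(SAMPLE_LOG):
        print("suspicious brand-impersonation host:", host)
```

Feeding the filter real DNS or proxy exports gives a short review list for the SOC; the hit on line 3 shows why an allowlist must compare the registrable domain rather than look for the vendor's name as a substring.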
Below are some of the other possible consequences of the failure.
Cybersecurity
Services such as Microsoft 365, Azure AD, and others can be affected, preventing access to critical resources. The inability to access authentication services such as Azure AD can leave users unable to authenticate to dependent systems and applications.
Risk of attacks
Attackers can take advantage of confusion and the need for technical support to launch phishing attacks and distribute malware. In addition, instability in services can be seen as an opportunity to attempt brute force attacks and other intrusion methods.
Data exposure
A service interruption can lead to the loss of data that was not properly backed up, and temporary vulnerabilities or backdoors exposed during the outage can be exploited to gain unauthorized access.
System Integration
Access control systems that rely on cloud authentication services can fail, preventing authorized access to facilities. The connectivity of IoT devices and alarm systems integrated with Microsoft platforms can also be compromised.
Monitoring and Response
In Security Operations Centers (SOCs), cloud-based tools and dashboards can be inaccessible, making it difficult to monitor and respond to incidents. Similarly, notification systems that rely on cloud services may not work, delaying incident response.
CCTV (Closed Circuit Television)
The inability to access cloud services may prevent real-time viewing of security cameras and recordings stored in the cloud may not be accessible, complicating the review of critical events.
Remote Surveillance
Remote surveillance services that rely on Microsoft Azure may go down, affecting the ability to monitor and protect facilities. Likewise, an interruption in video recording and storage can leave areas unattended, increasing the risk of physical security incidents.
CrowdStrike speaks out
The cybersecurity company has confirmed the outage by specifying that:
- It affects Windows 10 and later systems.
- It does not affect Mac and Linux hosts.
- It is due to the CrowdStrike Falcon content update and not malicious cyber activity.
In addition, CrowdStrike has indicated that the issue has been identified, isolated, and a fix has been implemented. Organizations that are CrowdStrike customers should refer to the CrowdStrike guide and their customer portal to resolve the issue.
Mitigation measures
- Contingency and recovery: Develop contingency plans that include specific procedures for cloud service failures.
- Data backup: Maintain local and redundant backups of critical data and CCTV recordings.
- Backup systems: Implement backup systems for authentication and monitoring that do not rely exclusively on cloud services.
- Physical security: Use additional physical security solutions, such as security guards, during periods of disruption.
- Autonomous tools: Use monitoring and alerting tools that work independently of cloud services.
Additionally, CISA recommends that organizations remind their employees to avoid clicking on phishing emails or suspicious links.