CrowdStrike Incident and Threat Update

We put together the following information to help you and your tenants stay informed on the global CrowdStrike incident. We can confirm that Todyl has not been impacted by this event.

Summary

• At 12:09 AM ET, some Windows hosts running the CrowdStrike Falcon Sensor experienced system crashes due to a driver update.
• At 5:45AM ET, CrowdStrike CEO made a statement confirming the issue and shared additional information on the response.

Update at 7/20 12:34 PM MT:

Intelligence & Threat Activity

CrowdStrike released guidance on the opportunistic threat activity late evening on 7/19 that can be found here: https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/    

Todyl was aware and proactively took appropriate measures against included indicators when we originally published. We continue to monitor and block additional activity.

Analysis

CrowdStrike explicitly stated their file was not all nulls as we mentioned during the 7/29 1:36 PM MT update below, highlighting the spread of misinformation on the situation.  

The crash dump in the link below identified a null pointer deference as the cause, however, it is unclear what the application was doing prior to that.  

Source: https://x.com/Perpetualmaniac/status/1814376668095754753

Investigations are ongoing to determine how the channel file was able to corrupt memory. Top of mind for us is also the extent to which it could be used for exploitation.  

Regardless, this supports the overall point that installation of new channel files must be handled through careful testing and measured rollout.

CrowdStrike stated a full root cause analysis will be performed and shared, which we will analyze, opine on, and post once public.  

‍

Update at 1:36 PM MT: Technical Analysis of What Occurred

To help educate those impacted by today's events, the below section provides additional information around the technical specifics of what took place. Our teams continue to monitor and block any opportunistic threat activity across the Todyl Platform while sharing our engineering research.

‍

Key Terms and Definitions

• ‍Early Launch Anti-Malware (ELAM): A security feature that’s part of Windows operating systems designed to defend against malware built to load early in the boot process. Its purpose is to counteract attacks that try to embed into the boot process of Windows before endpoint security can start.
• ‍Kernel Level: Refers to a privileged mode of operation within an operating system that manages system resources (e.g., CPU, memory) and provides the essential services needed by other parts of the operating system and applications.

‍

Analysis

A preliminary analysis uncovered the following:

• To achieve ELAM, CrowdStrike Falcon Sensor installs a kernel driver called CSAgent[.]sys.
• Part of the function of CSAgent is to load other submodules distributed by CrowdStrike to provide up-to-date detection of the latest threats.
• CrowdStrike distributes these submodules as encrypted files that the CSAgent decrypts at runtime and loads for execution.
• It appears that a specific submodule distributed by CrowdStrike was malformed in a way that, when execution is attempted, leads to a crash.
• Because CSAgent is loaded as ELAM, the resultant reboot only causes the same decryption and malformed executable to result continuously.

‍

What this means and future impacts

As covered above, EDR software must load before other critical drivers to properly prevent malware from hijacking the boot process. Oftentimes, administrators can avoid pushing software updates to production until they’ve tested the software. Since this update involved a submodule instead of a full driver update, administrators may not have had the opportunity to test.

The situation may prompt Microsoft to review how crashes that load as part of the ELAM process are handled and possibly rolled back. Based on their review, Microsoft may prevent ELAM drivers from loading additional files from the disk into memory during the loading process.

It’s important to note that this is an evolving situation, and we continue to see additional analysis around what was contained in the update. However, much of this analysis deviates from the CSAgent we analyzed, indicating either multiple issues to the update process or the potential for misinformation.

‍

Current Status as of 9:17 AM MT & Impact

• CrowdStrike stated the incident is not the result of a security incident or cyberattack.
• Windows hosts are impacted, Mac and Linux hosts are not.
• The issue has been identified, isolated, and a fix has been deployed. CrowdStrike is referring customers to their support portal for the latest updates and is continuing to provide updates on their website.
• Additional information can be found here: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

‍

Threat Intelligence & Activity

We’re seeing some activity from opportunistic threat actors impersonating CrowdStrike support and trying to capture users seeking information via malicious domains and social engineering outreach. Todyl’s MXDR continues to monitor and update our prevention controls across SASE and EDR, along with updates to SIEM to identify malicious activity resulting from this incident. Todyl MXDR will continue to send intelligence reports.

Situations like these can be very challenging and we wish all those impacted a speedy recovery. Todyl will continue to monitor and provide relevant updates on this blog as new information comes to light.

Please reach out if we can be of any assistance.