Alert - Issue impacting CrowdStrike Falcon EDR

Number: AL24-010
Date: July 19, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On July 19, 2024, the Cyber Centre became aware of an issue impacting systems worldwide resulting from a faulty software update within the CrowdStrike Falcon Endpoint Detection and Response (EDR) tool. The faulty update, referred to as a "channel file", has caused Windows-based systems running this tool to crash and not recover automatically. CrowdStrike has indicated that this error only impacts Windows systems; Mac and Linux hosts are unaffected.

Impact of this issue has been observed within Canada and worldwide. Organizations that employ the CrowdStrike Falcon EDR solution are encouraged to review the suggested actions below to restore impacted systems and to consult the CrowdStrike support portal for the latest guidance and updates.

The Cyber Centre has received reports that threat actors are using this incident for the purpose of phishing and other related malicious activity. The Cyber Centre recommends that organizations remind employees to trust only recommended sources and not to click links in untrusted or questionable emails.

Suggested actions

The Cyber Centre recommends that affected organizations follow the steps below to remove the affected channel files on any impacted systems that are crashing during boot:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE).
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete the file(s) matching "C-00000291*.sys"
  4. Boot normally.
    Please note that organizations which use BitLocker may require a recovery key.
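The removal step above, written as a PowerShell function so the files it deletes are enumerated and recorded before they go. This is an added example, not from the Cyber Centre alert or from CrowdStrike; it assumes a PowerShell prompt is available in the environment you booted into, and the -OsRoot parameter is an assumption added because from WinRE the OS volume is often mapped to a letter other than C:.

```powershell
# Added example (not from the alert or CrowdStrike): enumerate and remove the
# faulty channel file(s) named in the alert from a Windows volume.
# -OsRoot is an assumed parameter: from WinRE pass the mapped OS volume,
# e.g. -OsRoot 'D:\Windows', if the system drive is not C:.
function Remove-FaultyChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$OsRoot  = 'C:\Windows',
        [string]$Pattern = 'C-00000291*.sys'   # pattern given in the alert
    )

    $driverDir = Join-Path $OsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $driverDir)) {
        Write-Warning "CrowdStrike driver directory not found: $driverDir"
        return
    }

    $found = Get-ChildItem -LiteralPath $driverDir -Filter $Pattern -File
    if (-not $found) {
        Write-Host "No files matching $Pattern under $driverDir; nothing to do."
        return
    }

    foreach ($f in $found) {
        # Record name, size and timestamp so the change is auditable after recovery.
        Write-Host ("Removing {0} ({1} bytes, written {2:u})" -f `
            $f.FullName, $f.Length, $f.LastWriteTimeUtc)
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove faulty channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }

    # Return what was matched so the caller can log it.
    $found | Select-Object FullName, Length, LastWriteTimeUtc
}

# Dry run first to see what would be deleted, then perform the removal.
Remove-FaultyChannelFile -WhatIf
Remove-FaultyChannelFile
```

Hosts protected by BitLocker still need the recovery key before the volume can be opened from WinRE, as the alert notes.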

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
