Alert - Issue impacting CrowdStrike Falcon EDR

Number: AL24-010
Date: July 19, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On July 19, 2024, the Cyber Centre became aware of an issue impacting systems worldwide resulting from a faulty software update to the CrowdStrike Falcon Endpoint Detection and Response (EDR) tool. The faulty update, referred to as a ‘channel file’, has caused Windows-based systems running this tool to crash and fail to recover automatically. CrowdStrike has indicated that this error only impacts Windows systems, with Mac and Linux hosts unaffected.

Impact of this issue has been observed within Canada and worldwide. Organizations that employ the CrowdStrike Falcon EDR solution are encouraged to review the suggested actions below to restore impacted systems and to consult the CrowdStrike support portal for the latest updates. [Footnote 1] [Footnote 2]

The Cyber Centre has received reports that threat actors are using this incident for phishing and other related malicious activity. The Cyber Centre recommends that organizations remind employees to trust only recommended sources and not to click links in untrusted or questionable emails.

Suggested actions

The Cyber Centre recommends that affected organizations follow the steps below to remove the affected channel files on any impacted systems that are crashing during boot:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE).
  2. Go to C:\Windows\System32\drivers\CrowdStrike.
  3. Locate and delete file(s) matching "C-00000291*.sys".
  4. Boot normally.
    Please note that organizations which use BitLocker may require a recovery key. [Footnote 3]
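The following PowerShell script is an added example of carrying out steps 2 and 3 above; it is not part of this Alert and is not CrowdStrike's own tooling. It assumes PowerShell is available (Safe Mode, or a WinRE command prompt with the PowerShell component), checks every mounted volume because the Windows volume is often not C: under WinRE, and moves matching channel files into a quarantine folder on the same volume (recording their SHA-256 hashes) rather than deleting them, which removes them from the driver directory just as the deletion does while keeping a copy for later review.

```powershell
# Added example, not from the Cyber Centre alert or from CrowdStrike.
# Run from Safe Mode or a WinRE prompt that has PowerShell available.
param(
    [string]$Pattern = 'C-00000291*.sys',   # channel file pattern named in the alert
    [switch]$DryRun                         # list matches only, change nothing
)

$found = @()
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    # The CrowdStrike driver folder is relative to each volume root; under
    # WinRE the Windows volume may be D:, E:, etc. rather than C:.
    $dir = Join-Path $drive.Root 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    $files = Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Host "$dir : no files matching $Pattern"
        continue
    }

    # Quarantine folder on the same volume, so the move works even when no
    # other drive is writable from the recovery environment.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $quarantine = Join-Path $drive.Root "CrowdStrike-quarantine-$stamp"

    foreach ($f in $files) {
        # Record a hash before moving so the file can be identified later.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Host ("{0}  SHA256={1}  {2} bytes  modified {3:u}" -f $f.FullName, $hash, $f.Length, $f.LastWriteTimeUtc)
        $found += [pscustomobject]@{ Path = $f.FullName; SHA256 = $hash; Quarantined = (-not $DryRun) }

        if ($DryRun) { continue }
        New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
        Move-Item -LiteralPath $f.FullName -Destination $quarantine
    }
    if (-not $DryRun) { Write-Host "Moved $($files.Count) file(s) to $quarantine" }
}

if ($found.Count -eq 0) { Write-Host "No files matching $Pattern found on any volume." }
$found   # summary of what was found and whether it was quarantined
```

Run it first with `-DryRun` to confirm only the expected channel files are matched, then without it, and reboot normally (step 4) afterwards.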

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
