CrowdStrike Worldwide Service Disruption: Threat Actor Engagement and Risk Management Approaches

A faulty Channel File 291 caused kernel instability and a global BSOD loop affecting roughly 8.5 million Windows devices, prompting remediation while highlighting the importance of trusted update mechanisms. SentinelOne notes early threat actor activity around the incident, including malicious domains, fake fixes, and phishing attempts, as monitoring continues. #CrowdStrike #BSOD #ChannelFile291 #Windows7 #SentinelOne #LiveSecurityUpdates

Keypoints

  • The July 19, 2024 outage was caused by Channel File 291 (C-00000291-*.sys) on Windows 7+ with CrowdStrike Falcon, leading to a BSOD loop and broad global outages (manufacturing, air travel, hospitals).
  • Remediation requires booting into safe mode to delete the faulty channel file or using Microsoft scripts, with BitLocker-encrypted devices needing the BitLocker recovery key.
  • The outage underscored the value of update mechanisms; SentinelOne emphasizes its Live Security Updates (LSU) operate in user-space and are phased, isolated from core agent components.
  • SentinelOne’s GA workflow includes Early-Access (EA) builds, extensive QA, and opt-in testing before wide release, with customers controlling deployment timing and scope.
  • Cybercriminals quickly weaponized the incident, registering numerous misleading domains and conducting phishing/extortion campaigns offering fake fixes for BTC payments.
  • Illustrative infrastructure includes typosquatting domains (e.g., fix-crowdstrike-apocalypse.com) and fake files like crowdstrike-hotfix.zip and CrowdStrike Updater.exe, used to lure victims.
  • Indicators of Compromise (IOCs) include file hashes, a URL distributing a malicious update.zip, and dozens of registered domains resembling CrowdStrike themes.

MITRE Techniques

  • [T1566] Phishing – Threat actors are using CrowdStrike-themed phishing sites to lure victims. ‘Threat actors are using CrowdStrike-themed phishing sites to lure victims.’
  • [T1583] Acquire Infrastructure – Thousands of typo-squatting domains registered to exploit the CrowdStrike incident. ‘Thousands of typo-squatting domains have been registered to exploit the CrowdStrike incident.’
  • [T1105] Ingress Tool Transfer – Distributing fake “hotfixes” and malicious binaries disguised as legitimate updates. ‘distributing fake “hotfixes” and malicious binaries disguised as legitimate updates.’

Indicators of Compromise

  • [File Hash] SHA-1 – fef212ec979f2fe2f48641160aadeb86b83f7b35, 66fbe2b33e545062a1399a4962b9af4fbbd4b356, 5b2f56953b3c925693386cae5974251479f03928
  • [File Hash] SHA-1 – cdfa4966d7a859b09a411f0d90efbf822b2d6671
  • [URL] – link.storjshare[.]io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip (malicious update.zip download)
  • [Domain] – crashstrike[.]com, crowdstrikefix[.]com, crowdstrikebsod[.]com, and 60+ more domains
  • [File Name] – CrowdStrike Updater.exe, crowdstrike-hotfix.zip (and related bundles)
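The typosquatting domains and the IOC list above are most useful when swept against proxy or DNS telemetry. The following is an added example (not code from SentinelOne or from the summarised post) that refangs the listed indicators, flags exact IOC hits, and also catches unlisted CrowdStrike look-alike domains by a brand-substring check plus a small edit distance. The proxy log format, the sample log lines, and the allow-listed vendor domain crowdstrike.com are constructed assumptions; the hashes, domains, URL and file names are transcribed from this page.

```python
import hashlib
from urllib.parse import unquote, urlsplit

# Indicators transcribed from the page, defanged exactly as listed.
IOC_SHA1 = {
    "fef212ec979f2fe2f48641160aadeb86b83f7b35",
    "66fbe2b33e545062a1399a4962b9af4fbbd4b356",
    "5b2f56953b3c925693386cae5974251479f03928",
}
IOC_DOMAINS = {
    "crashstrike[.]com", "crowdstrikefix[.]com", "crowdstrikebsod[.]com",
    "fix-crowdstrike-apocalypse[.]com",
}
IOC_URLS = {
    "link.storjshare[.]io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip",
}
IOC_FILENAMES = {"crowdstrike updater.exe", "crowdstrike-hotfix.zip"}

BRAND = "crowdstrike"
# Assumption: the vendor's real domain, exempt from look-alike flagging.
LEGITIMATE_DOMAINS = {"crowdstrike.com"}


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS_CLEAN = {refang(d) for d in IOC_DOMAINS}
IOC_URLS_CLEAN = {refang(u) for u in IOC_URLS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as 'crashstrike' that the substring check misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label ('crashstrike' for 'www.crashstrike.com'); naive about multi-part TLDs."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(host: str, max_distance: int = 3) -> bool:
    """True when the host's label embeds or closely resembles the brand name."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return False
    label = registrable_label(host)
    return BRAND in label or levenshtein(label, BRAND) <= max_distance


def scan_url(url: str) -> list[str]:
    """Return the indicator categories a requested URL matches (empty list = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    basename = unquote(path.rsplit("/", 1)[-1])
    findings = []
    if host in IOC_DOMAINS_CLEAN:
        findings.append("ioc-domain")
    if is_lookalike(host):
        findings.append("lookalike-domain")
    if host + path in IOC_URLS_CLEAN:
        findings.append("ioc-url")
    if basename in IOC_FILENAMES:
        findings.append("lure-filename")
    return findings


def scan_proxy_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Constructed log format '<timestamp> <client-ip> <method> <url>'; returns (client, url, findings) per hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of aborting the sweep
        client, url = fields[1], fields[3]
        findings = scan_url(url)
        if findings:
            hits.append((client, url, findings))
    return hits


def sha1_is_known_lure(data: bytes) -> bool:
    """Check a downloaded file's bytes against the published SHA-1 list."""
    return hashlib.sha1(data).hexdigest() in IOC_SHA1


# Constructed proxy log lines for the demo (clients and timestamps are made up).
SAMPLE_LOG = [
    "2024-07-19T14:02:11Z 10.0.0.12 GET http://crowdstrikefix.com/crowdstrike-hotfix.zip",
    "2024-07-19T14:05:40Z 10.0.0.33 GET https://link.storjshare.io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip",
    "2024-07-19T14:06:02Z 10.0.0.33 GET https://www.example.com/index.html",
    "2024-07-19T14:09:15Z 10.0.0.41 GET https://crashstrike.com/CrowdStrike%20Updater.exe",
    "2024-07-19T14:10:00Z 10.0.0.50 GET https://www.crowdstrike.com/",
]

if __name__ == "__main__":
    for client, url, findings in scan_proxy_log(SAMPLE_LOG):
        print(client, url, ",".join(findings))
```

The look-alike check is deliberately separate from the exact IOC match: the page notes 60+ registered domains beyond the three it names, so an exact list will always lag behind registrations, whereas a brand-token plus edit-distance heuristic flags new variants at the cost of some triage noise. Tune `max_distance` and the allow list to your environment before alerting on it.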

Read more: https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/