A faulty update to software from the cybersecurity firm CrowdStrike has caused a massive failure of Windows computers. This is not a cyberattack.
The update has left a large number of computers stuck in a boot loop in which they repeatedly crash to the “Blue Screen of Death” (BSOD), affecting airport services, airlines, rail networks, media outlets and other organisations around the world.
Operators have been provided with the necessary information to mitigate the impact of the incident, and systems are gradually being recovered.
A special attention protocol has been implemented with the corresponding information for citizens and companies through our 017 Your Help in Cybersecurity service.
The National Cybersecurity Institute (INCIBE), an entity attached to the Ministry of Digital Transformation and the Civil Service through the State Secretariat for Digitalization and Artificial Intelligence, reports an information systems incident that is affecting organizations worldwide. The first reports were detected by the monitoring network at 10:20 PM on 18 July 2024.
The problem is caused by an update to a cybersecurity component (an antivirus/endpoint sensor) from CrowdStrike, which is failing in its interaction with Microsoft platforms. The update causes technical problems on Windows systems on which the component is updated: the system crashes to a blue screen and cannot boot or operate correctly.
CrowdStrike is already implementing mitigation and recovery measures on the affected systems and clients, and has already restored several of them. In parallel, it is working on a new update to replace the faulty one so that systems that have not yet been affected are not impacted.
The mitigation and correction measures that INCIBE is recommending are the following:
- Update the CrowdStrike components that are causing the blue-screen loops.
- Do not apply the CrowdStrike agent update until a verified fix is available.
- The faulty channel file has been rolled back by the vendor, which is expected to stop the problem from spreading further. Of the systems that were already failing, some return to a normal working state on their own, because once the host stays up long enough it picks up the corrected channel file in place of the faulty one. Other systems simply crash in a loop and may require manual intervention.
- If a system keeps failing and manual intervention is therefore necessary, follow these steps:
  - Start Windows in safe mode.
  - Navigate to the directory C:\Windows\System32\drivers\CrowdStrike (for example in File Explorer).
  - Locate the file matching “C-00000291*.sys” and delete it.
  - Start the system normally.
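The manual workaround above, written as a PowerShell script an administrator could run from Safe Mode instead of deleting the file by hand. This is an added example and is not part of the INCIBE advisory or of any CrowdStrike tooling. It assumes an elevated PowerShell session; the `-WindowsRoot` parameter is this example's own addition so that the same script can be pointed at an offline Windows volume (whose drive letter may differ from C:) if the host is repaired from the Windows Recovery Environment, where BitLocker-protected volumes will first require the recovery key. The timestamp comparison is informational only and is taken from CrowdStrike's public Tech Alert, not from this advisory; deletion follows the advisory's rule, every file matching the pattern is removed.

```powershell
<#
Added example (not from the INCIBE advisory): locate and remove the faulty
CrowdStrike channel file. Dry run by default; pass -Remove to delete.
#>
[CmdletBinding()]
param(
    # Windows directory of the volume to repair. Defaults to the running
    # system (Safe Mode). From WinRE, pass the offline volume, e.g. 'D:\Windows'.
    [string]$WindowsRoot = $env:SystemRoot,
    # Actually delete matching files instead of only reporting them.
    [switch]$Remove
)

$driverDir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
# File pattern from the advisory's manual workaround.
$pattern = 'C-00000291*.sys'
# Assumption taken from CrowdStrike's public Tech Alert (not this advisory):
# the reverted, good channel file carries a 2024-07-19 05:27 UTC or later
# timestamp; the faulty one was written at 04:09 UTC. Used only to flag.
$revertedStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    Write-Error "CrowdStrike driver directory not found: $driverDir. From WinRE, pass -WindowsRoot pointing at the offline volume's Windows directory."
    exit 1
}

$found = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File)
if ($found.Count -eq 0) {
    Write-Host "No file matching $pattern in $driverDir; nothing to remove."
    exit 0
}

foreach ($f in $found) {
    $verdict = if ($f.LastWriteTimeUtc -ge $revertedStamp) {
        'written after the reverted build was published'
    } else {
        'predates the reverted build (likely the faulty 0409 UTC file)'
    }
    Write-Host ('{0}  {1:u}  {2}' -f $f.Name, $f.LastWriteTimeUtc, $verdict)
    if ($Remove) {
        # The advisory's step: delete every file matching the pattern.
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.FullName)"
    }
}

if ($Remove) {
    # Verify the directory is clean before telling the operator to reboot.
    $remaining = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File)
    if ($remaining.Count -eq 0) {
        Write-Host "No $pattern files remain. Reboot normally; the sensor picks up the corrected channel file once the host stays up."
    } else {
        Write-Warning "$($remaining.Count) file(s) still match $pattern; check permissions and rerun."
    }
} else {
    Write-Host 'Dry run only. Rerun with -Remove to delete the file(s) listed above.'
}
```

Run it first without `-Remove` to see what would be deleted and how each file's timestamp compares with the reverted build, then rerun with `-Remove` and reboot normally. Because `$env:SystemRoot` in the Recovery Environment points at the RAM disk rather than the installed system, the script deliberately fails with a hint instead of silently reporting "nothing to remove" when the directory is not found.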
INCIBE is in contact with the affected entities and with critical and strategic operators to alert them and to support them in adopting these mitigation measures.