CrowdStrike Chaos: Why an update canceled flights and bricked ATMs

The world seemed to slow down to a standstill when a security update canceled flights, hospitals lost access to patient records, ATMs stopped working and people couldn’t turn on their computers. It was all caused by a single file from CrowdStrike.

But it wasn’t due to a CrowdStrike breach or supply chain attack. It was during a routine security update that CrowdStrike ran — and a problem at the kernel level via one single file.

In this blog and video, we’ll break down the latest CrowdStrike news and the global outage it caused for many organizations.

Why did the CrowdStrike outage happen? 

A computer's memory has two primary areas where things can run: User land and kernel land.

“User land is where most applications operate, and it's the area you as a user interact with,” Infosec vice president of portfolio product strategy Keatron Evans said. “Kernel land is a protected zone where the operating systems like Windows and crucial drivers that enable your system to communicate with hardware like your network cards or your USB drives operate.”

Evans explained how protection is essential because even a tiny error in kernel land can cause the entire system to crash. Years ago, malware creators discovered ways to escalate privileges and run malicious software in kernel land. This situation is problematic because if malware runs there, it's invisible and nearly unstoppable by security software that operates only in user land.

He added that one solution is having security software like CrowdStrike that can operate in kernel land. This ability allows it to detect and stop powerful malware that would go unnoticed. However, this comes with risk.

“If CrowdStrike software makes a mistake while operating in kernel land, it could crash the entire system. This is why most applications are not allowed to run in kernel land. But for security software, the benefit of detecting and stopping malware usually outweighs the risk of potential crashes.”

Role-appropriate training to your entire workforce

Get a free year of cybersecurity skills training with your security awareness training purchase.  

Book a Demo

CrowdStrike provides many cybersecurity services, including threat detection and incident response.

One of their products is the Falcon platform. Falcon runs on your PC and can detect and prevent cyberattacks. Falcon's early detection driver operates at the kernel level, which is why such a small error devastated the Windows operating system.

The CrowdStrike incident highlights supply chain risk: when too many systems rely on the same third-party vendor to keep them running. A single failure can cause chaos. In this case, over 8.5 million PCs have been impacted to date.

What if I’m affected by the CrowdStrike incident?

Why wasn't this error caught before the update went out? There isn’t an answer yet, but critical security updates might often get pushed out without as much scrutiny as other types of updates. So, what should you do if your computer is affected by this mass outage, either now or in the future?

• Stay informed. We live in a connected world, meaning tech news is much like the weather. Look for the latest problems, and you'll know what's going on.
• Maintain current backups, and always back up your files regularly, especially the critical and personal ones.
• Watch out for scams. Scammers are already taking advantage of the CrowdStrike chaos to send phishing attacks. These messages promise to prevent similar incidents or claim you can recover your lost data. “Just click here.” But it's a scam.
• Follow organizational guidance. If your work computer is affected, don't try to solve the problem. Instead, report it to the proper team and follow all policies and procedures laid out by your organization. We live in an interconnected world, and that's not changing anytime soon.

The CrowdStrike incident proves that even if you and your organization do everything right, you can still lose your data. For more security awareness tips, tools and resources, check out Infosec IQ. Stay informed and stay safe.