NC4 Public


NC4-ALR-2024-000008

CrowdStrike Software Update Issue Disrupts Operations in Malaysia

Introduction

The National Cyber Coordination and Command Centre (NC4) of the National Cyber Security Agency (NACSA) has been made aware of a significant global issue involving the CrowdStrike Falcon Sensor, which has caused widespread disruptions across various sectors, including television channels, airports, and other services.

Impact

Operational disruptions have been observed in various sectors in Malaysia. These disruptions have caused operational challenges and delays, affecting both the public and businesses.

Brief Description

The issue arises from a flawed update or channel file for the CrowdStrike Falcon Sensor, which causes affected systems to crash and enter an infinite boot sequence, disrupting operations.

While this issue is not classified as a cyber attack or security incident, the severity of the impact, arising from failures in process and technology, can expose affected organisations to significant cyber risk.

At the same time, NC4 has observed a high risk that threat actors are exploiting the issue through phishing and social engineering attacks, posing as CrowdStrike Customer Support and offering unsolicited assistance to resolve the issue. These attacks aim to deceive current CrowdStrike customers and the public into disclosing sensitive information, distributing malicious files, or clicking on potentially dangerous links.

As the situation develops, NC4 NACSA will continue to closely monitor the trend and provide additional updates.

System Affected

Microsoft Windows hosts running the CrowdStrike Falcon Sensor

Recommendation

Organisations are advised to be vigilant and to take the following actions:

  1. Stay Alert: Continuously monitor announcements, workarounds, and updates from the CrowdStrike support team to address availability issues (refer to the References section below).
  2. Risk Management: Ensure vigilant monitoring and management of any temporary workarounds to mitigate potential new risks.
  3. System Assessment: Conduct a thorough assessment of your systems to identify any disruptions or impacts related to the CrowdStrike Falcon Sensor issue.
  4. Verify Communications: Be cautious of unsolicited communications claiming to be from CrowdStrike. Verify the authenticity of such communications through official channels before taking any action.
  5. Block Malicious Domains: Implement controls such as proxies, spam filters, and other security measures to block the potential phishing/malicious domains. The updated list of domains can be accessed from the official NACSA GitLab at https://git.osdec.gov.my/NACSAmalaysia/crowdstrike-ioc.git
  6. Reporting: If your operations have been affected, report the nature of the disruption, affected services, steps taken to mitigate the impact, and any additional support required to NC4, NACSA.
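As an added illustration of recommendation 5 (this is not NACSA's code and not taken from its GitLab repository), the following Python parses an indicator list into a normalised blocklist and runs it over proxy log lines to surface internal hosts that reached a listed domain, matching subdomains of listed entries as well. The feed format, the defanged notation, and every domain and log line below are constructed assumptions, not real indicators.

```python
import re

# Constructed sample IOC feed in the defanged style many feeds use
# (placeholder domains, NOT real indicators from the NACSA repository).
SAMPLE_IOC_FEED = """\
# crowdstrike-themed phishing domains (constructed placeholders)
crowdstrike-support[.]example
CROWDSTRIKE-FIX[.]EXAMPLE
hxxps://falcon-update[.]example/fix.zip
"""

# Constructed proxy log lines: "<timestamp> <source-ip> <action> <url>"
SAMPLE_PROXY_LOG = """\
2024-07-19T09:12:01Z 10.0.0.5 ALLOW https://www.crowdstrike.com/blog/
2024-07-19T09:13:44Z 10.0.0.7 ALLOW https://mail.crowdstrike-support.example/login
2024-07-19T09:15:02Z 10.0.0.9 ALLOW http://falcon-update.example/fix.zip
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) or a URL into a plain lowercase hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://|^https?://", "", s)
    return s.split("/")[0]  # keep only the host part

def load_blocklist(feed_text: str) -> set[str]:
    """Parse an IOC feed into a set of normalised hostnames, skipping comments."""
    hosts = set()
    for line in feed_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        hosts.add(refang(line))
    return hosts

def host_is_blocked(host: str, blocklist: set[str]) -> bool:
    """Match the host itself or any parent domain (mail.bad.example hits bad.example)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def scan_proxy_log(log_text: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (source_ip, host) pairs for requests that reached a listed domain."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, _action, url = line.split()
        host = refang(url)
        if host_is_blocked(host, blocklist):
            hits.append((src, host))
    return hits
```

The hits identify hosts to review for phishing exposure; the same blocklist set can be exported to a proxy or DNS filter so that later requests are denied rather than merely logged.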

References

  https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
  https://www.crowdstrike.com/blog/technical-details-on-todays-outage/
  https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
  https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
  https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
  https://git.osdec.gov.my/NACSAmalaysia/crowdstrike-ioc.git
