The global IT outage linked to a corrupted CrowdStrike software update has created the perfect conditions for cybercriminals to launch attacks against organisations struggling to get their systems up and running again.
While it was not a cyberattack itself, the outage – which hit infrastructure around the world on Friday and is still being resolved – has been followed by a sharp rise in phishing and malware-backed attacks, according to cybersecurity experts.
The problem was caused by an update to CrowdStrike's Falcon software for Microsoft computers and did not affect Mac or Linux systems, which limited the scope of the outage, although it still played havoc with air travel, health systems and businesses, and has exposed the fragility of the IT systems used to keep our infrastructure going.
CrowdStrike said that "threat actors" have been taking advantage of the outage to distribute a malicious ZIP archive called 'crowdstrike-hotfix.zip', targeting customers in Latin America, and the company's chief executive George Kurtz said: "We know that adversaries and bad actors will try to exploit events like this."
He added: "I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates."
The Australian Cyber Security Centre (ACSC) said yesterday that it had observed that "a number of malicious websites and unofficial code are being released claiming to help entities recover from the widespread outages caused by the CrowdStrike technical incident."
Meanwhile, the UK National Cyber Security Centre (NCSC) said "organisations and individuals" may be exposed to an increase in phishing referencing the outage.
In a blog post, Microsoft revealed on Saturday that 8.5m Windows devices around the world were disabled by the outage, which is less than 1% of all Windows machines worldwide, but still ranks as one of the largest cyber events in history.
It added that "the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services."
Commenting on the incident, Dr Erisa Karafili, associate professor in cybersecurity from the University of Southampton’s Cyber Security Research Group, said: "On one hand, the public is reassured that the providers are taking protective measures against cyber-attacks…but on the other hand, it shows how vulnerable we might be with respect to these issues."
She added: "If we think of the glass half full, we were lucky that this bug created a disruption of the service and Crowdstrike seems to know from where it is coming and it is solving it. It would have been catastrophic if the issue was left there, and used by attackers to launch a global massive attack."
Dr Inah Omoronyia, who is based in the Bristol Cybersecurity Research Group at University of Bristol’s School of Computer Science, remarked: "Today’s infrastructures are a lot more complex, with extensive dependencies, risks that are often not obvious to those responsible for building them."
"Overall, to reduce the occurrences of these sorts of issues and their impact, it is important that we…consistently evaluate the resilience of the critical systems that we depend on," he added. "Currently, our risk mitigation approaches are too reactive and therefore unsustainable for the current pace of technological innovation."
© SecuringIndustry.com