Banks, stock exchanges, airports, and other significant enterprises worldwide are grappling with unexpected denial of service conditions caused by widespread Blue Screen of Death (BSoD) events in their Windows environments. BSoD occurs when a kernel-level crash or memory error has occurred and can often be tied to faulty drivers.
This wide-reaching issue involving the CrowdStrike EDR agent, Falcon, appears to be caused by the product’s Early Launch Anti-Malware (ELAM) driver. Endpoint Detection and Response (EDR) products like Falcon use special drivers signed by Microsoft to allow them access to bespoke event-tracing feeds inside the operating system. These can be used to detect advanced threats and are more difficult for attackers to evade. ELAM driver signing by Microsoft is only granted to companies that create EDR products, and is likely to come with a degree of trust and verification from Microsoft.To make matters worse, at time of publication, there is no automated or remote method to remove the faulty driver from a system due to its early-launch nature, requiring users to boot into Windows safe mode with ELAM driver loading disabled and delete the offending file. This also requires physical access to the machine and is harder to achieve with cloud-based machines, requiring increased knowledge of underlying systems.Crowdstrike moderators on Reddit shared detailed steps for recovering devices by deleting a specific file from the Crowdstrike installation. After rebooting, the Crowdstrike agent will update itself with the patched version and the EDR should restore normal operations.
CrowdStrike Falcon is one of the most ubiquitous EDR products on the market - and with good reason. Falcon is highly-regarded by security professionals worldwide to protect networks from advanced attacks and give defenders the edge required to quickly detect, prevent, and respond to threat actors. CrowdStrike usually puts significant effort into product testing before updates go out, ensuring efficacy on multiple versions of the Windows Operating System and that updates can be performed as seamlessly as possible. In this instance, that process may have failed.It is still too early to judge how such an error occurred, and whether a code fault with the driver or an unanticipated and undocumented change in the Windows Operating System, which CrowdStrike was unable to predict, is responsible. It is clear, however, that the heavy reliance on Falcon has become a double-edged sword and is causing untold disruption to business operations worldwide.The severity of this incident serves as a stark wake-up call, highlighting the critical need for rigorous and dependable testing of EDR and ELAM drivers in cybersecurity systems. Now more than ever, it is crucial to reassess and overhaul current testing procedures, swiftly identifying and addressing any issues that arise. Furthermore, this prompts reflection on whether security product updates should be automatically applied universally for up-to-date protection or if customers should maintain control over the update process, ensuring thorough testing prior to implementation.For Immersive Labs Crisis Sim customers, you can now complete the Unforeseen Consequences exercise, a Crisis Sim that immerses you in the first hour of a similar global event. To learn more about the Immersive Labs platform, including our Cyber Crisis Simulator, schedule a demo now.